Java反序列化漏洞与CC链分析<\/h1>

一、序列化与反序列化基础<\/h2>

1.1 序列化(Serialization)<\/h3>
序列化是将对象状态转化为字节流的机制，只有实现了Serializable<\/code>或Externalizable<\/code>接口的类的对象才能被序列化。<\/p>
序列化关键点：<\/strong><\/p>

使用ObjectOutputStream<\/code>和writeObject()<\/code>方法<\/li>
静态成员变量不可被序列化<\/li>
transient<\/code>标识的成员变量不参与序列化<\/li>
<\/ul>
序列化示例：<\/strong><\/p>
ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>path));<\/span>
<\/span><\/span>oos.<\/span>writeObject<\/span>(<\/span>obj);<\/span>
<\/span><\/span><\/code><\/pre>1.2 反序列化(Deserialization)<\/h3>
反序列化是将字节流重新创建为Java对象的过程。<\/p>
反序列化关键点：<\/strong><\/p>

使用ObjectInputStream<\/code>和readObject()<\/code>方法<\/li>
反序列化时会自动调用readObject()<\/code>方法<\/li>
<\/ul>
反序列化示例：<\/strong><\/p>
ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>path));<\/span>
<\/span><\/span>return<\/span> ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>1.3 反序列化漏洞原理<\/h3>
反序列化漏洞产生的根本原因是readObject<\/code>方法被重写，当反序列化时会自动调用重写的readObject<\/code>方法，如果其中包含恶意代码就会被执行。<\/p>
漏洞示例：<\/strong><\/p>
private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream ois)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    ois.<\/span>defaultReadObject<\/span>();<\/span>
<\/span><\/span>    Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span> \/\/ 恶意代码
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>二、反射机制<\/h2>
2.1 反射基础<\/h3>
反射允许程序在运行时检查和操作类的成员，包括：<\/p>

获取类的名称、属性、方法、注解等信息<\/li>
动态修改类的属性<\/li>
调用对象的方法<\/li>
<\/ul>
2.2 反射关键操作<\/h3>
1. 获取Class对象：<\/strong><\/p>
Class<?><\/span> clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"ClassName"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2. 实例化对象：<\/strong><\/p>
\/\/ 无参构造
<\/span><\/span><\/span><\/span>Object obj =<\/span> clazz.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 有参构造
<\/span><\/span><\/span><\/span>Constructor<?><\/span> constructor =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>String.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>);<\/span>
<\/span><\/span>Object obj =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>"参数1"<\/span>,<\/span> 2<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>3. 获取和修改属性：<\/strong><\/p>
\/\/ 获取属性
<\/span><\/span><\/span><\/span>Field field =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>"fieldName"<\/span>);<\/span>
<\/span><\/span>field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> \/\/ 对私有属性需要设置可访问
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 修改属性值
<\/span><\/span><\/span><\/span>field.<\/span>set<\/span>(<\/span>obj,<\/span> "newValue"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>4. 调用方法：<\/strong><\/p>
\/\/ 获取方法
<\/span><\/span><\/span><\/span>Method method =<\/span> clazz.<\/span>getDeclaredMethod<\/span>(<\/span>"methodName"<\/span>,<\/span> parameterTypes);<\/span>
<\/span><\/span>method.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> \/\/ 对私有方法需要设置可访问
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 调用方法
<\/span><\/span><\/span><\/span>method.<\/span>invoke<\/span>(<\/span>obj,<\/span> args);<\/span>
<\/span><\/span><\/code><\/pre>三、Java类加载机制<\/h2>
3.1 类加载器<\/h3>
Java类加载器负责将类的字节码加载到JVM中，主要类加载器：<\/p>

启动类加载器(Bootstrap ClassLoader)<\/li>
扩展类加载器(Extension ClassLoader)<\/li>
应用类加载器(Application ClassLoader)<\/li>
自定义类加载器<\/li>
<\/ol>
3.2 动态类加载方式<\/h3>
1. Class.forName()<\/strong><\/p>
Class<?><\/span> clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"ClassName"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2. ClassLoader.loadClass()<\/strong><\/p>
ClassLoader cl =<\/span> ClassLoader.<\/span>getSystemClassLoader<\/span>();<\/span>
<\/span><\/span>Class<?><\/span> clazz =<\/span> cl.<\/span>loadClass<\/span>(<\/span>"ClassName"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>3. URLClassLoader<\/strong><\/p>
URLClassLoader cl =<\/span> new<\/span> URLClassLoader(<\/span>new<\/span> URL[]{<\/span>new<\/span> URL(<\/span>"file:\/\/\/path\/"<\/span>)});<\/span>
<\/span><\/span>Class<?><\/span> clazz =<\/span> cl.<\/span>loadClass<\/span>(<\/span>"ClassName"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>4. defineClass<\/strong><\/p>
Method defineClass =<\/span> ClassLoader.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"defineClass"<\/span>,<\/span> 
<\/span><\/span>    String.<\/span>class<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>);<\/span>
<\/span><\/span>defineClass.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Class<?><\/span> clazz =<\/span> (<\/span>Class<?>)<\/span> defineClass.<\/span>invoke<\/span>(<\/span>cl,<\/span> "ClassName"<\/span>,<\/span> code,<\/span> 0<\/span>,<\/span> code.<\/span>length<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>四、反序列化利用链(CC链)分析<\/h2>
4.1 URLDNS链分析<\/h3>
URLDNS链是Java反序列化的简单利用链，用于DNS探测。<\/p>
利用链：<\/strong><\/p>
HashMap.readObject()
  -> HashMap.putVal()
    -> HashMap.hash()
      -> URL.hashCode()
        -> URLStreamHandler.hashCode()
          -> URLStreamHandler.getHostAddress()
            -> DNS解析
<\/code><\/pre>
利用代码：<\/strong><\/p>
URL url =<\/span> new<\/span> URL(<\/span>"http:\/\/example.com"<\/span>);<\/span>
<\/span><\/span>HashMap<<\/span>URL,<\/span> Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>url,<\/span> null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反射修改URL的hashCode值为-1
<\/span><\/span><\/span><\/span>Field hCode =<\/span> URL.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"hashCode"<\/span>);<\/span>
<\/span><\/span>hCode.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>hCode.<\/span>setInt<\/span>(<\/span>url,<\/span> -<\/span>1<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化和反序列化触发DNS请求
<\/span><\/span><\/span><\/span>serialize(<\/span>hashMap,<\/span> "dns.bin"<\/span>);<\/span>
<\/span><\/span>unserialize(<\/span>"dns.bin"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>4.2 CC1链分析<\/h3>
CC1链利用Apache Commons Collections库中的Transformer接口。<\/p>
关键类：<\/strong><\/p>

InvokerTransformer<\/code>: 实现Transformer接口，可通过反射调用任意方法<\/li>
TransformedMap<\/code>: 可包装Map对象，在修改值时调用Transformer<\/li>
<\/ul>
利用链：<\/strong><\/p>
AnnotationInvocationHandler.readObject()
  -> Map.entrySet().iterator().next().setValue()
    -> TransformedMap.checkSetValue()
      -> Transformer.transform()
        -> InvokerTransformer.transform()
          -> Runtime.exec()
<\/code><\/pre>
利用步骤：<\/strong><\/p>

创建InvokerTransformer<\/code>实例，设置反射调用Runtime.exec()<\/code><\/li>
使用TransformedMap.decorate()<\/code>包装Map对象<\/li>
通过反射创建AnnotationInvocationHandler<\/code>实例<\/li>
序列化和反序列化触发漏洞<\/li>
<\/ol>
五、防御措施<\/h2>

输入验证<\/strong>：对反序列化的数据来源进行严格验证<\/li>
白名单控制<\/strong>：限制可反序列化的类<\/li>
安全配置<\/strong>：

使用ObjectInputFilter<\/code>设置反序列化过滤器<\/li>
更新JDK和依赖库到安全版本<\/li>
<\/ul>
<\/li>
代码审计<\/strong>：检查自定义readObject<\/code>方法的安全性<\/li>
运行时保护<\/strong>：使用安全管理器限制敏感操作<\/li>
<\/ol>
六、总结<\/h2>
Java反序列化漏洞的核心在于：<\/p>

重写readObject<\/code>方法引入不安全操作<\/li>
利用反射机制动态调用危险方法<\/li>
通过精心构造的利用链连接入口点和危险函数<\/li>
<\/ol>
理解这些机制对于安全研究和防御Java反序列化漏洞至关重要。在实际应用中，应避免直接反序列化不可信数据，并及时更新相关组件以修复已知漏洞。<\/p>