
WriteUp - 2025红明谷Web方向


Web 方向的题整体难度适中。其中一题通过 Fastjson 反序列化打出了反弹 shell,具体利用链的原理回头再研究。

简单的仓库

充值请求中的角色字段由客户端提交:把 guest 改为 admin 即可完成充值,说明服务端直接信任了客户端传来的角色,属于典型的越权问题。

下载接口存在任意文件下载:修改用户参数即可读取其他用户的文件,从中得到 flag 的位置。

推测 user 参数对应目录路径,download 参数对应文件名,两者拼接后就是实际读取的路径(从能读到其他用户的文件来看,拼接时应该没有把目录限制在当前用户下)。

日记本

 ⚡11930 ❯❯ java -jar .\JDumpSpider-1.1-SNAPSHOT-full.jar C:\Users\11930\Downloads\heapdump
===========================================
SpringDataSourceProperties
-------------
password = root
driverClassName = com.mysql.cj.jdbc.Driver
url = jdbc:mysql://localhost:3306/ez_blog?useSSL=false&serverTimezone=UTC&allowPublicKeyRetrieval=true
username = root

===========================================
WeblogicDataSourceConnectionPoolConfig
-------------
not found!

===========================================
MongoClient
-------------
not found!

===========================================
AliDruidDataSourceWrapper
-------------
not found!

===========================================
HikariDataSource
-------------
password = root
jdbcUrl = jdbc:mysql://localhost:3306/ez_blog?useSSL=false&serverTimezone=UTC&allowPublicKeyRetrieval=true
user = root

===========================================
RedisStandaloneConfiguration
-------------
not found!

===========================================
JedisClient
-------------
not found!

===========================================
CookieRememberMeManager(ShiroKey)
-------------
not found!

===========================================
OriginTrackedMapPropertySource
-------------
springdoc.swagger-ui.operationsSorter = alpha
spring.web.resources.static-locations = classpath:/static/
mybatis.configuration.log-impl = org.apache.ibatis.logging.stdout.StdOutImpl
spring.application.name = ez_blog
spring.mvc.static-path-pattern = /static/**
mybatis.type-aliases-package = com.example.ez_blog.entity
springdoc.swagger-ui.path = /swagger-ui.html
spring.h2.console.path = /h2-console
spring.datasource.password = root
server.address = 0.0.0.0
mybatis.mapper-locations = classpath:mapper/*.xml
spring.datasource.username = root
management.endpoint.health.probes.enabled = true
springdoc.default-consumes-media-type = application/json
spring.datasource.url = jdbc:mysql://localhost:3306/ez_blog?useSSL=false&serverTimezone=UTC&allowPublicKeyRetrieval=true
server.port = 80
springdoc.swagger-ui.tagsSorter = alpha
spring.mvc.throw-exception-if-no-handler-found = false
mybatis.configuration.map-underscore-to-camel-case = true

===========================================
MutablePropertySources
-------------
sun.boot.class.path = /usr/local/openjdk-8/jre/lib/resources.jar:/usr/local/openjdk-8/jre/lib/rt.jar:/usr/local/openjdk-8/jre/lib/sunrsasign.jar:/usr/local/openjdk-8/jre/lib/jsse.jar:/usr/local/openjdk-8/jre/lib/jce.jar:/usr/local/openjdk-8/jre/lib/charsets.jar:/usr/local/openjdk-8/jre/lib/jfr.jar:/usr/local/openjdk-8/jre/classes
java.protocol.handler.pkgs = org.springframework.boot.loader
sun.management.compiler = HotSpot 64-Bit Tiered Compilers
sun.cpu.isalist =
sun.jnu.encoding = UTF-8
java.runtime.version = 1.8.0_342-b07
java.class.path = /app/app.jar
path.separator = :
java.vm.vendor = Oracle Corporation
os.version = 5.10.134-17.3.1.lifsea8.x86_64
java.endorsed.dirs = /usr/local/openjdk-8/jre/lib/endorsed
java.runtime.name = OpenJDK Runtime Environment
file.encoding = UTF-8
catalina.useNaming = false
APP_SECURITY_KEY = yQ5mS4lN4mQ9yN0bK6gE5dM1rG9qC7xE7cS5wQ9iV7aA7iA0hG8qI3iW5iH8jQ2hA5nR9nJ1mR1eM7pZ2pE2iP3zS0yB9pM6gP8hB7pK4zA1kW2fS5uZ3kO4zB4zV6cS8eH5jP8mZ5xG5xW4gQ7nA9rM9oR6uA8pM2oE3sR5uW3zT1iK4vN2vB5uP1oT6oW7fR0rU7rT5iX1fY3rB0iZ7zZ2lM8aV0pR6bQ4dA0kL7oG4cW7pR3cX7jS3eM9zE6h
spring.beaninfo.ignore = true
java.vm.specification.version = 1.8
os.name = Linux
java.vm.name = OpenJDK 64-Bit Server VM
local.server.port = null
sun.java.launcher = SUN_STANDARD
java.vendor.url.bug = http://bugreport.sun.com/bugreport/
sun.java.command = /app/app.jar --server.port=18888
java.io.tmpdir = /tmp
com.zaxxer.hikari.pool_number = 1
catalina.home = /tmp/tomcat.18888.9210474772691989549
java.version = 1.8.0_342
user.home = /home/appuser
user.language = en
PID = 260
java.awt.printerjob = sun.print.PSPrinterJob
CONSOLE_LOG_CHARSET = UTF-8
file.separator = /
catalina.base = /tmp/tomcat.18888.9210474772691989549
java.vm.info = mixed mode
java.specification.name = Java Platform API Specification
java.vm.specification.vendor = Oracle Corporation
FILE_LOG_CHARSET = UTF-8
java.awt.graphicsenv = sun.awt.X11GraphicsEnvironment
java.awt.headless = true
sun.io.unicode.encoding = UnicodeLittle
java.ext.dirs = /usr/local/openjdk-8/jre/lib/ext:/usr/java/packages/lib/ext

===========================================
MapPropertySources
-------------
local.server.port = null

===========================================
ConsulPropertySources
-------------
not found!

===========================================
JavaProperties
-------------
java.util.logging.FileHandler.pattern = %h/java%u.log
awt.toolkit = sun.awt.X11.XToolkit
sun.cpu.isalist =
sun.jnu.encoding = UTF-8
sun.arch.data.model = 64
password = root
catalina.useNaming = false
security.overridePropertiesFile = true
sun.boot.library.path = /usr/local/openjdk-8/jre/lib/amd64
security.provider.7 = com.sun.security.sasl.Provider
sun.java.command = /app/app.jar --server.port=18888
security.provider.9 = sun.security.smartcardio.SunPCSC
java.specification.vendor = Oracle Corporation
security.provider.1 = sun.security.provider.Sun
security.provider.2 = sun.security.rsa.SunRsaSign
security.provider.3 = sun.security.ec.SunEC
networkaddress.cache.negative.ttl = 10
security.provider.4 = com.sun.net.ssl.internal.ssl.Provider
security.provider.5 = com.sun.crypto.provider.SunJCE
security.provider.6 = sun.security.jgss.SunProvider
useSSL = false
file.separator = /
java.specification.name = Java Platform API Specification
java.vm.specification.vendor = Oracle Corporation
dbname = ez_blog
ja = UTF-8
package.definition = sun.,com.sun.xml.internal.,com.sun.imageio.,com.sun.istack.internal.,com.sun.jmx.,com.sun.media.sound.,com.sun.naming.internal.,com.sun.proxy.,com.sun.corba.se.,com.sun.org.apache.bcel.internal.,com.sun.org.apache.regexp.internal.,com.sun.org.apache.xerces.internal.,com.sun.org.apache.xpath.internal.,com.sun.org.apache.xalan.internal.extensions.,com.sun.org.apache.xalan.internal.lib.,com.sun.org.apache.xalan.internal.res.,com.sun.org.apache.xalan.internal.templates.,com.sun.org.apache.xalan.internal.utils.,com.sun.org.apache.xalan.internal.xslt.,com.sun.org.apache.xalan.internal.xsltc.cmdline.,com.sun.org.apache.xalan.internal.xsltc.compiler.,com.sun.org.apache.xalan.internal.xsltc.trax.,com.sun.org.apache.xalan.internal.xsltc.util.,com.sun.org.apache.xml.internal.res.,com.sun.org.apache.xml.internal.resolver.helpers.,com.sun.org.apache.xml.internal.resolver.readers.,com.sun.org.apache.xml.internal.security.,com.sun.org.apache.xml.internal.serializer.utils.,com.sun.org.apache.xml.internal.utils.,com.sun.org.glassfish.,com.oracle.xmlns.internal.,com.oracle.webservices.internal.,oracle.jrockit.jfr.,org.jcp.xml.dsig.internal.,jdk.internal.,jdk.nashorn.internal.,jdk.nashorn.tools.,jdk.xml.internal.,com.sun.activation.registries.,jdk.jfr.events.,jdk.jfr.internal.,jdk.management.jfr.internal.
sun.boot.class.path = /usr/local/openjdk-8/jre/lib/resources.jar:/usr/local/openjdk-8/jre/lib/rt.jar:/usr/local/openjdk-8/jre/lib/sunrsasign.jar:/usr/local/openjdk-8/jre/lib/jsse.jar:/usr/local/openjdk-8/jre/lib/jce.jar:/usr/local/openjdk-8/jre/lib/charsets.jar:/usr/local/openjdk-8/jre/lib/jfr.jar:/usr/local/openjdk-8/jre/classes
java.protocol.handler.pkgs = org.springframework.boot.loader
sun.management.compiler = HotSpot 64-Bit Tiered Compilers
java.runtime.version = 1.8.0_342-b07
user.name = appuser
policy.url.1 = file:${java.home}/lib/security/java.policy
securerandom.source = file:/dev/random
policy.url.2 = file:${user.home}/.java.policy
jdk.tls.disabledAlgorithms = SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, include jdk.disabled.namedCurves
policy.ignoreIdentityScope = false
file.encoding = UTF-8
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
jdk.sasl.disabledMechanisms =
java.io.tmpdir = /tmp
com.zaxxer.hikari.pool_number = 1
java.version = 1.8.0_342
PID = 260
java.vm.specification.name = Java Virtual Machine Specification
jdk.tls.keyLimits = AES/GCM/NoPadding KeyUpdate 2^37
java.awt.printerjob = sun.print.PSPrinterJob
CONSOLE_LOG_CHARSET = UTF-8
jdk.xml.dsig.secureValidationPolicy = disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,maxTransforms 5,maxReferences 30,disallowReferenceUriSchemes file http https,minKeySize RSA 1024,minKeySize DSA 1024,minKeySize EC 224,noDuplicateIds,noRetrievalMethodLoops
java.library.path = /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
java.vendor = Oracle Corporation
handlers = java.util.logging.ConsoleHandler
sun.io.unicode.encoding = UnicodeLittle
krb5.kdc.bad.policy = tryLast
java.class.path = /app/app.jar
java.vm.vendor = Oracle Corporation
jdk.security.legacyAlgorithms = SHA1, RSA keySize < 2048, DSA keySize < 2048
jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
crypto.policy = unlimited
jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!*
login.configuration.provider = sun.security.provider.ConfigFile
user.timezone =
host = localhost
java.vm.specification.version = 1.8
os.name = Linux
sun.java.launcher = SUN_STANDARD
jdk.security.caDistrustPolicies = SYMANTEC_TLS
sun.cpu.endian = little
user.home = /home/appuser
user.language = en
jdk.http.auth.tunneling.disabledSchemes = Basic
en = UTF-8
jdk.tls.alpnCharset = ISO_8859_1
ssl.KeyManagerFactory.algorithm = SunX509
FILE_LOG_CHARSET = UTF-8
.level = INFO
java.awt.graphicsenv = sun.awt.X11GraphicsEnvironment
java.awt.headless = true
com.xyz.foo.level = SEVERE
ftp.nonProxyHosts = localhost|127.*|[::1]
policy.provider = sun.security.provider.PolicyFile
path.separator = :
fr = UTF-8
jdk.http.ntlm.transparentAuth = disabled
os.version = 5.10.134-17.3.1.lifsea8.x86_64
java.endorsed.dirs = /usr/local/openjdk-8/jre/lib/endorsed
java.runtime.name = OpenJDK Runtime Environment
keystore.type.compat = true
APP_SECURITY_KEY = yQ5mS4lN4mQ9yN0bK6gE5dM1rG9qC7xE7cS5wQ9iV7aA7iA0hG8qI3iW5iH8jQ2hA5nR9nJ1mR1eM7pZ2pE2iP3zS0yB9pM6gP8hB7pK4zA1kW2fS5uZ3kO4zB4zV6cS8eH5jP8mZ5xG5xW4gQ7nA9rM9oR6uA8pM2oE3sR5uW3zT1iK4vN2vB5uP1oT6oW7fR0rU7rT5iX1fY3rB0iZ7zZ2lM8aV0pR6bQ4dA0kL7oG4cW7pR3cX7jS3eM9zE6h
spring.beaninfo.ignore = true
java.vm.name = OpenJDK 64-Bit Server VM
java.vendor.url.bug = http://bugreport.sun.com/bugreport/
java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
java.util.logging.FileHandler.count = 1
catalina.home = /tmp/tomcat.18888.9210474772691989549
sun.cds.enableSharedLookupCache = false
sun.security.krb5.maxReferrals = 5
catalina.base = /tmp/tomcat.18888.9210474772691989549
java.util.logging.FileHandler.limit = 50000
java.vm.info = mixed mode, sharing
keystore.type = jks
java.ext.dirs = /usr/local/openjdk-8/jre/lib/ext:/usr/java/packages/lib/ext
policy.expandProperties = true
securerandom.strongAlgorithms = NativePRNGBlocking:SUN
user = root

===========================================
ProcessEnvironment
-------------
not found!

===========================================
OSS
-------------
not found!

===========================================
UserPassSearcher
-------------
com.alibaba.fastjson.parser.deserializer.FastjsonASMDeserializer_1_RegisterRequest:
[email_asm_prefix__ = "email":, username_asm_prefix__ = "username":, password_asm_prefix__ = "password":]

com.mysql.cj.protocol.a.authentication.AuthenticationLdapSaslClientPlugin:
[firstPass = true]

com.mysql.cj.protocol.a.authentication.CachingSha2PasswordPlugin:
[publicKeyRequested = false]

com.mysql.cj.protocol.a.authentication.Sha256PasswordPlugin:
[publicKeyRequested = false]

com.mysql.cj.NativeCharsetSettings:
[platformDbCharsetMatches = true]

com.mysql.cj.protocol.a.NativeAuthenticationProvider:
[database = ez_blog, useConnectWithDb = true, serverDefaultAuthenticationPluginName = mysql_native_password, username = root]

com.mysql.cj.jdbc.ConnectionImpl:
[password = root, database = ez_blog, origHostToConnectTo = localhost, user = root]

com.mysql.cj.conf.HostInfo:
[password = root, host = localhost, user = root]

com.zaxxer.hikari.pool.HikariPool:
[aliveBypassWindowMs = 500, isUseJdbc4Validation = true]

org.springframework.boot.autoconfigure.jdbc.DataSourceProperties:
[password = root, driverClassName = com.mysql.cj.jdbc.Driver, url = jdbc:mysql://localhost:3306/ez_blog?useSSL=false&serverTimezone=UTC&allowPublicKeyRetrieval=true, username = root]

com.zaxxer.hikari.HikariDataSource:
[keepaliveTime = 0, password = root, jdbcUrl = jdbc:mysql://localhost:3306/ez_blog?useSSL=false&serverTimezone=UTC&allowPublicKeyRetrieval=true, driverClassName = com.mysql.cj.jdbc.Driver, username = root]

org.apache.catalina.startup.Tomcat:
[hostname = localhost]


===========================================
CookieThief
-------------
not found!

===========================================
AuthThief
-------------
java.util.Hashtable$Entry:
jdk.http.auth.tunneling.disabledSchemes = Basic
jdk.http.ntlm.transparentAuth = disabled


===========================================

从 heapdump 中获得 APP_SECURITY_KEY(见上方 MutablePropertySources / JavaProperties 段),同时还拿到了 MySQL 的 root/root 凭据和 JDBC 连接串。注意:heapdump 会原样保留内存中的全部配置与凭据,生产环境务必关闭或鉴权 Actuator 的 heapdump 端点,并避免把密钥直接放进环境变量或系统属性。

把 Swagger 导出的 API 文档(配置中 springdoc.swagger-ui.path = /swagger-ui.html)导入 Postman,发现注册接口标记为废弃;猜测路径版本改成了 v2,请求后注册成功。

另有一个测试接口,响应里提示使用了 Fastjson(heapdump 的 UserPassSearcher 段中也能看到 com.alibaba.fastjson 的 ASM 反序列化器,印证了这一点)。

接下来找一个接收 JSON 请求体的接口作为反序列化入口,发现 update 接口可用。

构造 Fastjson 的 JNDI 注入 payload 发包,让目标去 lookup 攻击者控制的 LDAP/RMI 地址,最终拿到反弹 shell。需要注意的是,heapdump 显示目标运行的是 JDK 1.8.0_342,已高于 8u191,JNDI 默认不再从远程 codebase 加载类,因此利用链只能依赖目标 classpath 上已有的类(例如 catalina.* 属性表明的内嵌 Tomcat)或其他反序列化方式,具体取决于所用的 payload。

Links

https://alter1125.github.io/2022/05/07/fastjson%E6%B3%A8%E5%85%A5%E5%88%86%E6%9E%90%E4%B8%8E%E6%80%BB%E7%BB%93/
