2025第十届 "磐石行动" Java题目分析与利用<\/h1>

题目概述<\/h2>
这道Java题目包含两个部分：`web-jaba_ez<\/code>和web_ezyaml<\/code>。主要考察Java安全相关的知识，包括反射调用、黑名单\/白名单绕过、表达式注入等漏洞利用技术。<\/p>`

web-jaba_ez题目分析<\/h2>
漏洞点分析<\/h3>
题目提供了两个主要端点：<\/p>

\/job\/add<\/code> - 添加任务<\/li>
\/job\/run\/{jobName}<\/code> - 执行任务<\/li>
<\/ol>
关键代码逻辑<\/h4>
@PostMapping<\/span>({<\/span>"\/job\/add"<\/span>})<\/span>
<\/span><\/span>public<\/span> Map<<\/span>String,<\/span> Object><\/span> addJob<\/span>(<\/span>@RequestBody<\/span> ScheduledJob job)<\/span> {<\/span>
<\/span><\/span>    Map<<\/span>String,<\/span> Object><\/span> result =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>containsBlacklist(<\/span>job.<\/span>getInvokeTarget<\/span>()))<\/span> {<\/span>
<\/span><\/span>        result.<\/span>put<\/span>(<\/span>BindTag.<\/span>STATUS_VARIABLE_NAME<\/span>,<\/span> "error"<\/span>);<\/span>
<\/span><\/span>        result.<\/span>put<\/span>(<\/span>"message"<\/span>,<\/span> "包含非法字符"<\/span>);<\/span>
<\/span><\/span>        return<\/span> result;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    if<\/span> (!<\/span>containsWhitelist(<\/span>job.<\/span>getInvokeTarget<\/span>()))<\/span> {<\/span>
<\/span><\/span>        result.<\/span>put<\/span>(<\/span>BindTag.<\/span>STATUS_VARIABLE_NAME<\/span>,<\/span> "error"<\/span>);<\/span>
<\/span><\/span>        result.<\/span>put<\/span>(<\/span>"message"<\/span>,<\/span> "目标不在白名单中"<\/span>);<\/span>
<\/span><\/span>        return<\/span> result;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    jobs.<\/span>put<\/span>(<\/span>job.<\/span>getJobName<\/span>(),<\/span> job);<\/span>
<\/span><\/span>    result.<\/span>put<\/span>(<\/span>BindTag.<\/span>STATUS_VARIABLE_NAME<\/span>,<\/span> "success"<\/span>);<\/span>
<\/span><\/span>    result.<\/span>put<\/span>(<\/span>"message"<\/span>,<\/span> "任务添加成功"<\/span>);<\/span>
<\/span><\/span>    result.<\/span>put<\/span>(<\/span>"jobId"<\/span>,<\/span> job.<\/span>getJobName<\/span>());<\/span>
<\/span><\/span>    return<\/span> result;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>@PostMapping<\/span>({<\/span>"\/job\/run\/{jobName}"<\/span>})<\/span>
<\/span><\/span>public<\/span> Map<<\/span>String,<\/span> Object><\/span> runJob<\/span>(<\/span>@PathVariable<\/span> String jobName)<\/span> {<\/span>
<\/span><\/span>    Map<<\/span>String,<\/span> Object><\/span> result =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>    ScheduledJob job =<\/span> jobs.<\/span>get<\/span>(<\/span>jobName);<\/span>
<\/span><\/span>    if<\/span> (<\/span>job ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        result.<\/span>put<\/span>(<\/span>BindTag.<\/span>STATUS_VARIABLE_NAME<\/span>,<\/span> "error"<\/span>);<\/span>
<\/span><\/span>        result.<\/span>put<\/span>(<\/span>"message"<\/span>,<\/span> "任务不存在"<\/span>);<\/span>
<\/span><\/span>        return<\/span> result;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        invokeMethod(<\/span>job.<\/span>getInvokeTarget<\/span>());<\/span>
<\/span><\/span>        result.<\/span>put<\/span>(<\/span>BindTag.<\/span>STATUS_VARIABLE_NAME<\/span>,<\/span> "success"<\/span>);<\/span>
<\/span><\/span>        result.<\/span>put<\/span>(<\/span>"message"<\/span>,<\/span> "任务执行成功"<\/span>);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        result.<\/span>put<\/span>(<\/span>BindTag.<\/span>STATUS_VARIABLE_NAME<\/span>,<\/span> "error"<\/span>);<\/span>
<\/span><\/span>        result.<\/span>put<\/span>(<\/span>"message"<\/span>,<\/span> e.<\/span>getMessage<\/span>());<\/span>
<\/span><\/span>        result.<\/span>put<\/span>(<\/span>"stackTrace"<\/span>,<\/span> e.<\/span>getStackTrace<\/span>()[<\/span>0<\/span>].<\/span>toString<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> result;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>黑名单与白名单机制<\/h3>
private<\/span> static<\/span> final<\/span> String[]<\/span> JOB_BLACKLIST =<\/span> {<\/span>
<\/span><\/span>    "java.net.URL"<\/span>,<\/span> "javax.naming.InitialContext"<\/span>,<\/span> "org.yaml.snakeyaml"<\/span>,<\/span> 
<\/span><\/span>    "org.springframework"<\/span>,<\/span> "org.apache"<\/span>,<\/span> "rmi"<\/span>,<\/span> "ldap"<\/span>,<\/span> "ldaps"<\/span>,<\/span> "http"<\/span>,<\/span> "https"<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>private<\/span> static<\/span> final<\/span> String[]<\/span> JOB_WHITELIST =<\/span> {<\/span>"com.jabaez.FLAG"<\/span>};<\/span>
<\/span><\/span>
<\/span><\/span>private<\/span> boolean<\/span> containsBlacklist<\/span>(<\/span>String str)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>str ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    String lowerStr =<\/span> str.<\/span>toLowerCase<\/span>();<\/span>
<\/span><\/span>    for<\/span> (<\/span>String blackItem :<\/span> JOB_BLACKLIST)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>lowerStr.<\/span>contains<\/span>(<\/span>blackItem.<\/span>toLowerCase<\/span>()))<\/span> {<\/span>
<\/span><\/span>            return<\/span> true<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> false<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>private<\/span> boolean<\/span> containsWhitelist<\/span>(<\/span>String str)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>str ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    for<\/span> (<\/span>String whiteItem :<\/span> JOB_WHITELIST)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>str.<\/span>contains<\/span>(<\/span>whiteItem))<\/span> {<\/span>
<\/span><\/span>            return<\/span> true<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> false<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>方法调用逻辑<\/h3>
private<\/span> Object invokeMethod<\/span>(<\/span>String invokeTarget)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    int<\/span> hashIndex =<\/span> invokeTarget.<\/span>indexOf<\/span>(<\/span>35<\/span>);<\/span> \/\/ #字符
<\/span><\/span><\/span><\/span>    if<\/span> (<\/span>hashIndex ==<\/span> -<\/span>1<\/span>)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> IllegalArgumentException(<\/span>"Invalid format, expected: className#methodName(params)"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    String className =<\/span> invokeTarget.<\/span>substring<\/span>(<\/span>0<\/span>,<\/span> hashIndex);<\/span>
<\/span><\/span>    String methodAndParams =<\/span> invokeTarget.<\/span>substring<\/span>(<\/span>hashIndex +<\/span> 1<\/span>);<\/span>
<\/span><\/span>    int<\/span> paramStart =<\/span> methodAndParams.<\/span>indexOf<\/span>(<\/span>40<\/span>);<\/span> \/\/ (字符
<\/span><\/span><\/span><\/span>    int<\/span> paramEnd =<\/span> methodAndParams.<\/span>lastIndexOf<\/span>(<\/span>41<\/span>);<\/span> \/\/ )字符
<\/span><\/span><\/span><\/span>    if<\/span> (<\/span>paramStart ==<\/span> -<\/span>1<\/span> ||<\/span> paramEnd ==<\/span> -<\/span>1<\/span>)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> IllegalArgumentException(<\/span>"Invalid method format"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    String methodName =<\/span> methodAndParams.<\/span>substring<\/span>(<\/span>0<\/span>,<\/span> paramStart);<\/span>
<\/span><\/span>    String paramStr =<\/span> methodAndParams.<\/span>substring<\/span>(<\/span>paramStart +<\/span> 1<\/span>,<\/span> paramEnd);<\/span>
<\/span><\/span>    
<\/span><\/span>    Class<?><\/span> clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>className);<\/span>
<\/span><\/span>    List<<\/span>Object><\/span> paramValues =<\/span> new<\/span> ArrayList<>();<\/span>
<\/span><\/span>    List<<\/span>Class<?>><\/span> paramTypes =<\/span> new<\/span> ArrayList<>();<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span> (!<\/span>paramStr.<\/span>trim<\/span>().<\/span>isEmpty<\/span>())<\/span> {<\/span>
<\/span><\/span>        String[]<\/span> params =<\/span> splitParams(<\/span>paramStr);<\/span>
<\/span><\/span>        for<\/span> (<\/span>String str :<\/span> params)<\/span> {<\/span>
<\/span><\/span>            String param =<\/span> str.<\/span>trim<\/span>();<\/span>
<\/span><\/span>            if<\/span> (<\/span>param.<\/span>startsWith<\/span>(<\/span>"'"<\/span>)<\/span> &&<\/span> param.<\/span>endsWith<\/span>(<\/span>"'"<\/span>))<\/span> {<\/span>
<\/span><\/span>                String value =<\/span> param.<\/span>substring<\/span>(<\/span>1<\/span>,<\/span> param.<\/span>length<\/span>()<\/span> -<\/span> 1<\/span>);<\/span>
<\/span><\/span>                paramValues.<\/span>add<\/span>(<\/span>value);<\/span>
<\/span><\/span>                paramTypes.<\/span>add<\/span>(<\/span>String.<\/span>class<\/span>);<\/span>
<\/span><\/span>            }<\/span> else<\/span> if<\/span> (<\/span>param.<\/span>equals<\/span>(<\/span>BeanDefinitionParserDelegate.<\/span>NULL_ELEMENT<\/span>))<\/span> {<\/span>
<\/span><\/span>                paramValues.<\/span>add<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>                paramTypes.<\/span>add<\/span>(<\/span>String.<\/span>class<\/span>);<\/span>
<\/span><\/span>            }<\/span> else<\/span> if<\/span> (<\/span>param.<\/span>matches<\/span>(<\/span>"\\d+"<\/span>))<\/span> {<\/span>
<\/span><\/span>                paramValues.<\/span>add<\/span>(<\/span>Integer.<\/span>valueOf<\/span>(<\/span>Integer.<\/span>parseInt<\/span>(<\/span>param)));<\/span>
<\/span><\/span>                paramTypes.<\/span>add<\/span>(<\/span>Integer.<\/span>TYPE<\/span>);<\/span>
<\/span><\/span>            }<\/span> else<\/span> if<\/span> (<\/span>param.<\/span>equals<\/span>(<\/span>"true"<\/span>)<\/span> ||<\/span> param.<\/span>equals<\/span>(<\/span>"false"<\/span>))<\/span> {<\/span>
<\/span><\/span>                paramValues.<\/span>add<\/span>(<\/span>Boolean.<\/span>valueOf<\/span>(<\/span>Boolean.<\/span>parseBoolean<\/span>(<\/span>param)));<\/span>
<\/span><\/span>                paramTypes.<\/span>add<\/span>(<\/span>Boolean.<\/span>TYPE<\/span>);<\/span>
<\/span><\/span>            }<\/span> else<\/span> {<\/span>
<\/span><\/span>                paramValues.<\/span>add<\/span>(<\/span>param);<\/span>
<\/span><\/span>                paramTypes.<\/span>add<\/span>(<\/span>String.<\/span>class<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        Method method =<\/span> clazz.<\/span>getMethod<\/span>(<\/span>methodName,<\/span> (<\/span>Class[])<\/span> paramTypes.<\/span>toArray<\/span>(<\/span>new<\/span> Class[<\/span>0<\/span>]));<\/span>
<\/span><\/span>        if<\/span> (<\/span>Modifier.<\/span>isStatic<\/span>(<\/span>method.<\/span>getModifiers<\/span>()))<\/span> {<\/span>
<\/span><\/span>            return<\/span> method.<\/span>invoke<\/span>(<\/span>null<\/span>,<\/span> paramValues.<\/span>toArray<\/span>());<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        Object instance =<\/span> clazz.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>        return<\/span> method.<\/span>invoke<\/span>(<\/span>instance,<\/span> paramValues.<\/span>toArray<\/span>());<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>NoSuchMethodException e)<\/span> {<\/span>
<\/span><\/span>        Method method2 =<\/span> clazz.<\/span>getDeclaredMethod<\/span>(<\/span>methodName,<\/span> (<\/span>Class[])<\/span> paramTypes.<\/span>toArray<\/span>(<\/span>new<\/span> Class[<\/span>0<\/span>]));<\/span>
<\/span><\/span>        method2.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>Modifier.<\/span>isStatic<\/span>(<\/span>method2.<\/span>getModifiers<\/span>()))<\/span> {<\/span>
<\/span><\/span>            return<\/span> method2.<\/span>invoke<\/span>(<\/span>null<\/span>,<\/span> paramValues.<\/span>toArray<\/span>());<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        Object instance2 =<\/span> clazz.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>        return<\/span> method2.<\/span>invoke<\/span>(<\/span>instance2,<\/span> paramValues.<\/span>toArray<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>利用思路<\/h3>

黑名单绕过<\/strong>：需要绕过包含java.net.URL<\/code>, javax.naming.InitialContext<\/code>等危险类的检测<\/li>
白名单满足<\/strong>：必须包含com.jabaez.FLAG<\/code><\/li>
方法调用<\/strong>：可以通过反射调用任意类的任意方法（包括私有方法）<\/li>
<\/ol>
官方解法<\/h4>
上传一个.so文件，然后使用System.load<\/code>进行加载<\/p>
替代解法<\/h4>
使用EL表达式注入反弹shell：<\/p>

构造一个包含com.jabaez.FLAG<\/code>但不触发黑名单的类名<\/li>
调用能够执行命令的方法<\/li>
通过反射机制执行任意代码<\/li>
<\/ol>
具体利用步骤<\/h3>

构造一个合法的类名，如com.jabaez.FLAG${恶意代码}<\/code><\/li>
利用反射调用能够执行命令的方法<\/li>
绕过黑名单检测（大小写、编码等方式）<\/li>
通过EL表达式注入执行系统命令<\/li>
<\/ol>
web_ezyaml题目分析<\/h2>
这是一个简单的YAML反序列化题目，主要考察：<\/p>

JNDI注入<\/li>
YAML反序列化漏洞利用<\/li>
反序列化链构造<\/li>
<\/ol>
利用思路<\/h3>

构造恶意的YAML payload<\/li>
利用SnakeYAML的反序列化特性<\/li>
通过JNDI注入实现RCE<\/li>
<\/ol>
总结<\/h2>
这道题目综合考察了以下Java安全知识：<\/p>

Java反射机制的安全风险<\/li>
黑名单\/白名单绕过的技巧<\/li>
表达式注入漏洞<\/li>
反序列化漏洞利用<\/li>
JNDI注入攻击<\/li>
<\/ol>
关键点在于理解反射调用的危险性，以及如何绕过安全限制执行任意代码。通过分析黑名单和白名单的限制，找到合适的类和方法进行利用，最终实现命令执行或反弹shell。<\/p>
2025第十届 "磐石行动" Java题目分析与利用<\/h1>

题目概述<\/h2> 这道Java题目包含两个部分：web-jaba_ez<\/code>和web_ezyaml<\/code>。主要考察Java安全相关的知识，包括反射调用、黑名单\/白名单绕过、表达式注入等漏洞利用技术。<\/p>

官方解法<\/h4> 上传一个.so文件，然后使用System.load<\/code>进行加载<\/p>

题目概述<\/h2>
这道Java题目包含两个部分：`web-jaba_ez<\/code>和web_ezyaml<\/code>。主要考察Java安全相关的知识，包括反射调用、黑名单\/白名单绕过、表达式注入等漏洞利用技术。<\/p>`

官方解法<\/h4>
上传一个.so文件，然后使用`System.load<\/code>进行加载<\/p>`
